From patchwork Thu Aug 17 07:23:47 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Pitre <nicolas.pitre@linaro.org>
X-Patchwork-Id: 9905157
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0DB3F6038C for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 17 Aug 2017 07:35:02 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0017628ABB
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 17 Aug 2017 07:35:02 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E82CB28ABF; Thu, 17 Aug 2017 07:35:01 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 777E128ABB
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Thu, 17 Aug 2017 07:35:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References:
	In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:List-Owner;
	bh=3hUvUt8MQ0CGWSORw65Uurr1R2wI7MEJ9c0sbUyUWtg=;
	b=ZpzHsP4P4cteWXzexWCOm4MsZy
	GrnbWB6LF15yLuNi8qQbStE/z1+H/MQaQhi/luCeFNGXhbzrae5cQbLqG7zcGpURvwcVVDgGJni3u
	G7jteWNscDL6fWQDrlJ3JUqbIc+DmI3BPE5OMfSkrmuqOxBj8YUdWbIxqE7MqTHp+CpwZe763237N
	4T4au9c/nsKXhpkpcPf4gR7yVR7P+hhZi9BfvxHovim20rL+CQnW6uBN1O8zbJ1BIp1W8khsQOf5G
	RMMRmOzjMFsfGyyYNOvwoLTboxGw9G587zCEjYW4tBfrWqsMbkyGan+cB9eQMklYXkMuCp3ec3E3s
	tvlGodxw==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1diFKS-00048N-Sv; Thu, 17 Aug 2017 07:34:56 +0000
Received: from casper.infradead.org ([85.118.1.10])
	by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
	id 1diFJ0-0002Uy-G0 for linux-arm-kernel@bombadil.infradead.org;
	Thu, 17 Aug 2017 07:33:26 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=casper.20170209;
	h=References:In-Reply-To:Message-Id:Date:
	Subject:Cc:To:From:Sender:Reply-To:MIME-Version:Content-Type:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
	List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=IhLYZH4IhzV6tqLIp5SPp2cTYa1sWu59E9W0F/pC6o0=;
	b=trwTRe0em6IQdNtRi3Qn0NRF5
	ttTJH9JLdFpwo9HKvrLH4P48Xw9kkL+rPGbBrBg6O/WexoQ7RZRTgA8fhsiBnnDgCpk52iZOBZDaS
	4+xF9ke1j5XfO8qvEjQSej/9jJCVQf0yf5jv/BPCf3BtpmVWSWf8Gjmmdcre99joAEHNq2J+Iec6z
	hWWcY1UCmqosMuRNLnVNDPwzalJzzzdxzkXikV9jw5RS2pUzFFffo0MF2Wf64K38GOqA5KWlelpCw
	CZ9Pa++TcPbEembXFcXUReKHWJCdCF1mKgYWYmQOvASArRigsHdZz986rC7YlQkdhIv+7M6SKH1mX
	H47xJ8RDA==;
Received: from pb-smtp1.pobox.com ([64.147.108.70] helo=sasl.smtp.pobox.com)
	by casper.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
	id 1diFAP-0001A8-W8 for linux-arm-kernel@lists.infradead.org;
	Thu, 17 Aug 2017 07:24:37 +0000
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1])
	by pb-smtp1.pobox.com (Postfix) with ESMTP id DBD2C9FF0E;
	Thu, 17 Aug 2017 03:24:10 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=from:to:cc
	:subject:date:message-id:in-reply-to:references; s=sasl; bh=pfZ7
	DMPZdLwXf84UQU3DPvlKXVE=; b=lX7dibexAtwqBf2XxIVWBp1IopI65CYqh6Zm
	aAzlMSCWoax5JsgyXgMh+LeSiWsYGIg+uX+XrSd6sh6zFezaiDd0m3a4jz0xA70w
	1dRyWe/LvduYGRdsW5uxuL+aVxqOLFux0HDrtSE6DUHwsjC/3hqbBGysonLv8Nsf
	Vs9+EM4=
Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1])
	by pb-smtp1.pobox.com (Postfix) with ESMTP id D47829FF0D;
	Thu, 17 Aug 2017 03:24:10 -0400 (EDT)
Received: from yoda.home (unknown [70.80.200.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by pb-smtp1.pobox.com (Postfix) with ESMTPSA id 621E09FF0A;
	Thu, 17 Aug 2017 03:24:10 -0400 (EDT)
Received: from xanadu.home (xanadu.home [192.168.2.2])
	by yoda.home (Postfix) with ESMTP id 46DCD2DA06FD;
	Thu, 17 Aug 2017 03:24:09 -0400 (EDT)
From: Nicolas Pitre <nicolas.pitre@linaro.org>
To: Russell King - ARM Linux <linux@armlinux.org.uk>,
	linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 8/8] binfmt_elf_fdpic: fix crash on MMU system with
	dynamic binaries
Date: Thu, 17 Aug 2017 03:23:47 -0400
Message-Id: <20170817072347.19990-9-nicolas.pitre@linaro.org>
X-Mailer: git-send-email 2.9.5
In-Reply-To: <20170817072347.19990-1-nicolas.pitre@linaro.org>
References: <20170817072347.19990-1-nicolas.pitre@linaro.org>
X-Pobox-Relay-ID: 
 10053E32-831D-11E7-BB46-FE4B1A68708C-78420484!pb-smtp1.pobox.com
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170817_082434_166935_C4995581 
X-CRM114-Status: GOOD (  16.13  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: "Mickael Guene ." <mickael.guene@st.com>,
	Alexandre Torgue <alexandre.torgue@st.com>
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

In elf_fdpic_map_file() there is a test to ensure the dynamic section in
user space is properly terminated. However it does so by dereferencing
a user address directly. Add proper user space accessor.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
Tested-by: Vincent Abriou <vincent.abriou@st.com>
---
 fs/binfmt_elf_fdpic.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 692e2a1fd2..6a56dea138 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -835,6 +835,9 @@ static int elf_fdpic_map_file(struct elf_fdpic_params *params,
 			if (phdr->p_vaddr >= seg->p_vaddr &&
 			    phdr->p_vaddr + phdr->p_memsz <=
 			    seg->p_vaddr + seg->p_memsz) {
+				Elf32_Dyn __user *dyn;
+				Elf32_Sword d_tag;
+
 				params->dynamic_addr =
 					(phdr->p_vaddr - seg->p_vaddr) +
 					seg->addr;
@@ -847,8 +850,9 @@ static int elf_fdpic_map_file(struct elf_fdpic_params *params,
 					goto dynamic_error;
 
 				tmp = phdr->p_memsz / sizeof(Elf32_Dyn);
-				if (((Elf32_Dyn *)
-				     params->dynamic_addr)[tmp - 1].d_tag != 0)
+				dyn = (Elf32_Dyn __user *)params->dynamic_addr;
+				__get_user(d_tag, &dyn[tmp - 1].d_tag);
+				if (d_tag != 0)
 					goto dynamic_error;
 				break;
 			}