[PATCH v4] soc: qcom: mdt_loader: Add Upperbounds check for program header access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH
is found. Add an upperbound check to phdrs to access within elf size.

Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in any segment")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Auditya Bhattaram <quic_audityab@xxxxxxxxxxx>
Acked-by: Mukesh Ojha <quic_mojha@xxxxxxxxxxx>
---
Changes in v4:
 - Added additional prints incase of Invalid access.
Link to v3 https://lore.kernel.org/stable/1c91c653-cebe-4407-bdd6-cfc73b64c0fb@xxxxxxxxxxx
Link to v2 https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@xxxxxxxxxxx/T/#t
Link to v1 https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@xxxxxxxxxx/T/#t
---
 drivers/soc/qcom/mdt_loader.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
index 6f177e46fa0f..1a79a7bba468 100644
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -145,6 +143,13 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len,
 	if (phdrs[0].p_type == PT_LOAD)
 		return ERR_PTR(-EINVAL);

+	if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) {
+		dev_err(dev,
+			"Invalid phdrs access for fw: %s, e_phnum: %u, fw->size: %zu\n",
+			fw_name, ehdr->e_phnum, fw->size);
+		return ERR_PTR(-EINVAL);
+	}
+
 	for (i = 1; i < ehdr->e_phnum; i++) {
 		if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) {
 			hash_segment = i;
--
2.17.1





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux