Re: [PATCH v4] soc: qcom: mdt_loader: Add Upperbounds check for program header access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 2/14/2024 11:27 AM, Auditya Bhattaram wrote:


On 2/14/2024 11:12 AM, Bjorn Andersson wrote:
On Tue, Feb 13, 2024 at 01:30:10PM +0530, Auditya Bhattaram wrote:
hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH
is found. Add an upperbound check to phdrs to access within elf size.


How is this compatible with what is being observed on SM8450 and
implemented in commit 8bd42e2341a7 ("soc: qcom: mdt_loader: Allow hash
segment to be split out"?

Regards,
Bjorn


Calculating hash_index is introduced with this commit 8bd42e2341a7 ("soc: qcom: mdt_loader: Allow hash segment to be split out"

     for (i = 1; i < ehdr->e_phnum; i++) {
      if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) ...

I'm trying to add an upper bound for this access "phdrs[i]"


Any further questions on this Bjorn.

Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in any segment")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Auditya Bhattaram <quic_audityab@xxxxxxxxxxx>
Acked-by: Mukesh Ojha <quic_mojha@xxxxxxxxxxx>
---
Changes in v4:
  - Added additional prints incase of Invalid access.
Link to v3 https://lore.kernel.org/stable/1c91c653-cebe-4407-bdd6-cfc73b64c0fb@xxxxxxxxxxx Link to v2 https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@xxxxxxxxxxx/T/#t Link to v1 https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@xxxxxxxxxx/T/#t
---
  drivers/soc/qcom/mdt_loader.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
index 6f177e46fa0f..1a79a7bba468 100644
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -145,6 +143,13 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len,
      if (phdrs[0].p_type == PT_LOAD)
          return ERR_PTR(-EINVAL);

+    if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) {
+        dev_err(dev,
+            "Invalid phdrs access for fw: %s, e_phnum: %u, fw->size: %zu\n",
+            fw_name, ehdr->e_phnum, fw->size);
+        return ERR_PTR(-EINVAL);
+    }
+
      for (i = 1; i < ehdr->e_phnum; i++) {
          if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) {
              hash_segment = i;
--
2.17.1





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux