Re: [PATCH] soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Shawn,

On 8/24/21 11:41 AM, Shawn Guo wrote:

From: Shawn Guo <shawn.guo@xxxxxxxxxx>

It's been observed on Sony Xperia M4 Aqua phone, that wcnss firmware has
the type of the second segment holding hashes just be PT_LOAD.  So drop
the check on phdrs[1].p_type to get it go on that phone.

Signed-off-by: Shawn Guo <shawn.guo@xxxxxxxxxx>
---
  drivers/soc/qcom/mdt_loader.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
index eba7f76f9d61..6034cd8992b0 100644
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -98,7 +98,7 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len)
  	if (ehdr->e_phnum < 2)
  		return ERR_PTR(-EINVAL);
- if (phdrs[0].p_type == PT_LOAD || phdrs[1].p_type == PT_LOAD) 
+	if (phdrs[0].p_type == PT_LOAD)
  		return ERR_PTR(-EINVAL);
if ((phdrs[1].p_flags & QCOM_MDT_TYPE_MASK) != QCOM_MDT_TYPE_HASH)
Konrad (on the CC-list) originally came up with a similar patch to make his Sony phone boot (Xperia XZ, MSM8996). We however concluded that this solution is wrong, for the simple fact that the code below expects a PT_NULL header with data in the right place. Skipping this check most likely means that the code below will read out of bounds since the mdt file isn't large enough; this data is supposed to be read from an external file as indicated by the meaning of PT_LOAD. We built a solution for this, and fortunately CAF independently submitted a similar solution to the lists a while ago which is more thorough: 

https://lore.kernel.org/linux-arm-msm/1609968211-7579-1-git-send-email-sidgup@xxxxxxxxxxxxxx/
It's been a while since I last compared mdt files with and without PT_LOAD, but this is the conclusion I remember coming to:
The code that packs the hash from program header 1 tightly after the ELF header in program header 0 doesn't actually need to run, since our mdt binaries already contain the signature in that place; the bytes aren't used for anything else. Simply sending the contents of the entire file as-is (similar to our downstream kernels) worked just fine (of course files beyond the size of the mdt file still have to be appended from .bXX files, and I'm not sure why this isn't checking for PT_LOAD program-header type there). 

- Marijn
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux