Message ID | 20210107233119.717173-1-bjorn.andersson@linaro.org |
---|---|
State | Accepted |
Commit | 84168d1b54e76a1bcb5192991adde5176abe02e3 |
Series | soc: qcom: mdt_loader: Validate that p_filesz < p_memsz |
Hey Bjorn,

Thanks for the patch!

On 1/8/21 5:01 AM, Bjorn Andersson wrote:
> The code validates that segments of p_memsz bytes of a segment will fit
> in the provided memory region, but does not validate that p_filesz bytes
> will, which means that an incorrectly crafted ELF header might write
> beyond the provided memory region.
>
> Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> ---
> drivers/soc/qcom/mdt_loader.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c > index e01d18e9ad2b..5180b5996830 100644 > --- a/drivers/soc/qcom/mdt_loader.c > +++ b/drivers/soc/qcom/mdt_loader.c > @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, > break; > } > > + if (phdr->p_filesz > phdr->p_memsz) { > + dev_err(dev, > + "refusing to load segment %d with p_filesz > p_memsz\n", > + i); > + ret = -EINVAL; > + break; > + } > +

Reviewed-by: Sibi Sankar <sibis@codeaurora.org>

> ptr = mem_region + offset; > > if (phdr->p_filesz && phdr->p_offset < fw->size) { >

--
Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc, is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
Hello:

This patch was applied to qcom/linux.git (refs/heads/for-next):

On Thu, 7 Jan 2021 15:31:19 -0800 you wrote:
> The code validates that segments of p_memsz bytes of a segment will fit
> in the provided memory region, but does not validate that p_filesz bytes
> will, which means that an incorrectly crafted ELF header might write
> beyond the provided memory region.
>
> Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
>
> [...]

Here is the summary with links:
  - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
    https://git.kernel.org/qcom/c/84168d1b54e7

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index e01d18e9ad2b..5180b5996830 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, break; } + if (phdr->p_filesz > phdr->p_memsz) { + dev_err(dev, + "refusing to load segment %d with p_filesz > p_memsz\n", + i); + ret = -EINVAL; + break; + } + ptr = mem_region + offset; if (phdr->p_filesz && phdr->p_offset < fw->size) {
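Review bot: The added test `phdr->p_filesz > phdr->p_memsz` accepts p_filesz == p_memsz, while the subject line reads "Validate that p_filesz < p_memsz"; a segment with equal sizes is valid (it simply has no zero-filled tail), so the code is right and the subject would be more accurate as "p_filesz <= p_memsz". Separately, the trailing context line gates the file read on `phdr->p_offset < fw->size` only. If that branch copies p_filesz bytes starting at p_offset, it is worth confirming that p_offset + p_filesz is also bounded by fw->size, since the new check limits the destination side of the copy but not the source side.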
The code validates that segments of p_memsz bytes of a segment will fit
in the provided memory region, but does not validate that p_filesz bytes
will, which means that an incorrectly crafted ELF header might write
beyond the provided memory region.

Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/soc/qcom/mdt_loader.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--
2.29.2
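The bounds reasoning in the commit message, as an added userspace example that is not the kernel's mdt_loader code. `struct seg_hdr`, `load_segment()`, the `dst_off` parameter and the source-side check against the image size are assumptions of this example; only the `p_filesz > p_memsz` rejection mirrors the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical subset of an ELF32 program header; field names follow the patch. */
struct seg_hdr {
    uint32_t p_offset;  /* where the segment's bytes start in the firmware image */
    uint32_t p_filesz;  /* bytes to copy from the image */
    uint32_t p_memsz;   /* bytes the segment occupies once loaded */
};

/*
 * Copy one segment to region[dst_off..]. Every header field is untrusted.
 * Returns 0 on success, -EINVAL if any access would leave its buffer.
 */
int load_segment(const struct seg_hdr *h,
                 const uint8_t *image, size_t image_size,
                 uint8_t *region, size_t region_size, size_t dst_off)
{
    /* Destination: p_memsz bytes must fit (subtraction form cannot overflow). */
    if (dst_off > region_size || h->p_memsz > region_size - dst_off)
        return -EINVAL;

    /* The check the patch adds: the copy length (p_filesz) may not exceed
     * the size that was just validated against the region (p_memsz). */
    if (h->p_filesz > h->p_memsz)
        return -EINVAL;

    /* Source side (assumption of this example): stay inside the image. */
    if (h->p_offset > image_size || h->p_filesz > image_size - h->p_offset)
        return -EINVAL;

    memcpy(region + dst_off, image + h->p_offset, h->p_filesz);
    /* Zero the tail of p_memsz - p_filesz bytes, as an ELF loader does for .bss. */
    memset(region + dst_off + h->p_filesz, 0, h->p_memsz - h->p_filesz);
    return 0;
}
```

Without the middle check, a header with `p_memsz = 8` and `p_filesz = 12` passes the destination test and then copies 12 bytes into an 8-byte region.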