From patchwork Fri Jan 20 10:21:03 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 92048
Delivered-To: patch@linaro.org
Received: by 10.182.3.34 with SMTP id 2csp685553obz;
 Fri, 20 Jan 2017 02:22:35 -0800 (PST)
X-Received: by 10.200.48.110 with SMTP id g43mr11032832qte.277.1484907755650; 
 Fri, 20 Jan 2017 02:22:35 -0800 (PST)
Return-Path: <linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org>
Received: from bombadil.infradead.org (bombadil.infradead.org.
 [65.50.211.133]) by mx.google.com with ESMTPS id
 s49si4579315qtb.234.2017.01.20.02.22.35 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 20 Jan 2017 02:22:35 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org
 designates 65.50.211.133 as permitted sender)
 client-ip=65.50.211.133; 
Authentication-Results: mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org;
 spf=pass (google.com: best guess record for domain of
 linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org
 designates 65.50.211.133 as permitted sender)
 smtp.mailfrom=linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
 by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
 id 1cUWL3-00021w-7P; Fri, 20 Jan 2017 10:22:33 +0000
Received: from mail-wm0-f45.google.com ([74.125.82.45])
 by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
 id 1cUWL0-0001ui-ED for linux-arm-kernel@lists.infradead.org;
 Fri, 20 Jan 2017 10:22:32 +0000
Received: by mail-wm0-f45.google.com with SMTP id c206so36400435wme.0
 for <linux-arm-kernel@lists.infradead.org>;
 Fri, 20 Jan 2017 02:22:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id;
 bh=TJfjKfIHVjTTJFKTyWdOmexansJPKd/N6wqsyD97Wi0=;
 b=NI2wftqSBiCDDdvHzxveCaav0HH26Z6Bi44oQo5siHbvh3DGLAEUuxtiBuCGv4RQw5
 03GRGu6c8Q0OfqUXK2X6Fu/XG7EesiFEkoUXeaqDblWorW48zga935NSBnyhZZ+Czoir
 CtKzfqzo6EmKa80jykxdOu1hQU9Kz8lQsNO5g=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id;
 bh=TJfjKfIHVjTTJFKTyWdOmexansJPKd/N6wqsyD97Wi0=;
 b=dzjcg7+B7wGq+iQsf9s3AroSSjiUg/V1Lcgs7pS5oDjwwdlJkxqxcY3ZQ/w6wCEHDP
 RiZbPrub3UJqjJURhHXF99I5am978FH/9fMLNlRRobJ7ktsehK+C4i98Ehl7/2HE0gOn
 kE5JW97RHtIhEBYv3jHtaw5HxXCVaO15mrpeXYjjmXbN/mTl3IFfm4vrgwtStVw11oHG
 VQmHJz6qYs7NEDlpHjOWpypxZsLTs5+5ljJ77ABBIYmSwm5cYJX0w1Rlg6oj3WDXXCXU
 inzChi3qClPupWqC/SWQRsweLaaAb4Yfi4/pBVhptKaHqmu842+OvF0+OqS1bM3oxmxy
 L0UQ==
X-Gm-Message-State: AIkVDXKvKRIUI8+dSmFOmsobK7dXtHoB6GsnLeRoqMUAvW8zOFKovTdzNUoRX1gUMTRPEXED
X-Received: by 10.28.170.211 with SMTP id t202mr2883976wme.71.1484907668578; 
 Fri, 20 Jan 2017 02:21:08 -0800 (PST)
Received: from localhost.localdomain ([160.168.254.151])
 by smtp.gmail.com with ESMTPSA id
 c187sm5080168wmd.13.2017.01.20.02.21.06
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Fri, 20 Jan 2017 02:21:07 -0800 (PST)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm: module: handle negative R_ARM_PREL31 addends correctly
Date: Fri, 20 Jan 2017 10:21:03 +0000
Message-Id: <1484907663-32322-1-git-send-email-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.7.4
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170120_022230_642608_7DC542B7 
X-CRM114-Status: GOOD (  11.68  )
X-Spam-Score: -1.5 (-)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
 Content analysis details:   (-1.5 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.5 RCVD_IN_SORBS_SPAM     RBL: SORBS: sender is a spam source
 [74.125.82.45 listed in dnsbl.sorbs.net]
 -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
 no trust [74.125.82.45 listed in list.dnswl.org]
 -0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [74.125.82.45 listed in wl.mailspike.net]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
 [score: 0.0000]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
 author's domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: catalin.marinas@arm.com, linux@armlinux.org.uk,
 Ard Biesheuvel <ard.biesheuvel@linaro.org>
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org

According to the spec 'ELF for the ARM Architecture' (IHI 0044E),
addends for R_ARM_PREL31 relocations are 31-bit signed quantities,
so we need to sign extend the value to 32 bits before it can be used
as an offset in the calculation of the relocated value.

We have not been bitten by this because these relocations are usually
emitted against the start of a section, which means the addends never
assume negative values in practice. But it is a bug nonetheless, so fix
it.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
This is something I spotted while looking into adding support for
R_ARM_REL32 relocations. Feel free to ignore if it is guaranteed in some
way that these relocations can never be emitted with negative addends.

 arch/arm/kernel/module.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

-- 
2.7.4


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
index 29629fe02ce5..20d8374711e2 100644
--- a/arch/arm/kernel/module.c
+++ b/arch/arm/kernel/module.c
@@ -155,7 +155,15 @@ apply_relocate(Elf32_Shdr *sechdrs, const char *strtab, unsigned int symindex,
 		       break;
 
 		case R_ARM_PREL31:
-			offset = *(u32 *)loc + sym->st_value - loc;
+			offset = (*(s32 *)loc << 1) >> 1; /* sign extend */
+			offset += sym->st_value - loc;
+			if (offset >= 0x40000000 || offset < -0x40000000) {
+				pr_err("%s: section %u reloc %u sym '%s': relocation %u out of range (%#lx -> %#x)\n",
+				       module->name, relindex, i, symname,
+				       ELF32_R_TYPE(rel->r_info), loc,
+				       sym->st_value);
+				return -ENOEXEC;
+			}
 			*(u32 *)loc = offset & 0x7fffffff;
 			break;