From patchwork Fri Jan 20 10:21:03 2017
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 92048
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, linux@armlinux.org.uk, Ard Biesheuvel
Subject: [PATCH] arm: module: handle negative R_ARM_PREL31 addends correctly
Date: Fri, 20 Jan 2017 10:21:03 +0000
Message-Id: <1484907663-32322-1-git-send-email-ard.biesheuvel@linaro.org>

According to the spec 'ELF for the ARM Architecture' (IHI 0044E), addends for R_ARM_PREL31 relocations are 31-bit signed quantities, so we need to sign extend the value to 32 bits before it can be used as an offset in the calculation of the relocated value.

We have not been bitten by this because these relocations are usually emitted against the start of a section, which means the addends never assume negative values in practice. But it is a bug nonetheless, so fix it. Signed-off-by: Ard Biesheuvel --- This is something I spotted while looking into adding support for R_ARM_REL32 relocations. Feel free to ignore if it is guaranteed in some way that these relocations can never be emitted with negative addends. arch/arm/kernel/module.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- 2.7.4 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c index 29629fe02ce5..20d8374711e2 100644 --- a/arch/arm/kernel/module.c +++ b/arch/arm/kernel/module.c @@ -155,7 +155,15 @@ apply_relocate(Elf32_Shdr *sechdrs, const char *strtab, unsigned int symindex, break; case R_ARM_PREL31: - offset = *(u32 *)loc + sym->st_value - loc; + offset = (*(s32 *)loc << 1) >> 1; /* sign extend */ + offset += sym->st_value - loc; + if (offset >= 0x40000000 || offset < -0x40000000) { + pr_err("%s: section %u reloc %u sym '%s': relocation %u out of range (%#lx -> %#x)\n", + module->name, relindex, i, symname, + ELF32_R_TYPE(rel->r_info), loc, + sym->st_value); + return -ENOEXEC; + } *(u32 *)loc = offset & 0x7fffffff; break;
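Review bot: The unchanged write-back `*(u32 *)loc = offset & 0x7fffffff;` at the end of the R_ARM_PREL31 case still stores zero in bit 31, and the new sign extension now explicitly treats bit 31 of the input word as not part of the addend, so whatever that bit held before relocation is silently lost. If bit 31 of the place is meant to survive a 31-bit relocation, merge the result in instead, for example `*(u32 *)loc &= 0x80000000;` followed by `*(u32 *)loc |= offset & 0x7fffffff;`. Separately, `(*(s32 *)loc << 1) >> 1` relies on left-shifting a signed value into the sign bit and on the right shift being arithmetic; `sign_extend32(*(u32 *)loc, 30)` from <linux/bitops.h> states the intent without either assumption. The new range check is also only correct if `offset` is a signed 32-bit type, which the hunk does not show, so it is worth confirming the declaration.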