From patchwork Thu Jan 7 23:31:19 2021
X-Patchwork-Submitter: Bjorn Andersson
X-Patchwork-Id: 358304
From: Bjorn Andersson
To: Andy Gross, Bjorn Andersson, Siddharth Gupta
Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
Date: Thu, 7 Jan 2021 15:31:19 -0800
Message-Id: <20210107233119.717173-1-bjorn.andersson@linaro.org>

The code validates that segments of p_memsz bytes of a segment will fit in the provided memory region, but does not validate that p_filesz bytes will, which means that an incorrectly crafted ELF header might write beyond the provided memory region.

Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
Signed-off-by: Bjorn Andersson
---
 drivers/soc/qcom/mdt_loader.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--
2.29.2

Reviewed-by: Sibi Sankar

diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index e01d18e9ad2b..5180b5996830 100644 --- a/drivers/soc/qcom/mdt_loader.c 
+++ b/drivers/soc/qcom/mdt_loader.c @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, break; } + if (phdr->p_filesz > phdr->p_memsz) { + dev_err(dev, + "refusing to load segment %d with p_filesz > p_memsz\n", + i); + ret = -EINVAL; + break; + } + ptr = mem_region + offset; if (phdr->p_filesz && phdr->p_offset < fw->size) {
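
Review bot: the new check bounds the destination side only, while the unchanged context directly after it tests just `phdr->p_offset < fw->size` before using the in-blob segment data. With p_filesz now capped by p_memsz, it is worth confirming that the source range is capped as well, i.e. that p_offset + p_filesz does not run past fw->size, and rejecting the segment with -EINVAL in the same way if it does. A smaller point on wording: the subject says "p_filesz < p_memsz", but the condition `phdr->p_filesz > phdr->p_memsz` accepts equality, which is the right behaviour for a segment with no zero-filled tail, so the subject would be more accurate as "p_filesz <= p_memsz".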