[PATCH 5/7] remoteproc: look for truncated firmware images

linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed

From: ohad@wizery.com (Ohad Ben-Cohen)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 5/7] remoteproc: look for truncated firmware images
Date: Wed, 14 Dec 2011 13:48:33 +0200	[thread overview]
Message-ID: <1323863315-8159-6-git-send-email-ohad@wizery.com> (raw)
In-Reply-To: <1323863315-8159-1-git-send-email-ohad@wizery.com>

Make sure firmware isn't truncated before accessing its data.

Reported-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
---
 drivers/remoteproc/remoteproc_core.c |   35 +++++++++++++++++++++++++++++----
 1 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index 080c056..f2354ce 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -191,6 +191,7 @@ static void *rproc_da_to_va(struct rproc *rproc, u64 da, int len)
  * rproc_load_segments() - load firmware segments to memory
  * @rproc: remote processor which will be booted using these fw segments
  * @elf_data: the content of the ELF firmware image
+ * @len: firmware size (in bytes)
  *
  * This function loads the firmware segments to memory, where the remote
  * processor expects them.
@@ -211,7 +212,8 @@ static void *rproc_da_to_va(struct rproc *rproc, u64 da, int len)
  * directly allocate memory for every segment/resource. This is not yet
  * supported, though.
  */
-static int rproc_load_segments(struct rproc *rproc, const u8 *elf_data)
+static int
+rproc_load_segments(struct rproc *rproc, const u8 *elf_data, size_t len)
 {
 	struct device *dev = rproc->dev;
 	struct elf32_hdr *ehdr;
@@ -226,6 +228,7 @@ static int rproc_load_segments(struct rproc *rproc, const u8 *elf_data)
 		u32 da = phdr->p_paddr;
 		u32 memsz = phdr->p_memsz;
 		u32 filesz = phdr->p_filesz;
+		u32 offset = phdr->p_offset;
 		void *ptr;
 
 		if (phdr->p_type != PT_LOAD)
@@ -241,6 +244,13 @@ static int rproc_load_segments(struct rproc *rproc, const u8 *elf_data)
 			break;
 		}
 
+		if (offset + filesz > len) {
+			dev_err(dev, "truncated fw: need 0x%x avail 0x%x\n",
+					offset + filesz, len);
+			ret = -EINVAL;
+			break;
+		}
+
 		/* grab the kernel address for this device address */
 		ptr = rproc_da_to_va(rproc, da, memsz);
 		if (!ptr) {
@@ -712,6 +722,7 @@ rproc_handle_virtio_rsc(struct rproc *rproc, struct fw_resource *rsc, int len)
  * rproc_handle_resources() - find and handle the resource table
  * @rproc: the rproc handle
  * @elf_data: the content of the ELF firmware image
+ * @len: firmware size (in bytes)
  * @handler: function that should be used to handle the resource table
  *
  * This function finds the resource table inside the remote processor's
@@ -725,7 +736,7 @@ rproc_handle_virtio_rsc(struct rproc *rproc, struct fw_resource *rsc, int len)
  * processors that don't need a resource table.
  */
 static int rproc_handle_resources(struct rproc *rproc, const u8 *elf_data,
-					rproc_handle_resources_t handler)
+				size_t len, rproc_handle_resources_t handler)
 
 {
 	struct elf32_hdr *ehdr;
@@ -743,6 +754,13 @@ static int rproc_handle_resources(struct rproc *rproc, const u8 *elf_data,
 			struct fw_resource *table = (struct fw_resource *)
 						(elf_data + shdr->sh_offset);
 
+			if (shdr->sh_offset + shdr->sh_size > len) {
+				dev_err(rproc->dev,
+					"truncated fw: need 0x%x avail 0x%x\n",
+					shdr->sh_offset + shdr->sh_size, len);
+				ret = -EINVAL;
+			}
+
 			ret = handler(rproc, table, shdr->sh_size);
 
 			break;
@@ -833,6 +851,11 @@ static int rproc_fw_sanity_check(struct rproc *rproc, const struct firmware *fw)
 
 	ehdr = (struct elf32_hdr *)fw->data;
 
+	if (fw->size < ehdr->e_shoff + sizeof(struct elf32_shdr)) {
+		dev_err(dev, "Image is too small\n");
+		return -EINVAL;
+	}
+
 	if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG)) {
 		dev_err(dev, "Image is corrupted (bad magic)\n");
 		return -EINVAL;
@@ -887,14 +910,15 @@ static int rproc_fw_boot(struct rproc *rproc, const struct firmware *fw)
 	rproc->bootaddr = ehdr->e_entry;
 
 	/* handle fw resources which are required to boot rproc */
-	ret = rproc_handle_resources(rproc, fw->data, rproc_handle_boot_rsc);
+	ret = rproc_handle_resources(rproc, fw->data, fw->size,
+						rproc_handle_boot_rsc);
 	if (ret) {
 		dev_err(dev, "Failed to process resources: %d\n", ret);
 		goto clean_up;
 	}
 
 	/* load the ELF segments to memory */
-	ret = rproc_load_segments(rproc, fw->data);
+	ret = rproc_load_segments(rproc, fw->data, fw->size);
 	if (ret) {
 		dev_err(dev, "Failed to load program segments: %d\n", ret);
 		goto clean_up;
@@ -937,7 +961,8 @@ static void rproc_fw_config_virtio(const struct firmware *fw, void *context)
 		goto out;
 
 	/* does the fw supports any virtio devices ? */
-	ret = rproc_handle_resources(rproc, fw->data, rproc_handle_virtio_rsc);
+	ret = rproc_handle_resources(rproc, fw->data, fw->size,
+						rproc_handle_virtio_rsc);
 	if (ret) {
 		dev_info(dev, "No fw virtio device was found\n");
 		goto out;
-- 
1.7.5.4

next prev parent reply	other threads:[~2011-12-14 11:48 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-12-14 11:48 [PATCH 0/7] remoteproc/rpmsg: a few trivial fixes Ohad Ben-Cohen
2011-12-14 11:48 ` [PATCH 1/7] remoteproc: do not require an iommu Ohad Ben-Cohen
2011-12-14 11:48 ` [PATCH 2/7] remoteproc: avoid registering a virtio device if not supported Ohad Ben-Cohen
2011-12-14 11:48 ` [PATCH 3/7] remoteproc: remove unused resource type Ohad Ben-Cohen
2011-12-14 11:48 ` [PATCH 4/7] remoteproc/omap: utilize module_platform_driver Ohad Ben-Cohen
2011-12-14 11:48 ` Ohad Ben-Cohen [this message]
2011-12-14 11:48 ` [PATCH 6/7] remoteproc: add Kconfig menu Ohad Ben-Cohen
2011-12-14 11:48 ` [PATCH 7/7] rpmsg: " Ohad Ben-Cohen
2011-12-21 11:29 ` [PATCH 0/7] remoteproc/rpmsg: a few trivial fixes Ohad Ben-Cohen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:080c056 dfblob:f2354ce )
 OR (
bs:"[PATCH 5/7] remoteproc: look for truncated firmware images" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1323863315-8159-6-git-send-email-ohad@wizery.com \
    --to=ohad@wizery.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).