* [PATCH v1] soc: qcom: mdt_loader: Add Upperbounds check for program header access
@ 2024-02-02 6:39 Auditya Bhattaram
2024-02-02 8:04 ` Mukesh Ojha
0 siblings, 1 reply; 3+ messages in thread
From: Auditya Bhattaram @ 2024-02-02 6:39 UTC (permalink / raw)
To: andersson, konrad.dybcio; +Cc: linux-arm-msm, linux-kernel, Auditya Bhattaram
hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH
is found. Add an upperbound check to phdrs to access within elf size.
Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com>
---
Added error prints for Invalid access.
Link for previous discussion https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t
---
drivers/soc/qcom/mdt_loader.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
index 6f177e46fa0f..61e2377cc5c3 100644
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len,
if (phdrs[0].p_type == PT_LOAD)
return ERR_PTR(-EINVAL);
+ if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) {
+ dev_err(dev, "Invalid phdrs access: %s\n", fw_name);
+ return ERR_PTR(-EINVAL);
+ }
+
for (i = 1; i < ehdr->e_phnum; i++) {
if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) {
hash_segment = i;
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v1] soc: qcom: mdt_loader: Add Upperbounds check for program header access
2024-02-02 6:39 [PATCH v1] soc: qcom: mdt_loader: Add Upperbounds check for program header access Auditya Bhattaram
@ 2024-02-02 8:04 ` Mukesh Ojha
2024-02-08 11:44 ` Auditya Bhattaram
0 siblings, 1 reply; 3+ messages in thread
From: Mukesh Ojha @ 2024-02-02 8:04 UTC (permalink / raw)
To: Auditya Bhattaram, andersson, konrad.dybcio; +Cc: linux-arm-msm, linux-kernel
This should be v2., first time patches is always counted as v1
On 2/2/2024 12:09 PM, Auditya Bhattaram wrote:
> hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH
> is found. Add an upperbound check to phdrs to access within elf size.
>
> Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> > ---
> Added error prints for Invalid access.
> Link for previous discussion https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t
Would be better if you take reference from other patches,
Like above can be done as,
Changes in v2:
- ...
- ,,,
> ---
> drivers/soc/qcom/mdt_loader.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
> index 6f177e46fa0f..61e2377cc5c3 100644
> --- a/drivers/soc/qcom/mdt_loader.c
> +++ b/drivers/soc/qcom/mdt_loader.c
> @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len,
> if (phdrs[0].p_type == PT_LOAD)
> return ERR_PTR(-EINVAL);
>
> + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) {
> + dev_err(dev, "Invalid phdrs access: %s\n", fw_name);
> + return ERR_PTR(-EINVAL);
> + }
> +
Should this not be marked for stable kernel ? as without this it could
be accessing beyond fw_size for uncertain scenario.
-Mukesh
> for (i = 1; i < ehdr->e_phnum; i++) {
> if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) {
> hash_segment = i;
> --
> 2.17.1
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v1] soc: qcom: mdt_loader: Add Upperbounds check for program header access
2024-02-02 8:04 ` Mukesh Ojha
@ 2024-02-08 11:44 ` Auditya Bhattaram
0 siblings, 0 replies; 3+ messages in thread
From: Auditya Bhattaram @ 2024-02-08 11:44 UTC (permalink / raw)
To: Mukesh Ojha, andersson, konrad.dybcio; +Cc: linux-arm-msm, linux-kernel
On 2/2/2024 1:34 PM, Mukesh Ojha wrote:
>
> This should be v2., first time patches is always counted as v1
>
> On 2/2/2024 12:09 PM, Auditya Bhattaram wrote:
>> hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH
>> is found. Add an upperbound check to phdrs to access within elf size.
>>
>> Signed-off-by: Auditya Bhattaram <quic_audityab@quicinc.com> > ---
>> Added error prints for Invalid access.
>> Link for previous discussion
>> https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t
>
> Would be better if you take reference from other patches,
>
> Like above can be done as,
>
> Changes in v2:
> - ...
> - ,,,
>> ---
>> drivers/soc/qcom/mdt_loader.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/soc/qcom/mdt_loader.c
>> b/drivers/soc/qcom/mdt_loader.c
>> index 6f177e46fa0f..61e2377cc5c3 100644
>> --- a/drivers/soc/qcom/mdt_loader.c
>> +++ b/drivers/soc/qcom/mdt_loader.c
>> @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct
>> firmware *fw, size_t *data_len,
>> if (phdrs[0].p_type == PT_LOAD)
>> return ERR_PTR(-EINVAL);
>>
>> + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) {
>> + dev_err(dev, "Invalid phdrs access: %s\n", fw_name);
>> + return ERR_PTR(-EINVAL);
>> + }
>> +
>
> Should this not be marked for stable kernel ? as without this it could
> be accessing beyond fw_size for uncertain scenario.
>
> -Mukesh
Yes This should be marked for stable.
>
>> for (i = 1; i < ehdr->e_phnum; i++) {
>> if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) ==
>> QCOM_MDT_TYPE_HASH) {
>> hash_segment = i;
>> --
>> 2.17.1
>>
>>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-02-08 11:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-02 6:39 [PATCH v1] soc: qcom: mdt_loader: Add Upperbounds check for program header access Auditya Bhattaram
2024-02-02 8:04 ` Mukesh Ojha
2024-02-08 11:44 ` Auditya Bhattaram
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox