Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp849119pxb; Wed, 13 Jan 2021 18:15:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJyNjzNWTbvC9J15cHAtMECH5ldPswCMWUqki83wcHKnfOo3foWEBIIw/tJ9i2us2OYBnjXa X-Received: by 2002:a17:906:5043:: with SMTP id e3mr3655946ejk.260.1610590500436; Wed, 13 Jan 2021 18:15:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610590500; cv=none; d=google.com; s=arc-20160816; b=xpj44RAySDE5v6w3pPjRRuQgRnf++PnkqmBp1EQnkpSFYCpE3uqtDpDZosIPpNQmRM GUjj7H3rtE/MsmeU2QgmChrPDbtM1pJf3lh5d4dHGeD3dcyYFYJ6YVPEem7e6jWl9Hn4 m+kdWep4WDkLIQyocWpINJwea+trMr3nPN+Xz4WOBhYXtS/VO1OI5367g7//C0sJxyEH xlAml+zhCnIkpX5ks2bUpZuj1YyF9q/dryHXuD5GYr1uhGO1DEYmUuDsd6JHatNlRmBT xC4DhRhL6S6ZcBLrkKgE11DN73STHAqgxoOMWBHOeNhl5e9p1RBXsaptiFG38tlgDPS+ CYig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=wOwkhQAgNtweZgYmyrlXoMgH8ym5z5w1V+rJvmQv+fQ=; b=nj5N7BN+VpTpdFpi/eU6wVIHo0+F8NXUgHQ7AT9nTuFHMSrFEOPTv4jtG+ire2b/Ly /SvN3o/rr29LeFq/rOEukUcKLkYPefVUIWkssuY8xtW/xn+/a1q7MBZa/HSABOzDTLsP 5SWaKXxdC0QOAuBVDdupM5WMv2xBIwtSFYMqIgHnflILAcLVhXQW8w9n7FSx7frBWv83 NqmurVZ/PZwzKv4+gYQGXRO6gWFbU1a2myWtPG9aRoUSVMQIK+PhWwRmyfesUSJQYUs+ SH0GVLBItDR9Uzn/VrZKc2CfGFOjEPTvfTAv5uPGP47zhG+B5iCn32UJgsezx5WsDKd5 bSdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=kJwNWHVP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o9si765618ejr.672.2021.01.13.18.14.37; Wed, 13 Jan 2021 18:15:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=kJwNWHVP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729457AbhANCM1 (ORCPT + 99 others); Wed, 13 Jan 2021 21:12:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50836 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729242AbhAMWEn (ORCPT ); Wed, 13 Jan 2021 17:04:43 -0500 Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DD6D7C061795 for ; Wed, 13 Jan 2021 14:04:02 -0800 (PST) Received: by mail-oi1-x22a.google.com with SMTP id s2so3828421oij.2 for ; Wed, 13 Jan 2021 14:04:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=wOwkhQAgNtweZgYmyrlXoMgH8ym5z5w1V+rJvmQv+fQ=; b=kJwNWHVPnLhMUJeCvPu8sI3PIqH4iL2mp7HxaA6Ti7QwQL24qrg8smwdLQ0gVTHxto nR4124VVq//u+nE/WpRYRhOqDNinS6G6xSUciBqnNP8RVffiHNrzzMxOw8Vj1wN4dWo3 /vTce6X+VMO+EKoGrxS1d6v6863RBoqhs+B5gwCon1hItNM5JgBJ9taXAsP3ms5gFZZu YTWZk8mzx7fbr7zGszoch2h5R1MslFjc7BFrGhW9JUeE9yxIeMgvhdvw/JL3A/JefLLw 44+KvlvQeHV2Bw3bwBRdUkGHHbAIXCE0sN2NQMcAng19IYmiMuhYTHOwk7a+ORzYcOO6 +rqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=wOwkhQAgNtweZgYmyrlXoMgH8ym5z5w1V+rJvmQv+fQ=; b=a2leWNLropOO4wn1HEuqzxfpSxJyifM5mK47q8CLkgdUtW39Yfbhp3tsWDX+1YQ41l TYDB4HGtB3Zr968DTyG3+rx/QDj6gV/tYQJlIqC617yj8sKYZRDNY37cgrRRnmFSlmGY lSZ9XSwAq2n60lcM7P0lz3K/FAE/ADlaGP3MaPP5aDOsy04eXmlKU8fDqiFzigl961DC F3OZo2/pGsdUgjI+VBUwzPCvt7I2/wtmDe7HlC+he2EJnYPTm0bUHx45+eypMSkDyh56 cY8BuNz6oeFiQbNpLisNc4NyZFYhQLXTlJg3cj+njiIyhu56kwhV+9bYRZZD/8fG6Bel ktdg== X-Gm-Message-State: AOAM533FBtG6aM6h5yXPoe/IsQ24LO4w+AdXIKTSTOMz81f9IvKm8ui1 YTce0KcwES9txu6mynQ+qby3Pw== X-Received: by 2002:aca:4257:: with SMTP id p84mr844472oia.176.1610575442148; Wed, 13 Jan 2021 14:04:02 -0800 (PST) Received: from builder.lan (104-57-184-186.lightspeed.austtx.sbcglobal.net. [104.57.184.186]) by smtp.gmail.com with ESMTPSA id g92sm649467otb.66.2021.01.13.14.04.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Jan 2021 14:04:01 -0800 (PST) Date: Wed, 13 Jan 2021 16:03:59 -0600 From: Bjorn Andersson To: Mathieu Poirier Cc: Andy Gross , Ohad Ben-Cohen , Sibi Sankar , linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] remoteproc: qcom_q6v5_mss: Validate p_filesz in ELF loader Message-ID: References: <20210107235053.745888-1-bjorn.andersson@linaro.org> <20210113212257.GB229796@xps15> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210113212257.GB229796@xps15> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed 13 Jan 15:22 CST 2021, Mathieu Poirier wrote: > Hi Bjorn, > > On Thu, Jan 07, 2021 at 03:50:53PM -0800, Bjorn Andersson wrote: > > Analog to the issue in the common mdt_loader code the MSS ELF loader > > does not validate that p_filesz bytes will fit in the memory region and > > that the loaded segments are not truncated. Fix this in the same way > > as proposed for the mdt_loader. > > > > Fixes: 135b9e8d1cd8 ("remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load") > > Signed-off-by: Bjorn Andersson > > --- > > drivers/remoteproc/qcom_q6v5_mss.c | 17 +++++++++++++++++ > > 1 file changed, 17 insertions(+) > > > > diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c > > index 66106ba25ba3..2b59e0cbdce1 100644 > > --- a/drivers/remoteproc/qcom_q6v5_mss.c > > +++ b/drivers/remoteproc/qcom_q6v5_mss.c > > @@ -1210,6 +1210,14 @@ static int q6v5_mpss_load(struct q6v5 *qproc) > > goto release_firmware; > > } > > > > + if (phdr->p_filesz > phdr->p_memsz) { > > + dev_err(qproc->dev, > > + "refusing to load segment %d with p_filesz > p_memsz\n", > > + i); > > + ret = -EINVAL; > > + break; > > Based on the error handling for the above and below conditions, I would have > expected a "goto release_firmware" rather than a "break". > You're certainly right! Yet another reason for the duplication between this function, the mdt_loader and the remoteproc_elf_loader is a bad idea - still not sure how to refactor any one of them to fit the three. Thank you, Bjorn > > + } > > + > > ptr = memremap(qproc->mpss_phys + offset, phdr->p_memsz, MEMREMAP_WC); > > if (!ptr) { > > dev_err(qproc->dev, > > @@ -1241,6 +1249,15 @@ static int q6v5_mpss_load(struct q6v5 *qproc) > > goto release_firmware; > > } > > > > + if (seg_fw->size != phdr->p_filesz) { > > + dev_err(qproc->dev, > > + "failed to load segment %d from truncated file %s\n", > > + i, fw_name); > > + ret = -EINVAL; > > + memunmap(ptr); > > + break; > > Same here. > > > + } > > + > > release_firmware(seg_fw); > > } > > Thanks, > Mathieu > > > > > -- > > 2.29.2 > >