Subject: Re: [PATCH] soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
To: Bjorn Andersson, Andy Gross, Siddharth Gupta
Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20210107233119.717173-1-bjorn.andersson@linaro.org>
From: Sibi Sankar Message-ID: <56542220-494d-d41e-2378-f20f07caba5e@codeaurora.org> Date: Thu, 8 Apr 2021 16:48:05 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20210107233119.717173-1-bjorn.andersson@linaro.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hey Bjorn, Thanks for the patch! On 1/8/21 5:01 AM, Bjorn Andersson wrote: > The code validates that segments of p_memsz bytes of a segment will fit > in the provided memory region, but does not validate that p_filesz bytes > will, which means that an incorrectly crafted ELF header might write > beyond the provided memory region. > > Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") > Signed-off-by: Bjorn Andersson > --- > drivers/soc/qcom/mdt_loader.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c > index e01d18e9ad2b..5180b5996830 100644 > --- a/drivers/soc/qcom/mdt_loader.c > +++ b/drivers/soc/qcom/mdt_loader.c > @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, > break; > } > > + if (phdr->p_filesz > phdr->p_memsz) { > + dev_err(dev, > + "refusing to load segment %d with p_filesz > p_memsz\n", > + i); > + ret = -EINVAL; > + break; > + } > + Reviewed-by: Sibi Sankar > ptr = mem_region + offset; > > if (phdr->p_filesz && phdr->p_offset < fw->size) { > -- Qualcomm Innovation Center, Inc. Qualcomm Innovation Center, Inc, is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
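Review bot: the subject line says "Validate that p_filesz < p_memsz" but the hunk only rejects `phdr->p_filesz > phdr->p_memsz`, so a segment with p_filesz == p_memsz (no zero-filled tail) is accepted, which is the right behaviour; the subject should read "p_filesz <= p_memsz" so it matches the check. The placement is good: the new test sits after the existing p_memsz-fits-in-region check and before `ptr = mem_region + offset;`, so by the time the `if (phdr->p_filesz && phdr->p_offset < fw->size)` copy path runs, p_filesz bytes are known to fit inside the p_memsz bytes already verified against the region. As a nit, the error message could also print the two sizes alongside the segment index to make a rejected image easier to diagnose from the log.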
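As an added illustration of the check the patch introduces, not code from the mdt_loader driver or from either participant in this thread: a standalone C model of the loader's per-segment bounds checks over a constructed program header, showing why a p_memsz-only check lets a crafted p_filesz overrun the region and how the added p_filesz > p_memsz rejection closes it. The `struct seg_hdr` layout, the `validate_segment`, `load_segment`, `crafted_segment_verdict` and `good_segment_load` names, and the firmware bytes and region sizes are all assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified program-header view: only the fields the loader
 * logic below cares about (not the kernel's Elf32_Phdr). */
struct seg_hdr {
    uint32_t p_offset;  /* byte offset of the segment data in the firmware file */
    uint32_t p_paddr;   /* physical load address */
    uint32_t p_filesz;  /* bytes present in the file */
    uint32_t p_memsz;   /* bytes the segment occupies in memory */
};

/* Hypothetical checks in the same order as __qcom_mdt_load():
 *  1. the segment's p_memsz bytes must fit in the reserved region;
 *  2. p_filesz must not exceed p_memsz (the check the patch adds);
 *  3. the file bytes must actually exist inside the firmware blob.
 * Returns 0 when the segment may be copied, -EINVAL otherwise. */
int validate_segment(const struct seg_hdr *ph, uint64_t min_addr,
                     size_t mem_size, size_t fw_size)
{
    if (ph->p_paddr < min_addr)
        return -EINVAL;
    uint64_t offset = (uint64_t)ph->p_paddr - min_addr;

    /* 1: destination bounds; 64-bit arithmetic so the sum cannot wrap. */
    if (offset + ph->p_memsz > mem_size)
        return -EINVAL;

    /* 2: without this, the memcpy in load_segment() writes p_filesz bytes
     * into a region only verified to hold p_memsz bytes. */
    if (ph->p_filesz > ph->p_memsz)
        return -EINVAL;

    /* 3: source bounds within the firmware image. */
    if ((uint64_t)ph->p_offset + ph->p_filesz > fw_size)
        return -EINVAL;

    return 0;
}

/* Copy one validated segment into the region and zero the bss tail. */
int load_segment(const struct seg_hdr *ph, uint64_t min_addr,
                 uint8_t *mem_region, size_t mem_size,
                 const uint8_t *fw, size_t fw_size)
{
    int ret = validate_segment(ph, min_addr, mem_size, fw_size);
    if (ret)
        return ret;

    uint8_t *ptr = mem_region + (ph->p_paddr - min_addr);
    if (ph->p_filesz)
        memcpy(ptr, fw + ph->p_offset, ph->p_filesz);
    if (ph->p_memsz > ph->p_filesz)
        memset(ptr + ph->p_filesz, 0, ph->p_memsz - ph->p_filesz);
    return 0;
}

/* Constructed scenario: a 64-byte firmware blob and a 32-byte region.
 * The header's p_memsz fits, and p_offset + p_filesz lies inside the blob,
 * so only check 2 stops a 64-byte copy into the 32-byte region. */
int crafted_segment_verdict(void)
{
    struct seg_hdr bad = {
        .p_offset = 0, .p_paddr = 0x1000, .p_filesz = 64, .p_memsz = 16,
    };
    return validate_segment(&bad, 0x1000, 32, 64);
}

/* Well-formed segment: 8 file bytes, 16 in memory. Returns 0 on success and
 * leaves the region in out_region so a caller can inspect the zeroed tail. */
int good_segment_load(uint8_t out_region[32])
{
    uint8_t fw[64];
    for (int i = 0; i < 64; i++)
        fw[i] = (uint8_t)(0xA0 + i);   /* constructed firmware contents */
    struct seg_hdr good = {
        .p_offset = 8, .p_paddr = 0x1008, .p_filesz = 8, .p_memsz = 16,
    };
    memset(out_region, 0xFF, 32);      /* sentinel to show what was untouched */
    return load_segment(&good, 0x1000, out_region, 32, fw, sizeof fw);
}
```

The crafted header passes the region check (offset 0 + p_memsz 16 fits in 32 bytes) and the source check (p_offset 0 + p_filesz 64 fits in the 64-byte blob), so a loader with only those two checks would memcpy 64 bytes into a 32-byte region; the p_filesz > p_memsz test is the one that rejects it.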