Subject: Re: [PATCH v3] soc: qcom: mdt_loader: Add Upperbounds check for program header access
From: Mukesh Ojha
To: Auditya Bhattaram
Date: Thu, 8 Feb 2024 19:59:20 +0530
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240208123527.19725-1-quic_audityab@quicinc.com>
In-Reply-To: <20240208123527.19725-1-quic_audityab@quicinc.com>

On 2/8/2024 6:05 PM, Auditya Bhattaram wrote:
> hash_index is evaluated by looping phdrs till QCOM_MDT_TYPE_HASH
> is found. Add an upper-bound check to phdrs to access within elf size.
>
> Fixes: 64fb5eb87d58 ("soc: qcom: mdt_loader: Allow hash to reside in any segment")
> Cc:
> Signed-off-by: Auditya Bhattaram
> ---
> Changes in v3:
> - Corrected wrong patch versioning in the Subject.
> - Added error prints for invalid access.
> Link to v2 https://lore.kernel.org/linux-arm-msm/9773d189-c896-d5c5-804c-e086c24987b4@quicinc.com/T/#t
> Link to v1 https://lore.kernel.org/linux-arm-msm/5d7a3b97-d840-4863-91a0-32c1d8e7532f@linaro.org/T/#t
> ---
> drivers/soc/qcom/mdt_loader.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
> index 6f177e46fa0f..61e2377cc5c3 100644
> --- a/drivers/soc/qcom/mdt_loader.c
> +++ b/drivers/soc/qcom/mdt_loader.c
> @@ -145,6 +145,11 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, > if (phdrs[0].p_type == PT_LOAD) > return ERR_PTR(-EINVAL); > > + if (((size_t)(phdrs + ehdr->e_phnum)) > ((size_t)ehdr + fw->size)) { This change is valid only if somehow, ehdr->e_phnum gets corrupted or changed via some engineering means and results in out-of-bounds access. Acked-by: Mukesh Ojha > + dev_err(dev, "Invalid phdrs access: %s\n", fw_name); Should it print ehdr->e_phnum as well to be more valid? -Mukesh > + return ERR_PTR(-EINVAL); > + } > + > for (i = 1; i < ehdr->e_phnum; i++) { > if ((phdrs[i].p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH) { > hash_segment = i; > -- > 2.17.1 > >
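Review bot: the new bound check in this hunk is placed after the context line that already reads `phdrs[0].p_type`, so the table is validated only once the first header has been dereferenced; moving the check above that read keeps every header access behind it. The comparison itself casts pointers to `size_t` and forms `phdrs + ehdr->e_phnum`, which for a corrupt `e_phnum` is a pointer past the end of the firmware buffer; comparing offsets instead, e.g. `(size_t)((char *)phdrs - (char *)ehdr) + (size_t)ehdr->e_phnum * sizeof(*phdrs) > fw->size`, checks the same thing without forming that pointer. The `dev_err()` would also be more useful with `ehdr->e_phnum` and `fw->size` in the message, as Mukesh suggests, since the name alone does not say what was out of range.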
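The bound the patch adds, written as a stand-alone example (added here, not the kernel's code) that checks the program-header table by offset rather than by pointer comparison and then runs the same hash-segment loop; the `QCOM_MDT_*` values follow the kernel's mdt_loader.h, while `phdrs_in_bounds`, `find_hash_segment` and `scenario` are hypothetical names and the ELF image is constructed in the block.

```c
#include <elf.h>      /* Elf32_Ehdr, Elf32_Phdr, PT_LOAD (glibc) */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QCOM_MDT_TYPE_MASK (7u << 24)   /* values as in the kernel's mdt_loader.h */
#define QCOM_MDT_TYPE_HASH (2u << 24)
/* 1 if the whole program-header table lies inside fw_size bytes. Done on size_t
 * offsets, so it cannot overflow and never forms a pointer past the blob's end. */
static int phdrs_in_bounds(const Elf32_Ehdr *ehdr, size_t fw_size)
{
	size_t table = (size_t)ehdr->e_phnum * sizeof(Elf32_Phdr);
	return ehdr->e_phentsize == sizeof(Elf32_Phdr) &&
	       ehdr->e_phoff <= fw_size && table <= fw_size - ehdr->e_phoff;
}

/* Index of the first segment flagged QCOM_MDT_TYPE_HASH, or -1 when the table is
 * out of bounds or no hash segment exists (the loop the patch guards). */
int find_hash_segment(const uint8_t *fw, size_t fw_size)
{
	Elf32_Ehdr ehdr;
	Elf32_Phdr phdr;
	if (fw_size < sizeof(ehdr))
		return -1;
	memcpy(&ehdr, fw, sizeof(ehdr));          /* copy out: unaligned input is fine */
	if (!phdrs_in_bounds(&ehdr, fw_size))
		return -1;
	for (int i = 1; i < ehdr.e_phnum; i++) {
		memcpy(&phdr, fw + ehdr.e_phoff + (size_t)i * sizeof(phdr), sizeof(phdr));
		if ((phdr.p_flags & QCOM_MDT_TYPE_MASK) == QCOM_MDT_TYPE_HASH)
			return i;
	}
	return -1;
}

/* Constructed image: ELF32 header + `real` program headers (header 1 is the hash
 * segment) while e_phnum advertises `claimed`; only `avail` bytes are passed in.
 * Returns find_hash_segment()'s verdict, so a lying header can be tried safely. */
int scenario(uint16_t real, uint16_t claimed, size_t avail)
{
	static uint8_t img[4096];
	Elf32_Ehdr ehdr = { .e_phoff = sizeof(Elf32_Ehdr), .e_phentsize = sizeof(Elf32_Phdr), .e_phnum = claimed };
	Elf32_Phdr phdr = { .p_type = PT_LOAD };
	memcpy(img, &ehdr, sizeof(ehdr));
	for (unsigned i = 0; i < real; i++) {
		phdr.p_flags = i == 1 ? QCOM_MDT_TYPE_HASH : 0;
		memcpy(img + sizeof(ehdr) + i * sizeof(phdr), &phdr, sizeof(phdr));
	}
	return find_hash_segment(img, avail);
}
```

A header that advertises more entries than the blob holds, or a blob truncated by a single byte, is rejected before any header past the end is read.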