releases/5.11.21/soc-qcom-mdt_loader-validate-that-p_filesz-p_memsz.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 250e0f07ef6c0f140389d7a15858988298af1609 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Thu, 7 Jan 2021 15:31:19 -0800
 Subject: soc: qcom: mdt_loader: Validate that p_filesz < p_memsz

 From: Bjorn Andersson <bjorn.andersson@linaro.org>

 [ Upstream commit 84168d1b54e76a1bcb5192991adde5176abe02e3 ]

 The code validates that segments of p_memsz bytes of a segment will fit
 in the provided memory region, but does not validate that p_filesz bytes
 will, which means that an incorrectly crafted ELF header might write
 beyond the provided memory region.

 Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
 Reviewed-by: Sibi Sankar <sibis@codeaurora.org>
 Link: https://lore.kernel.org/r/20210107233119.717173-1-bjorn.andersson@linaro.org
 Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/soc/qcom/mdt_loader.c | 8 ++++++++
  1 file changed, 8 insertions(+)

 diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
 index 24cd193dec55..2ddaee5ef9cc 100644
 --- a/drivers/soc/qcom/mdt_loader.c
 +++ b/drivers/soc/qcom/mdt_loader.c
 @@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw,
  			break;
  		}

 +		if (phdr->p_filesz > phdr->p_memsz) {
 +			dev_err(dev,
 +				"refusing to load segment %d with p_filesz > p_memsz\n",
 +				i);
 +			ret = -EINVAL;
 +			break;
 +		}
 +
  		ptr = mem_region + offset;

  		if (phdr->p_filesz && phdr->p_offset < fw->size) {
 --
 2.30.2
	From 250e0f07ef6c0f140389d7a15858988298af1609 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Thu, 7 Jan 2021 15:31:19 -0800
	Subject: soc: qcom: mdt_loader: Validate that p_filesz < p_memsz

	From: Bjorn Andersson <bjorn.andersson@linaro.org>

	[ Upstream commit 84168d1b54e76a1bcb5192991adde5176abe02e3 ]

	The code validates that segments of p_memsz bytes of a segment will fit
	in the provided memory region, but does not validate that p_filesz bytes
	will, which means that an incorrectly crafted ELF header might write
	beyond the provided memory region.

	Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
	Reviewed-by: Sibi Sankar <sibis@codeaurora.org>
	Link: https://lore.kernel.org/r/20210107233119.717173-1-bjorn.andersson@linaro.org
	Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/soc/qcom/mdt_loader.c \| 8 ++++++++
	1 file changed, 8 insertions(+)

	diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
	index 24cd193dec55..2ddaee5ef9cc 100644
	--- a/drivers/soc/qcom/mdt_loader.c
	+++ b/drivers/soc/qcom/mdt_loader.c
	@@ -230,6 +230,14 @@ static int __qcom_mdt_load(struct device dev, const struct firmware fw,
	break;
	}

	+ if (phdr->p_filesz > phdr->p_memsz) {
	+ dev_err(dev,
	+ "refusing to load segment %d with p_filesz > p_memsz\n",
	+ i);
	+ ret = -EINVAL;
	+ break;
	+ }
	+
	ptr = mem_region + offset;

	if (phdr->p_filesz && phdr->p_offset < fw->size) {
	--
	2.30.2