| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <48119A23.1030604@tiscali.nl>
Date: Fri, 25 Apr 2008 10:45:23 +0200
From: Roel Kluin <12o3l@...cali.nl>
To: Hirokazu Takata <takata@...ux-m32r.org>
CC: linux-m32r@...linux-m32r.org, lkml <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] m32r: test before subtraction on unsigned relocation range
Hirokazu Takata wrote:
> From: Roel Kluin <12o3l@...cali.nl>
> Subject: [PATCH] m32r: test before subtraction on unsigned relocation range
> Date: Wed, 23 Apr 2008 18:34:16 +0200
>> case R_M32R_26_PCREL_RELA:
>> - relocation = (relocation - (Elf32_Addr) location);
>> - if (relocation < -0x2000000 || 0x1fffffc < relocation)
>> + if (relocation + 0x20000 < (Elf32_Addr) location ||
>> + relocation >= 0x1fffc + (Elf32_Addr) location)
>
> A slight fix is required.
>
> The above range check is incorrect, because the R_M32R_26_PCREL_RELA is
> 26-bit relocation.
>
> -- Takata
>
Thanks for spotting this!
---
Relocation is unsigned, test before subtraction
Signed-off-by: Roel Kluin <12o3l@...cali.nl>
---
diff --git a/arch/m32r/kernel/module.c b/arch/m32r/kernel/module.c
index 8d42057..947def6 100644
--- a/arch/m32r/kernel/module.c
+++ b/arch/m32r/kernel/module.c
@@ -171,13 +171,14 @@ int apply_relocate_add(Elf32_Shdr *sechdrs,
COPY_UNALIGNED_WORD (value, *location, align);
break;
case R_M32R_18_PCREL_RELA:
- relocation = (relocation - (Elf32_Addr) location);
- if (relocation < -0x20000 || 0x1fffc < relocation)
+ if (relocation + 0x20000 < (Elf32_Addr) location ||
+ relocation >= 0x1fffc + (Elf32_Addr) location)
{
printk(KERN_ERR "module %s: relocation overflow: %u\n",
- me->name, relocation);
+ me->name, relocation - (Elf32_Addr) location));
return -ENOEXEC;
}
+ relocation = (relocation - (Elf32_Addr) location);
COPY_UNALIGNED_WORD (*location, value, align);
if (value & 0xffff)
{
@@ -203,13 +204,14 @@ int apply_relocate_add(Elf32_Shdr *sechdrs,
COPY_UNALIGNED_HWORD (hvalue, *hlocation, align);
break;
case R_M32R_26_PCREL_RELA:
- relocation = (relocation - (Elf32_Addr) location);
- if (relocation < -0x2000000 || 0x1fffffc < relocation)
+ if (relocation + 0x2000000 < (Elf32_Addr) location ||
+ relocation >= 0x1fffffc + (Elf32_Addr) location)
{
printk(KERN_ERR "module %s: relocation overflow: %u\n",
- me->name, relocation);
+ me->name, relocation - (Elf32_Addr) location));
return -ENOEXEC;
}
+ relocation = (relocation - (Elf32_Addr) location);
COPY_UNALIGNED_WORD (*location, value, align);
if (value & 0xffffff)
{
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists