lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 10 May 2017 17:05:11 -0700
From:   Bjorn Andersson <bjorn.andersson@...aro.org>
To:     Henri Roosen <henri.roosen@...zinger.com>
Cc:     linux-remoteproc@...r.kernel.org, Ohad Ben-Cohen <ohad@...ery.com>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/1] remoteproc: fix elf_loader da_to_va translation and
 writing beyond segment

On Wed 03 May 05:12 PDT 2017, Henri Roosen wrote:

> Consider a system with 2 memory regions:
> 0x1fff8000 - 0x1fffffff: iram

So I presume there's a hole here.

> 0x21000000 - 0x21007fff: dram
> 
> The .elf file for this system contains the following Program Headers:
> Program Headers:
>   Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
>   LOAD           0x000094 0x1fff8000 0x1fff8000 0x00240 0x00240 R   0x4
>   LOAD           0x0002e0 0x1fff8240 0x1fff8240 0x03d1c 0x03d1c RWE 0x10
>   LOAD           0x003ffc 0x21000000 0x1fffbf5c 0x001cc 0x048a0 RW  0x4
> 

Your ELF header states that there is a segment of 0x48a0 bytes starting
at 0x1fffbf5c, but your iram ends after 0x40a3 bytes. I assume your
MemSiz comes from some linker script, which would mean that your
firmware expects to be able to use all 0x48a0 bytes, which should be
invalid.

>  Section to Segment mapping:
>   Segment Sections...
>    00     .interrupts
>    01     .text .ARM .init_array .fini_array
>    02     .data .bss .heap .stack
> 
> The problem is with the 3rd segment: it has 0x1cc bytes of ROM .data
> which need to be placed at PhysAddr 0x1fffbf5c. Using MemSiz as len
> parameter for rproc_da_to_va is incorrect (goes beyond 0x1fffffff). The
> correct len parameter to be used here is FileSiz.
> 

The fact that MemSiz is larger than FileSiz makes sense because you have
.bss, .heap and .stack there - which we conveniently clear for you.

> The actual memcpy of the segment was already correctly using the FileSiz
> for length, however the unnecessary "Zero out remaining memory" would
> write beyond the 0x1fffffff end of the memory region! This patch removes
> the harmful code.
> 

Perhaps I'm missing something, but I think the problem is that your
memory map is broken. We do want to clear out the remaining part of each
segment.



Note though that we don't yet have means to direct your carveout
allocations to the two segments and get the firmware loaded at the
physical addresses specified.

Regards,
Bjorn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ