lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210119155703.GA611676@xps15>
Date:   Tue, 19 Jan 2021 08:57:03 -0700
From:   Mathieu Poirier <mathieu.poirier@...aro.org>
To:     Bjorn Andersson <bjorn.andersson@...aro.org>
Cc:     Andy Gross <agross@...nel.org>, Ohad Ben-Cohen <ohad@...ery.com>,
        Sibi Sankar <sibis@...eaurora.org>,
        linux-arm-msm@...r.kernel.org, linux-remoteproc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] remoteproc: qcom_q6v5_mss: Validate p_filesz in ELF
 loader

On Wed, Jan 13, 2021 at 04:03:59PM -0600, Bjorn Andersson wrote:
> On Wed 13 Jan 15:22 CST 2021, Mathieu Poirier wrote:
> 
> > Hi Bjorn,
> > 
> > On Thu, Jan 07, 2021 at 03:50:53PM -0800, Bjorn Andersson wrote:
> > > Analog to the issue in the common mdt_loader code the MSS ELF loader
> > > does not validate that p_filesz bytes will fit in the memory region and
> > > that the loaded segments are not truncated. Fix this in the same way
> > > as proposed for the mdt_loader.
> > > 
> > > Fixes: 135b9e8d1cd8 ("remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load")
> > > Signed-off-by: Bjorn Andersson <bjorn.andersson@...aro.org>
> > > ---
> > >  drivers/remoteproc/qcom_q6v5_mss.c | 17 +++++++++++++++++
> > >  1 file changed, 17 insertions(+)
> > > 
> > > diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
> > > index 66106ba25ba3..2b59e0cbdce1 100644
> > > --- a/drivers/remoteproc/qcom_q6v5_mss.c
> > > +++ b/drivers/remoteproc/qcom_q6v5_mss.c
> > > @@ -1210,6 +1210,14 @@ static int q6v5_mpss_load(struct q6v5 *qproc)
> > >  			goto release_firmware;
> > >  		}
> > >  
> > > +		if (phdr->p_filesz > phdr->p_memsz) {
> > > +			dev_err(qproc->dev,
> > > +				"refusing to load segment %d with p_filesz > p_memsz\n",
> > > +				i);
> > > +			ret = -EINVAL;
> > > +			break;
> > 
> > Based on the error handling for the above and below conditions, I would have
> > expected a "goto release_firmware" rather than a "break".
> > 
> 
> You're certainly right!
> 
> Yet another reason for the duplication between this function, the
> mdt_loader and the remoteproc_elf_loader is a bad idea - still not sure
> how to refactor any one of them to fit the three.

I feel the same way about duplication.  On the flip side I don't think we have
to take immediate action... The solution will come out at some point when there
is more convergence.  At least we know it is an area that needs attention.

> 
> Thank you,
> Bjorn
> 
> > > +		}
> > > +
> > >  		ptr = memremap(qproc->mpss_phys + offset, phdr->p_memsz, MEMREMAP_WC);
> > >  		if (!ptr) {
> > >  			dev_err(qproc->dev,
> > > @@ -1241,6 +1249,15 @@ static int q6v5_mpss_load(struct q6v5 *qproc)
> > >  				goto release_firmware;
> > >  			}
> > >  
> > > +			if (seg_fw->size != phdr->p_filesz) {
> > > +				dev_err(qproc->dev,
> > > +					"failed to load segment %d from truncated file %s\n",
> > > +					i, fw_name);
> > > +				ret = -EINVAL;
> > > +				memunmap(ptr);
> > > +				break;
> > 
> > Same here.
> > 
> > > +			}
> > > +
> > >  			release_firmware(seg_fw);
> > >  		}
> > 
> > Thanks,
> > Mathieu
> > 
> > >  
> > > -- 
> > > 2.29.2
> > > 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ