| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5d392867c81da4b667f61430d3aa7065f61b7096.1754385120.git.dan.carpenter@linaro.org>
Date: Tue, 5 Aug 2025 12:29:00 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Val Packett <val@...kett.cool>
Cc: Bjorn Andersson <andersson@...nel.org>,
Konrad Dybcio <konradybcio@...nel.org>,
linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] soc: qcom: mdt_loader: Allow empty section headers in
mdt_header_valid()
The mdt_header_valid() function checks all the members for the elf
header to ensure that reading the firmware doesn't lead to a buffer
overflow or an integer overflow. However it has a bug, in that it
doesn't allow for firmware with no section headers and this prevents
the firmware from loading.
I know from bug reports that there are firmwares which have zero
section headers, but the same logic applies to program headers. An
empty program header won't lead to a buffer overflow so it's safe to
allow it.
Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
Cc: stable@...r.kernel.org
Reported-by: Val Packett <val@...kett.cool>
Reported-by: Neil Armstrong <neil.armstrong@...aro.org>
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
drivers/soc/qcom/mdt_loader.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
index 0ca268bdf1f8..d91c5cb325e3 100644
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -32,14 +32,14 @@ static bool mdt_header_valid(const struct firmware *fw)
if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
return false;
- if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
+ if (ehdr->e_phentsize && ehdr->e_phentsize != sizeof(struct elf32_phdr))
return false;
phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
if (phend > fw->size)
return false;
- if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+ if (ehdr->e_shentsize && ehdr->e_shentsize != sizeof(struct elf32_shdr))
return false;
shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
--
2.47.2
Powered by blists - more mailing lists