lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <5d392867c81da4b667f61430d3aa7065f61b7096.1754385120.git.dan.carpenter@linaro.org>
Date: Tue, 5 Aug 2025 12:29:00 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Val Packett <val@...kett.cool>
Cc: Bjorn Andersson <andersson@...nel.org>,
	Konrad Dybcio <konradybcio@...nel.org>,
	linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] soc: qcom: mdt_loader: Allow empty section headers in
 mdt_header_valid()

The mdt_header_valid() function checks all the members for the elf
header to ensure that reading the firmware doesn't lead to a buffer
overflow or an integer overflow.  However it has a bug, in that it
doesn't allow for firmware with no section headers and this prevents
the firmware from loading.

I know from bug reports that there are firmwares which have zero
section headers, but the same logic applies to program headers.  An
empty program header won't lead to a buffer overflow so it's safe to
allow it.

Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
Cc: stable@...r.kernel.org
Reported-by: Val Packett <val@...kett.cool>
Reported-by: Neil Armstrong <neil.armstrong@...aro.org>
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
 drivers/soc/qcom/mdt_loader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
index 0ca268bdf1f8..d91c5cb325e3 100644
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -32,14 +32,14 @@ static bool mdt_header_valid(const struct firmware *fw)
 	if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
 		return false;
 
-	if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
+	if (ehdr->e_phentsize && ehdr->e_phentsize != sizeof(struct elf32_phdr))
 		return false;
 
 	phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
 	if (phend > fw->size)
 		return false;
 
-	if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+	if (ehdr->e_shentsize && ehdr->e_shentsize != sizeof(struct elf32_shdr))
 		return false;
 
 	shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
-- 
2.47.2


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ