Re: [PATCH v2 1/3] soc: qcom: mdt_loader: Ensure we don't read past the ELF header
From: Dmitry Baryshkov
Date: Mon Jun 16 2025 - 10:09:35 EST
On Tue, Jun 10, 2025 at 09:58:28PM -0500, Bjorn Andersson wrote:
> When the MDT loader is used in remoteproc, the ELF header is sanitized
> beforehand, but that's not necessarily the case for other clients.
>
> Validate the size of the firmware buffer to ensure that we don't read
> past the end as we iterate over the header. e_phentsize and e_shentsize
> are validated as well, to ensure that the assumptions about step size in
> the traversal are valid.
>
> Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Reported-by: Doug Anderson <dianders@xxxxxxxxxxxx>
> Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxxxxxxxx>
> ---
> drivers/soc/qcom/mdt_loader.c | 43 +++++++++++++++++++++++++++++++++++++++++++

Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxxxxxxxx>

Nit: in theory we don't need to validate section headers since we don't
use them in the loader. However, it's better to be safe than sorry.

> 1 file changed, 43 insertions(+)
>
--
With best wishes
Dmitry
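
The kind of check the commit message describes, as an added user-space example that is not the code from the patch or from the kernel: it rejects an ELF32 image whose program or section header table would run past the end of the buffer, or whose entry sizes differ from the structs used to walk it. The names `elf32_tables_in_bounds`, `table_fits` and `make_sample` are assumptions, the types come from the Linux `<elf.h>`, and the sample image is constructed.

```c
#include <elf.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True if num entries of entsize bytes starting at off fit inside len bytes.
 * A 32-bit offset and a 16-bit * 16-bit product cannot overflow 64 bits. */
static bool table_fits(uint64_t off, uint64_t num, uint64_t entsize, size_t len)
{
    return off <= len && num * entsize <= len - off;
}

/* Hypothetical helper (name is an assumption): bounds-check an ELF32 header. */
bool elf32_tables_in_bounds(const void *buf, size_t len)
{
    Elf32_Ehdr eh;
    if (len < sizeof(eh))
        return false;                 /* too short to hold the header itself */
    memcpy(&eh, buf, sizeof(eh));     /* firmware buffer may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0)
        return false;
    /* A traversal that steps by sizeof(struct) needs matching entry sizes. */
    if (eh.e_phentsize != sizeof(Elf32_Phdr) || eh.e_shentsize != sizeof(Elf32_Shdr))
        return false;
    return table_fits(eh.e_phoff, eh.e_phnum, eh.e_phentsize, len) &&
           table_fits(eh.e_shoff, eh.e_shnum, eh.e_shentsize, len);
}

/* Constructed sample: header claiming phnum phdrs, followed by room bytes. */
size_t make_sample(unsigned char *buf, uint16_t phnum, size_t room)
{
    Elf32_Ehdr eh = { .e_phoff = sizeof(Elf32_Ehdr), .e_phnum = phnum,
                      .e_phentsize = sizeof(Elf32_Phdr),
                      .e_shentsize = sizeof(Elf32_Shdr) };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    memset(buf, 0, sizeof(eh) + room);
    memcpy(buf, &eh, sizeof(eh));
    return sizeof(eh) + room;
}

int main(void)
{
    unsigned char buf[512];
    size_t len = make_sample(buf, 3, 2 * sizeof(Elf32_Phdr)); /* claims 3, holds 2 */
    printf("3 phdrs claimed, room for 2: %s\n",
           elf32_tables_in_bounds(buf, len) ? "accepted" : "rejected");
    return 0;
}
```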