Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

remoteproc: look for truncated firmware images

Make sure firmware isn't truncated before accessing its data.

Reported-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
Ohad Ben-Cohen 13 years ago
parent
63d667bf53
commit
9bc9123117
1 changed files with 30 additions and 5 deletions
Split View Show Diff Stats
  1. 30 5
      drivers/remoteproc/remoteproc_core.c

+ 30 - 5
drivers/remoteproc/remoteproc_core.c
View File 

@@ -191,6 +191,7 @@ static void *rproc_da_to_va(struct rproc *rproc, u64 da, int len)
 
  * rproc_load_segments() - load firmware segments to memory
 
  * @rproc: remote processor which will be booted using these fw segments
 
  * @elf_data: the content of the ELF firmware image
 
+ * @len: firmware size (in bytes)
 
  *
 
  * This function loads the firmware segments to memory, where the remote
 
  * processor expects them.
 
@@ -211,7 +212,8 @@ static void *rproc_da_to_va(struct rproc *rproc, u64 da, int len)
 
  * directly allocate memory for every segment/resource. This is not yet
 
  * supported, though.
 
  */
 
-static int rproc_load_segments(struct rproc *rproc, const u8 *elf_data)
 
+static int
 
+rproc_load_segments(struct rproc *rproc, const u8 *elf_data, size_t len)
 
 {
 
 	struct device *dev = rproc->dev;
 
 	struct elf32_hdr *ehdr;
 
@@ -226,6 +228,7 @@ static int rproc_load_segments(struct rproc *rproc, const u8 *elf_data)
 
 		u32 da = phdr->p_paddr;
 
 		u32 memsz = phdr->p_memsz;
 
 		u32 filesz = phdr->p_filesz;
 
+		u32 offset = phdr->p_offset;
 
 		void *ptr;
 
 
 		if (phdr->p_type != PT_LOAD)
 
@@ -241,6 +244,13 @@ static int rproc_load_segments(struct rproc *rproc, const u8 *elf_data)
 
 			break;
 
 		}
 
 
+		if (offset + filesz > len) {
 
+			dev_err(dev, "truncated fw: need 0x%x avail 0x%x\n",
 
+					offset + filesz, len);
 
+			ret = -EINVAL;
 
+			break;
 
+		}
 
+
 
 		/* grab the kernel address for this device address */
 
 		ptr = rproc_da_to_va(rproc, da, memsz);
 
 		if (!ptr) {
 
@@ -712,6 +722,7 @@ rproc_handle_virtio_rsc(struct rproc *rproc, struct fw_resource *rsc, int len)
 
  * rproc_handle_resources() - find and handle the resource table
 
  * @rproc: the rproc handle
 
  * @elf_data: the content of the ELF firmware image
 
+ * @len: firmware size (in bytes)
 
  * @handler: function that should be used to handle the resource table
 
  *
 
  * This function finds the resource table inside the remote processor's
 
@@ -725,7 +736,7 @@ rproc_handle_virtio_rsc(struct rproc *rproc, struct fw_resource *rsc, int len)
 
  * processors that don't need a resource table.
 
  */
 
 static int rproc_handle_resources(struct rproc *rproc, const u8 *elf_data,
 
-					rproc_handle_resources_t handler)
 
+				size_t len, rproc_handle_resources_t handler)
 
 
 {
 
 	struct elf32_hdr *ehdr;
 
@@ -743,6 +754,13 @@ static int rproc_handle_resources(struct rproc *rproc, const u8 *elf_data,
 
 			struct fw_resource *table = (struct fw_resource *)
 
 						(elf_data + shdr->sh_offset);
 
 
+			if (shdr->sh_offset + shdr->sh_size > len) {
 
+				dev_err(rproc->dev,
 
+					"truncated fw: need 0x%x avail 0x%x\n",
 
+					shdr->sh_offset + shdr->sh_size, len);
 
+				ret = -EINVAL;
 
+			}
 
+
 
 			ret = handler(rproc, table, shdr->sh_size);
 
 
 			break;
 
@@ -833,6 +851,11 @@ static int rproc_fw_sanity_check(struct rproc *rproc, const struct firmware *fw)
 
 
 	ehdr = (struct elf32_hdr *)fw->data;
 
 
+	if (fw->size < ehdr->e_shoff + sizeof(struct elf32_shdr)) {
 
+		dev_err(dev, "Image is too small\n");
 
+		return -EINVAL;
 
+	}
 
+
 
 	if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG)) {
 
 		dev_err(dev, "Image is corrupted (bad magic)\n");
 
 		return -EINVAL;
 
@@ -887,14 +910,15 @@ static int rproc_fw_boot(struct rproc *rproc, const struct firmware *fw)
 
 	rproc->bootaddr = ehdr->e_entry;
 
 
 	/* handle fw resources which are required to boot rproc */
 
-	ret = rproc_handle_resources(rproc, fw->data, rproc_handle_boot_rsc);
 
+	ret = rproc_handle_resources(rproc, fw->data, fw->size,
 
+						rproc_handle_boot_rsc);
 
 	if (ret) {
 
 		dev_err(dev, "Failed to process resources: %d\n", ret);
 
 		goto clean_up;
 
 	}
 
 
 	/* load the ELF segments to memory */
 
-	ret = rproc_load_segments(rproc, fw->data);
 
+	ret = rproc_load_segments(rproc, fw->data, fw->size);
 
 	if (ret) {
 
 		dev_err(dev, "Failed to load program segments: %d\n", ret);
 
 		goto clean_up;
 
@@ -937,7 +961,8 @@ static void rproc_fw_config_virtio(const struct firmware *fw, void *context)
 
 		goto out;
 
 
 	/* does the fw supports any virtio devices ? */
 
-	ret = rproc_handle_resources(rproc, fw->data, rproc_handle_virtio_rsc);
 
+	ret = rproc_handle_resources(rproc, fw->data, fw->size,
 
+						rproc_handle_virtio_rsc);
 
 	if (ret) {
 
 		dev_info(dev, "No fw virtio device was found\n");
 
 		goto out;