|
|
@@ -140,19 +140,30 @@ static int apply_r_mips_hi16_rela(struct module *me, u32 *location, Elf_Addr v)
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
+static void free_relocation_chain(struct mips_hi16 *l)
|
|
|
+{
|
|
|
+ struct mips_hi16 *next;
|
|
|
+
|
|
|
+ while (l) {
|
|
|
+ next = l->next;
|
|
|
+ kfree(l);
|
|
|
+ l = next;
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v)
|
|
|
{
|
|
|
unsigned long insnlo = *location;
|
|
|
+ struct mips_hi16 *l;
|
|
|
Elf_Addr val, vallo;
|
|
|
- struct mips_hi16 *l, *next;
|
|
|
|
|
|
/* Sign extend the addend we extract from the lo insn. */
|
|
|
vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000;
|
|
|
|
|
|
if (me->arch.r_mips_hi16_list != NULL) {
|
|
|
-
|
|
|
l = me->arch.r_mips_hi16_list;
|
|
|
while (l != NULL) {
|
|
|
+ struct mips_hi16 *next;
|
|
|
unsigned long insn;
|
|
|
|
|
|
/*
|
|
|
@@ -198,11 +209,8 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v)
|
|
|
return 0;
|
|
|
|
|
|
out_danger:
|
|
|
- while (l) {
|
|
|
- next = l->next;
|
|
|
- kfree(l);
|
|
|
- l = next;
|
|
|
- }
|
|
|
+ free_relocation_chain(l);
|
|
|
+ me->arch.r_mips_hi16_list = NULL;
|
|
|
|
|
|
pr_err("module %s: dangerous R_MIPS_LO16 REL relocation\n", me->name);
|
|
|
|
|
|
@@ -300,6 +308,19 @@ int apply_relocate(Elf_Shdr *sechdrs, const char *strtab,
|
|
|
return res;
|
|
|
}
|
|
|
|
|
|
+ /*
|
|
|
+ * Normally the hi16 list should be deallocated at this point. A
|
|
|
+ * malformed binary however could contain a series of R_MIPS_HI16
|
|
|
+ * relocations not followed by a R_MIPS_LO16 relocation. In that
|
|
|
+ * case, free up the list and return an error.
|
|
|
+ */
|
|
|
+ if (me->arch.r_mips_hi16_list) {
|
|
|
+ free_relocation_chain(me->arch.r_mips_hi16_list);
|
|
|
+ me->arch.r_mips_hi16_list = NULL;
|
|
|
+
|
|
|
+ return -ENOEXEC;
|
|
|
+ }
|
|
|
+
|
|
|
return 0;
|
|
|
}
|
|
|
|
Ralf Baechle