Message ID | 20180829115656.9878-1-npiggin@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | b851ba02a6f3075f0f99c60c4bc30a4af80cf428 |
Series | [RFC] powerpc/64/module: REL32 relocation range check |

Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | success | next/apply_patch Successfully applied |
snowpatch_ozlabs/checkpatch | fail | Test checkpatch on branch next |
snowpatch_ozlabs/build-ppc64le | success | Test build-ppc64le on branch next |
snowpatch_ozlabs/build-ppc64be | success | Test build-ppc64be on branch next |
snowpatch_ozlabs/build-ppc64e | success | Test build-ppc64e on branch next |
snowpatch_ozlabs/build-ppc32 | success | Test build-ppc32 on branch next |
On Wed, 2018-08-29 at 11:56:56 UTC, Nicholas Piggin wrote: > The recent module relocation overflow crash demonstrated that we > have no range checking on REL32 relative relocations. This patch > implements a basic check, the same kernel that previously oopsed > and rebooted now continues with some of these errors when loading > the module: > > module_64: x_tables: REL32 527703503449812 out of range! > > Question is whether other relocations (ADDR32, REL16, TOC16, etc.) > should also have overflow checks. > --- > arch/powerpc/kernel/module_64.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c > index a2636c250b7b..2a2fb656d23b 100644 > --- a/arch/powerpc/kernel/module_64.c > +++ b/arch/powerpc/kernel/module_64.c > @@ -678,7 +678,14 @@ int apply_relocate_add(Elf64_Shdr *sechdrs, > > case R_PPC64_REL32: > /* 32 bits relative (used by relative exception tables) */ > - *(u32 *)location = value - (unsigned long)location; > + /* Convert value to relative */ > + value -= (unsigned long)location; > + if (value + 0x80000000 > 0xffffffff) { > + pr_err("%s: REL32 %li out of range!\n", > + me->name, (long int)value); > + return -ENOEXEC; > + } > + *(u32 *)location = value; > break; > > case R_PPC64_TOCSAVE: Applied to powerpc next, thanks. https://git.kernel.org/powerpc/c/b851ba02a6f3075f0f99c60c4bc30a cheers
diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c index a2636c250b7b..2a2fb656d23b 100644 --- a/arch/powerpc/kernel/module_64.c +++ b/arch/powerpc/kernel/module_64.c @@ -678,7 +678,14 @@ int apply_relocate_add(Elf64_Shdr *sechdrs, case R_PPC64_REL32: /* 32 bits relative (used by relative exception tables) */ - *(u32 *)location = value - (unsigned long)location; + /* Convert value to relative */ + value -= (unsigned long)location; + if (value + 0x80000000 > 0xffffffff) { + pr_err("%s: REL32 %li out of range!\n", + me->name, (long int)value); + return -ENOEXEC; + } + *(u32 *)location = value; break; case R_PPC64_TOCSAVE:
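Review bot: The range test in the R_PPC64_REL32 case, `if (value + 0x80000000 > 0xffffffff)`, has no comment explaining the bias trick, and it is only correct if `value` is an unsigned 64-bit quantity, which the `(long int)value` cast in the pr_err suggests. A one-line comment stating the accepted range (-0x80000000 to 0x7fffffff) would help. So would an explicit signed comparison such as `(long)value != (int)value`, or a small helper, which could then be reused if the ADDR32, REL16 and TOC16 cases raised in the commit message get the same check. The pr_err prints only the module name and the offset. Adding the relocation target address (`location`) would make a report like the x_tables one quoted in the message easier to trace back to the offending section. Returning -ENOEXEC before the store is the right order, since the truncated value is never written.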