MIPS: Module: Deal with malformed HI16/LO16 relocation sequences. (c54de490) · Commits · e / devices / android_kernel_fairphone_FP3

arch/mips/kernel/module.c

+28 −7

Original line number	Diff line number	Diff line
		@@ -140,19 +140,30 @@ static int apply_r_mips_hi16_rela(struct module me, u32 location, Elf_Addr v)
		return 0;
		}

		static void free_relocation_chain(struct mips_hi16 *l)
		{
		struct mips_hi16 *next;

		while (l) {
		next = l->next;
		kfree(l);
		l = next;
		}
		}

		static int apply_r_mips_lo16_rel(struct module me, u32 location, Elf_Addr v)
		{
		unsigned long insnlo = *location;
		struct mips_hi16 *l;
		Elf_Addr val, vallo;
		struct mips_hi16 l, next;

		/* Sign extend the addend we extract from the lo insn. */
		vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000;

		if (me->arch.r_mips_hi16_list != NULL) {

		l = me->arch.r_mips_hi16_list;
		while (l != NULL) {
		struct mips_hi16 *next;
		unsigned long insn;

		/*
		@@ -198,11 +209,8 @@ static int apply_r_mips_lo16_rel(struct module me, u32 location, Elf_Addr v)
		return 0;

		out_danger:
		while (l) {
		next = l->next;
		kfree(l);
		l = next;
		}
		free_relocation_chain(l);
		me->arch.r_mips_hi16_list = NULL;

		pr_err("module %s: dangerous R_MIPS_LO16 REL relocation\n", me->name);

		@@ -300,6 +308,19 @@ int apply_relocate(Elf_Shdr sechdrs, const char strtab,
		return res;
		}

		/*
		* Normally the hi16 list should be deallocated at this point. A
		* malformed binary however could contain a series of R_MIPS_HI16
		* relocations not followed by a R_MIPS_LO16 relocation. In that
		* case, free up the list and return an error.
		*/
		if (me->arch.r_mips_hi16_list) {
		free_relocation_chain(me->arch.r_mips_hi16_list);
		me->arch.r_mips_hi16_list = NULL;

		return -ENOEXEC;
		}

		return 0;
		}