Commit 63880b2f authored Aug 29, 2018 by Nicholas Piggin Committed by Greg Kroah-Hartman Nov 21, 2018

powerpc/64/module: REL32 relocation range check



[ Upstream commit b851ba02a6f3075f0f99c60c4bc30a4af80cf428 ]

The recent module relocation overflow crash demonstrated that we
have no range checking on REL32 relative relocations. This patch
implements a basic check, the same kernel that previously oopsed
and rebooted now continues with some of these errors when loading
the module:

  module_64: x_tables: REL32 527703503449812 out of range!

Possibly other relocations (ADDR32, REL16, TOC16, etc.) should also have
overflow checks.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 54de3d7d

arch/powerpc/kernel/module_64.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -680,7 +680,14 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,

		case R_PPC64_REL32:
		/* 32 bits relative (used by relative exception tables) */
		(u32 )location = value - (unsigned long)location;
		/* Convert value to relative */
		value -= (unsigned long)location;
		if (value + 0x80000000 > 0xffffffff) {
		pr_err("%s: REL32 %li out of range!\n",
		me->name, (long int)value);
		return -ENOEXEC;
		}
		(u32 )location = value;
		break;

		case R_PPC64_TOCSAVE: