Commit c54de490 authored by Ralf Baechle's avatar Ralf Baechle

MIPS: Module: Deal with malformed HI16/LO16 relocation sequences.

In case a series of R_MIPS_HI16 relocations was not followed by an
R_MIPS_LO16 relocation we were leaking the hi16 relocation chain.
Handle that error and return an error.
Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
parent 861667dc
...@@ -140,19 +140,30 @@ static int apply_r_mips_hi16_rela(struct module *me, u32 *location, Elf_Addr v) ...@@ -140,19 +140,30 @@ static int apply_r_mips_hi16_rela(struct module *me, u32 *location, Elf_Addr v)
return 0; return 0;
} }
static void free_relocation_chain(struct mips_hi16 *l)
{
struct mips_hi16 *next;
while (l) {
next = l->next;
kfree(l);
l = next;
}
}
static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v)
{ {
unsigned long insnlo = *location; unsigned long insnlo = *location;
struct mips_hi16 *l;
Elf_Addr val, vallo; Elf_Addr val, vallo;
struct mips_hi16 *l, *next;
/* Sign extend the addend we extract from the lo insn. */ /* Sign extend the addend we extract from the lo insn. */
vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000; vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000;
if (me->arch.r_mips_hi16_list != NULL) { if (me->arch.r_mips_hi16_list != NULL) {
l = me->arch.r_mips_hi16_list; l = me->arch.r_mips_hi16_list;
while (l != NULL) { while (l != NULL) {
struct mips_hi16 *next;
unsigned long insn; unsigned long insn;
/* /*
...@@ -198,11 +209,8 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) ...@@ -198,11 +209,8 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v)
return 0; return 0;
out_danger: out_danger:
while (l) { free_relocation_chain(l);
next = l->next; me->arch.r_mips_hi16_list = NULL;
kfree(l);
l = next;
}
pr_err("module %s: dangerous R_MIPS_LO16 REL relocation\n", me->name); pr_err("module %s: dangerous R_MIPS_LO16 REL relocation\n", me->name);
...@@ -300,6 +308,19 @@ int apply_relocate(Elf_Shdr *sechdrs, const char *strtab, ...@@ -300,6 +308,19 @@ int apply_relocate(Elf_Shdr *sechdrs, const char *strtab,
return res; return res;
} }
/*
* Normally the hi16 list should be deallocated at this point. A
* malformed binary however could contain a series of R_MIPS_HI16
* relocations not followed by a R_MIPS_LO16 relocation. In that
* case, free up the list and return an error.
*/
if (me->arch.r_mips_hi16_list) {
free_relocation_chain(me->arch.r_mips_hi16_list);
me->arch.r_mips_hi16_list = NULL;
return -ENOEXEC;
}
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment