]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commitdiff
ARM: 8650/1: module: handle negative R_ARM_PREL31 addends correctly
authorArd Biesheuvel <ard.biesheuvel@linaro.org>
Mon, 30 Jan 2017 17:29:28 +0000 (18:29 +0100)
committerRussell King <rmk+kernel@armlinux.org.uk>
Tue, 28 Feb 2017 11:06:15 +0000 (11:06 +0000)
According to the spec 'ELF for the ARM Architecture' (IHI 0044E),
addends for R_ARM_PREL31 relocations are 31-bit signed quantities,
so we need to sign extend the value to 32 bits before it can be used
as an offset in the calculation of the relocated value.

We have not been bitten by this because these relocations are usually
emitted against the start of a section, which means the addends never
assume negative values in practice. But it is a bug nonetheless, so fix
it.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
arch/arm/kernel/module.c

index 4f14b5ce6535f7a19215660ebb4b3e62bd6ea5ed..80254b47dc3420ec11cb6611f645d5b1faf55b66 100644 (file)
@@ -155,8 +155,17 @@ apply_relocate(Elf32_Shdr *sechdrs, const char *strtab, unsigned int symindex,
                       break;
 
                case R_ARM_PREL31:
-                       offset = *(u32 *)loc + sym->st_value - loc;
-                       *(u32 *)loc = offset & 0x7fffffff;
+                       offset = (*(s32 *)loc << 1) >> 1; /* sign extend */
+                       offset += sym->st_value - loc;
+                       if (offset >= 0x40000000 || offset < -0x40000000) {
+                               pr_err("%s: section %u reloc %u sym '%s': relocation %u out of range (%#lx -> %#x)\n",
+                                      module->name, relindex, i, symname,
+                                      ELF32_R_TYPE(rel->r_info), loc,
+                                      sym->st_value);
+                               return -ENOEXEC;
+                       }
+                       *(u32 *)loc &= 0x80000000;
+                       *(u32 *)loc |= offset & 0x7fffffff;
                        break;
 
                case R_ARM_MOVW_ABS_NC: