soc: qcom: mdt_loader: Ensure we don't read past the ELF header
authorBjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Wed, 11 Jun 2025 02:58:28 +0000 (21:58 -0500)
committerBjorn Andersson <andersson@kernel.org>
Tue, 17 Jun 2025 03:19:52 +0000 (22:19 -0500)
commit9f9967fed9d066ed3dae9372b45ffa4f6fccfeef
tree85c8015e958578714e825cb0b100baf744f033bd
parent19272b37aa4f83ca52bdf9c16d5d81bdd1354494
soc: qcom: mdt_loader: Ensure we don't read past the ELF header

When the MDT loader is used in remoteproc, the ELF header is sanitized
beforehand, but that's not necessary the case for other clients.

Validate the size of the firmware buffer to ensure that we don't read
past the end as we iterate over the header. e_phentsize and e_shentsize
are validated as well, to ensure that the assumptions about step size in
the traversal are valid.

Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
Cc: stable@vger.kernel.org
Reported-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
drivers/soc/qcom/mdt_loader.c