Prev: [107/140] ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
Next: [115/140] ACPI: skip checking BM_STS if the BIOS doesnt ask for it
From: Greg KH on 30 Jul 2010 13:50
2.6.33-stable review patch. If anyone has any objections, please let us know.

------------------

From: Krzysztof Halasa <khc(a)pm.waw.pl>

commit 1c938663d58b5b2965976a6f54cc51b5d6f691aa upstream.

Alan <alan(a)clueserver.org> writes:

> program: /home/alan/GitTrees/linux-2.6-mid-ref/scripts/mod/modpost -o
> Module.symvers -S vmlinux.o
>
> Program received signal SIGSEGV, Segmentation fault.

It just hit me.
It's the offset calculation in reloc_location() which overflows:
return (void *)elf->hdr + sechdrs[section].sh_offset +
(r->r_offset - sechdrs[section].sh_addr);

E.g. for the first rodata r entry:
r->r_offset < sechdrs[section].sh_addr
and the expression in the parenthesis produces 0xFFFFFFE0 or something
equally wise.

Reported-by: Alan <alan(a)clueserver.org>
Signed-off-by: Krzysztof HaƂasa <khc(a)pm.waw.pl>
Tested-by: Alan <alan(a)clueserver.org>
Signed-off-by: Michal Marek <mmarek(a)suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de>

---
scripts/mod/modpost.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -1318,7 +1318,7 @@ static unsigned int *reloc_location(stru
int section = sechdr->sh_info;

return (void *)elf->hdr + sechdrs[section].sh_offset +
- (r->r_offset - sechdrs[section].sh_addr);
+ r->r_offset - sechdrs[section].sh_addr;
}

static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [107/140] ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
Next: [115/140] ACPI: skip checking BM_STS if the BIOS doesnt ask for it