git.ipfire.org Git - thirdparty/linux.git/commitdiff
riscv: module: Fix out-of-bounds relocation access
author Samuel Holland <samuel.holland@sifive.com>
Wed, 9 Apr 2025 17:14:49 +0000 (10:14 -0700)
committer Alexandre Ghiti <alexghiti@rivosinc.com>
Mon, 14 Apr 2025 13:07:07 +0000 (13:07 +0000)
The current code allows rel[j] to access one element past the end of the
relocation section. Simplify to num_relocations which is equivalent to
the existing size expression.

Fixes: 080c4324fa5e ("riscv: optimize ELF relocation function in riscv")
Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20250409171526.862481-1-samuel.holland@sifive.com
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
arch/riscv/kernel/module.c

index 0ae34d79b87bd9b53a9c989bfbc09e5f78255c22..7f6147c18033b20b249f1d2483236aae6e5c1869 100644 (file)
@@ -860,7 +860,7 @@ int apply_relocate_add(Elf_Shdr *sechdrs, const char *strtab,
                                }
 
                                j++;
-                               if (j > sechdrs[relsec].sh_size / sizeof(*rel))
+                               if (j == num_relocations)
                                        j = 0;
 
                        } while (j_idx != j);
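Review bot: The wrap test on the added line uses `j == num_relocations`, which only holds if j always enters this loop below num_relocations; `j >= num_relocations` costs nothing and would also wrap if j ever started at or beyond the count. The definition of num_relocations is outside this hunk, so it is worth confirming that it is computed from sechdrs[relsec].sh_size / sizeof(*rel) for the same relsec, as the commit message states, and that it is not modified inside the loop. A one-line comment above the check saying that j indexes rel[] and must stay in the range 0 to num_relocations - 1 would record why the old `>` comparison was off by one.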