From: Samuel Holland <samuel.holland@sifive.com>
Date: Wed, 9 Apr 2025 17:14:49 +0000 (-0700)
Subject: riscv: module: Fix out-of-bounds relocation access
X-Git-Tag: v6.15-rc3~23^2^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b4cce68efb93e31a8e51795d696df6e379cb41c;p=thirdparty%2Flinux.git

riscv: module: Fix out-of-bounds relocation access

The current code allows rel[j] to access one element past the end of the
relocation section. Simplify to num_relocations which is equivalent to
the existing size expression.

Fixes: 080c4324fa5e ("riscv: optimize ELF relocation function in riscv")
Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20250409171526.862481-1-samuel.holland@sifive.com
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
---

diff --git a/arch/riscv/kernel/module.c b/arch/riscv/kernel/module.c
index 0ae34d79b87bd..7f6147c18033b 100644
--- a/arch/riscv/kernel/module.c
+++ b/arch/riscv/kernel/module.c
@@ -860,7 +860,7 @@ int apply_relocate_add(Elf_Shdr *sechdrs, const char *strtab,
 				}
 
 				j++;
-				if (j > sechdrs[relsec].sh_size / sizeof(*rel))
+				if (j == num_relocations)
 					j = 0;
 
 			} while (j_idx != j);