arm64/module: revert to unsigned interpretation of ABS16/32 relocations

Commit 1cf24a2cc3fd

  ("arm64/module: deal with ambiguity in PRELxx relocation ranges")

updated the overflow checking logic in the relocation handling code to
ensure that PREL16/32 relocations don't overflow signed quantities.

However, the same code path is used for absolute relocations, where the
interpretation is the opposite: the only current use case for absolute
relocations operating on non-native word size quantities is the CRC32
handling in the CONFIG_MODVERSIONS code, and these CRCs are unsigned
32-bit quantities, which are now being rejected by the module loader
if bit 31 happens to be set.

So let's use different ranges for quanties subject to absolute vs.
relative relocations:
- ABS16/32 relocations should be in the range [0, Uxx_MAX)
- PREL16/32 relocations should be in the range [Sxx_MIN, Sxx_MAX)
- otherwise, print an error since no other 16 or 32 bit wide data
  relocations are currently supported.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>

1 files changed, 30 insertions, 8 deletions

diff --git a/arch/arm64/kernel/module.c b/arch/arm64/kernel/module.c
index f32359cffb01..dd080837e6a9 100644
--- a/arch/arm64/kernel/module.c
+++ b/arch/arm64/kernel/module.c
@@ -98,10 +98,10 @@ static int reloc_data(enum aarch64_reloc_op op, void *place, u64 val, int len)
 
         /*
          * The ELF psABI for AArch64 documents the 16-bit and 32-bit place
-         * relative relocations as having a range of [-2^15, 2^16) or
-         * [-2^31, 2^32), respectively. However, in order to be able to detect
-         * overflows reliably, we have to choose whether we interpret such
-         * quantities as signed or as unsigned, and stick with it.
+         * relative and absolute relocations as having a range of [-2^15, 2^16)
+         * or [-2^31, 2^32), respectively. However, in order to be able to
+         * detect overflows reliably, we have to choose whether we interpret
+         * such quantities as signed or as unsigned, and stick with it.
          * The way we organize our address space requires a signed
          * interpretation of 32-bit relative references, so let's use that
          * for all R_AARCH64_PRELxx relocations. This means our upper
@@ -111,13 +111,35 @@ static int reloc_data(enum aarch64_reloc_op op, void *place, u64 val, int len)
         switch (len) {
         case 16:
                 *(s16 *)place = sval;
-                if (sval < S16_MIN || sval > S16_MAX)
-                        return -ERANGE;
+                switch (op) {
+                case RELOC_OP_ABS:
+                        if (sval < 0 || sval > U16_MAX)
+                                return -ERANGE;
+                        break;
+                case RELOC_OP_PREL:
+                        if (sval < S16_MIN || sval > S16_MAX)
+                                return -ERANGE;
+                        break;
+                default:
+                        pr_err("Invalid 16-bit data relocation (%d)\n", op);
+                        return 0;
+                }
                 break;
         case 32:
                 *(s32 *)place = sval;
-                if (sval < S32_MIN || sval > S32_MAX)
-                        return -ERANGE;
+                switch (op) {
+                case RELOC_OP_ABS:
+                        if (sval < 0 || sval > U32_MAX)
+                                return -ERANGE;
+                        break;
+                case RELOC_OP_PREL:
+                        if (sval < S32_MIN || sval > S32_MAX)
+                                return -ERANGE;
+                        break;
+                default:
+                        pr_err("Invalid 32-bit data relocation (%d)\n", op);
+                        return 0;
+                }
                 break;
         case 64:
                 *(s64 *)place = sval;