From: Dan Carpenter <dan.carpenter@linaro.org> stable inclusion from stable-v6.6.103 commit 72ff3acf00443119779bb44773c796b26ba37f8c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICXMCU CVE: CVE-2025-39787 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit 9f35ab0e53ccbea57bb9cbad8065e0406d516195 upstream. This function is supposed to return true for valid headers and false for invalid. In a couple places it returns -EINVAL instead which means the invalid headers are counted as true. Change it to return false. Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Link: https://lore.kernel.org/r/db57c01c-bdcc-4a0f-95db-b0f2784ea91f@sabinyo.mount... Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Chen Jinghuang <chenjinghuang2@huawei.com> --- drivers/soc/qcom/mdt_loader.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index 2834f0771d3f..f49f21cf3b4b 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -32,14 +32,14 @@ static bool mdt_header_valid(const struct firmware *fw) return false; if (ehdr->e_phentsize != sizeof(struct elf32_phdr)) - return -EINVAL; + return false; phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff); if (phend > fw->size) return false; if (ehdr->e_shentsize != sizeof(struct elf32_shdr)) - return -EINVAL; + return false; shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff); if (shend > fw->size) -- 2.34.1