diff mbox

[v5,12/15] binfmt_flat: allow compressed flat binary format to work on MMU systems

Message ID 1469374229-21585-13-git-send-email-nicolas.pitre@linaro.org (mailing list archive)
State New, archived
Headers show

Commit Message

Nicolas Pitre July 24, 2016, 3:30 p.m. UTC
Let's take the simple and obvious approach by decompressing the binary
into a kernel buffer and then copying it to user space.  Those who are
looking for top performance on an MMU system are unlikely to choose this
executable format anyway.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
Reviewed-by: Greg Ungerer <gerg@linux-m68k.org>
---
 fs/binfmt_flat.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

Comments

Arnd Bergmann July 24, 2016, 7:48 p.m. UTC | #1
On Sunday, July 24, 2016 11:30:26 AM CEST Nicolas Pitre wrote:
> +#else
> +                       /*
> +                        * This is used on MMU systems mainly for testing.
> +                        * Let's use a kernel buffer to simplify things.
> +                        */
> +                       long unz_text_len = text_len - sizeof(struct flat_hdr);
> +                       long unz_len = unz_text_len + full_data;
> +                       char *unz_data = vmalloc(unz_len);
> +                       if (!unz_data) {
> +                               result = -ENOMEM;
> 

Is there a risk of a malicious user exhausting vmalloc space with a
binary that has forged headers? If there is, maybe put an upper bound on
the size of allocation.

More broadly speaking, are there any other attacks that may get enabled
through forged binaries? We've had a couple of vulnerabilities in
binfmt_elf over the years, and I wonder how dangerous it might be
if distros turn on binfmt_flat support by default.

	Arnd

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Nicolas Pitre July 24, 2016, 8:25 p.m. UTC | #2
On Sun, 24 Jul 2016, Arnd Bergmann wrote:

> On Sunday, July 24, 2016 11:30:26 AM CEST Nicolas Pitre wrote:
> > +#else
> > +                       /*
> > +                        * This is used on MMU systems mainly for testing.
> > +                        * Let's use a kernel buffer to simplify things.
> > +                        */
> > +                       long unz_text_len = text_len - sizeof(struct flat_hdr);
> > +                       long unz_len = unz_text_len + full_data;
> > +                       char *unz_data = vmalloc(unz_len);
> > +                       if (!unz_data) {
> > +                               result = -ENOMEM;
> > 
> 
> Is there a risk of a malicious user exhausting vmalloc space with a
> binary that has forged headers? If there is, maybe put an upper bound on
> the size of allocation.

Patch #3 enforces a cap on all parameters to avoid overflows and 
unreasonable section sizes.

Then vmalloc space is used here only for decompressing the binary into, 
after which the whole thing is copied to user space and the vmalloc area 
is freed right away.

> More broadly speaking, are there any other attacks that may get enabled
> through forged binaries? We've had a couple of vulnerabilities in
> binfmt_elf over the years, and I wonder how dangerous it might be
> if distros turn on binfmt_flat support by default.

That was Alan's concern too which prompted patch #3. But with a clamp on 
all parameters, everything else is done via user accessors.  So an 
executable still can crap onto itself or generate a segfault but I doubt 
we really care at that point.


Nicolas
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Arnd Bergmann July 25, 2016, 8:18 a.m. UTC | #3
On Sunday, July 24, 2016 4:25:16 PM CEST Nicolas Pitre wrote:
> On Sun, 24 Jul 2016, Arnd Bergmann wrote:
> 
> > On Sunday, July 24, 2016 11:30:26 AM CEST Nicolas Pitre wrote:
> > > +#else
> > > +                       /*
> > > +                        * This is used on MMU systems mainly for testing.
> > > +                        * Let's use a kernel buffer to simplify things.
> > > +                        */
> > > +                       long unz_text_len = text_len - sizeof(struct flat_hdr);
> > > +                       long unz_len = unz_text_len + full_data;
> > > +                       char *unz_data = vmalloc(unz_len);
> > > +                       if (!unz_data) {
> > > +                               result = -ENOMEM;
> > > 
> > 
> > Is there a risk of a malicious user exhausting vmalloc space with a
> > binary that has forged headers? If there is, maybe put an upper bound on
> > the size of allocation.
> 
> Patch #3 enforces a cap on all parameters to avoid overflows and 
> unreasonable section sizes.
> 
> Then vmalloc space is used here only for decompressing the binary into, 
> after which the whole thing is copied to user space and the vmalloc area 
> is freed right away.
> 
> > More broadly speaking, are there any other attacks that may get enabled
> > through forged binaries? We've had a couple of vulnerabilities in
> > binfmt_elf over the years, and I wonder how dangerous it might be
> > if distros turn on binfmt_flat support by default.
> 
> That was Alan's concern too which prompted patch #3. But with a clamp on 
> all parameters, everything else is done via user accessors.  So an 
> executable still can crap onto itself or generate a segfault but I doubt 
> we really care at that point.
> 

Ok, sounds good.

	Arnd

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
index 7b999aebad..98cfefadb6 100644
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -34,6 +34,7 @@ 
 #include <linux/init.h>
 #include <linux/flat.h>
 #include <linux/uaccess.h>
+#include <linux/vmalloc.h>
 
 #include <asm/byteorder.h>
 #include <asm/unaligned.h>
@@ -628,6 +629,7 @@  static int load_flat_file(struct linux_binprm *bprm,
 		 * load it all in and treat it like a RAM load from now on
 		 */
 		if (flags & FLAT_FLAG_GZIP) {
+#ifndef CONFIG_MMU
 			result = decompress_exec(bprm, sizeof(struct flat_hdr),
 					 (((char *)textpos) + sizeof(struct flat_hdr)),
 					 (text_len + full_data
@@ -635,13 +637,51 @@  static int load_flat_file(struct linux_binprm *bprm,
 					 0);
 			memmove((void *) datapos, (void *) realdatastart,
 					full_data);
+#else
+			/*
+			 * This is used on MMU systems mainly for testing.
+			 * Let's use a kernel buffer to simplify things.
+			 */
+			long unz_text_len = text_len - sizeof(struct flat_hdr);
+			long unz_len = unz_text_len + full_data;
+			char *unz_data = vmalloc(unz_len);
+			if (!unz_data) {
+				result = -ENOMEM;
+			} else {
+				result = decompress_exec(bprm, sizeof(struct flat_hdr),
+							 unz_data, unz_len, 0);
+				if (result == 0 &&
+				    (copy_to_user((void __user *)textpos + sizeof(struct flat_hdr),
+						  unz_data, unz_text_len) ||
+				     copy_to_user((void __user *)datapos,
+						  unz_data + unz_text_len, full_data)))
+					result = -EFAULT;
+				vfree(unz_data);
+			}
+#endif
 		} else if (flags & FLAT_FLAG_GZDATA) {
 			result = read_code(bprm->file, textpos, 0, text_len);
-			if (!IS_ERR_VALUE(result))
+			if (!IS_ERR_VALUE(result)) {
+#ifndef CONFIG_MMU
 				result = decompress_exec(bprm, text_len, (char *) datapos,
 						 full_data, 0);
-		} else
+#else
+				char *unz_data = vmalloc(full_data);
+				if (!unz_data) {
+					result = -ENOMEM;
+				} else {
+					result = decompress_exec(bprm, text_len,
+						       unz_data, full_data, 0);
+					if (result == 0 &&
+					    copy_to_user((void __user *)datapos,
+							 unz_data, full_data))
+						result = -EFAULT;
+					vfree(unz_data);
+				}
 #endif
+			}
+		} else
+#endif /* CONFIG_BINFMT_ZFLAT */
 		{
 			result = read_code(bprm->file, textpos, 0, text_len);
 			if (!IS_ERR_VALUE(result))