From patchwork Thu Aug 17 01:09:28 2017
X-Patchwork-Submitter: Nicolas Pitre
X-Patchwork-Id: 9904809
Date: Wed, 16 Aug 2017 21:09:28 -0400 (EDT)
From: Nicolas Pitre
To: Alexander Viro
cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] binfmt_elf_fdpic: fix crash on MMU system with dynamic binaries

In elf_fdpic_map_file() there is a test to ensure the dynamic section in user space is properly terminated. However it does so by dereferencing a user address directly. Add proper user space accessor.

Signed-off-by: Nicolas Pitre
--- fs/binfmt_elf_fdpic.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index cf93a4fad0..6ae00b1102 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c 
@@ -830,6 +830,9 @@ static int elf_fdpic_map_file(struct elf_fdpic_params *params, if (phdr->p_vaddr >= seg->p_vaddr && phdr->p_vaddr + phdr->p_memsz <= seg->p_vaddr + seg->p_memsz) { + Elf32_Dyn __user *dyn; + Elf32_Sword d_tag; + params->dynamic_addr = (phdr->p_vaddr - seg->p_vaddr) + seg->addr; @@ -842,8 +845,9 @@ static int elf_fdpic_map_file(struct elf_fdpic_params *params, goto dynamic_error; tmp = phdr->p_memsz / sizeof(Elf32_Dyn); - if (((Elf32_Dyn *) - params->dynamic_addr)[tmp - 1].d_tag != 0) + dyn = (Elf32_Dyn __user *)params->dynamic_addr; + __get_user(d_tag, &dyn[tmp - 1].d_tag); + if (d_tag != 0) goto dynamic_error; break; }
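
Review bot: In the second hunk (@@ -842,8 +845,9 @@) the return value of __get_user() is discarded, so a fault on &dyn[tmp - 1].d_tag cannot be told apart from a successful read. On architectures where the accessor zeroes the destination on failure, the following `if (d_tag != 0)` test would then treat an unreadable dynamic section as properly terminated. Suggest folding the two together, for example `if (__get_user(d_tag, &dyn[tmp - 1].d_tag) || d_tag != 0)` followed by the existing `goto dynamic_error;`. Separately, __get_user() is the variant that does not perform the access_ok() range check, and nothing in the visible context validates the address computed into params->dynamic_addr from the program header values. Either use get_user() here, or add a short comment stating where that range is guaranteed to lie in user space.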