From patchwork Fri Sep 29 03:24:31 2023
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13403635
From: Kees Cook
To: Eric Biederman
Cc: Kees Cook, Alexander Viro, Christian Brauner, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Pedro Falcato, Sebastian Ott, Thomas Weißschuh, Andrew Morton, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v4 3/6] binfmt_elf: Use elf_load() for interpreter
Date: Thu, 28 Sep 2023 20:24:31 -0700
Message-Id: <20230929032435.2391507-3-keescook@chromium.org>
In-Reply-To: <20230929031716.it.155-kees@kernel.org>
References: <20230929031716.it.155-kees@kernel.org>

Handle arbitrary memsz>filesz in interpreter ELF segments, instead of only supporting it in the last segment (which is expected to be the BSS).

Cc: Eric Biederman
Cc: Alexander Viro
Cc: Christian Brauner
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
Reported-by: Pedro Falcato
Closes: https://lore.kernel.org/lkml/20221106021657.1145519-1-pedro.falcato@gmail.com/
Signed-off-by: Kees Cook
--- fs/binfmt_elf.c | 46 +--------------------------------------------- 1 file changed, 1 insertion(+), 45 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 0214d5a949fc..db47cb802f89 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c
@@ -622,8 +622,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, struct elf_phdr *eppnt; unsigned long load_addr = 0; int load_addr_set = 0; - unsigned long last_bss = 0, elf_bss = 0; - int bss_prot = 0; unsigned long error = ~0UL; unsigned long total_size; int i; @@ -660,7 +658,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, else if (no_base && interp_elf_ex->e_type == ET_DYN) load_addr = -vaddr; - map_addr = elf_map(interpreter, load_addr + vaddr, + map_addr = elf_load(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type, total_size); total_size = 0; error = map_addr; @@ -686,51 +684,9 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, error = -ENOMEM; goto out; } - - /* - * Find the end of the file mapping for this phdr, and - * keep track of the largest address we see for this. - */ - k = load_addr + eppnt->p_vaddr + eppnt->p_filesz; - if (k > elf_bss) - elf_bss = k; - - /* - * Do the same thing for the memory mapping - between - * elf_bss and last_bss is the bss section. - */ - k = load_addr + eppnt->p_vaddr + eppnt->p_memsz; - if (k > last_bss) { - last_bss = k; - bss_prot = elf_prot; - } } } - /* - * Now fill out the bss section: first pad the last page from - * the file up to the page boundary, and zero it from elf_bss - * up to the end of the page. - */ - if (padzero(elf_bss)) { - error = -EFAULT; - goto out; - } - /* - * Next, align both the file and mem bss up to the page size, - * since this is where elf_bss was just zeroed up to, and where - * last_bss will end after the vm_brk_flags() below. - */ - elf_bss = ELF_PAGEALIGN(elf_bss); - last_bss = ELF_PAGEALIGN(last_bss); - /* Finally, if there is still more bss to allocate, do it. */ - if (last_bss > elf_bss) { - error = vm_brk_flags(elf_bss, last_bss - elf_bss, - bss_prot & PROT_EXEC ? VM_EXEC : 0); - if (error) - goto out; - } - error = load_addr; out: return error;
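Review bot: In the second hunk (@@ -660,7 +658,7 @@), the call site that now reads `map_addr = elf_load(interpreter, load_addr + vaddr,` carries no comment saying that elf_load() is what handles p_memsz > p_filesz for each PT_LOAD, while the patch deletes every comment that described the zero-fill and the anonymous tail. A one-line comment above the call would keep that knowledge next to the loop. elf_load() is not defined in this patch (this is 3/6), so its return convention has to be checked against the unchanged `error = map_addr;` that follows, in particular that a failure inside its zero-fill or anonymous-mapping step comes back as a value the existing error path catches.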
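Review bot: The tail removed in the third hunk (@@ -686,51 +684,9 @@) had two failure exits, `error = -EFAULT` when `padzero(elf_bss)` failed and the propagated `vm_brk_flags()` error, and the commit message does not say whether both are preserved now that the work happens per segment inside elf_load(). Please state that in the message, since a change there alters which interpreter images load. The removed code also chose VM_EXEC from `bss_prot`, the protection of the segment with the largest p_memsz end, so the message should say which protection the zero-filled range of each segment gets after this change. Separately, the two deleted assignments to `k` leave its declaration outside the visible hunks; confirm it still has a user in the loop or drop it to avoid an unused-variable warning.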