From patchwork Fri Jun 21 18:54:50 2024
X-Patchwork-Submitter: Alexey Dobriyan
X-Patchwork-Id: 13708007
Date: Fri, 21 Jun 2024 21:54:50 +0300
From: Alexey Dobriyan
To: Eric Biederman, Kees Cook
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org
Subject: [PATCH] ELF: fix kernel.randomize_va_space double read
Message-ID: <3329905c-7eb8-400a-8f0a-d87cff979b5b@p183>

ELF loader uses "randomize_va_space" twice. It is a sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences.

Issue exactly one load for a consistent value across one exec.

Signed-off-by: Alexey Dobriyan
---
 fs/binfmt_elf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1003,7 +1003,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1251,7 +1252,7 @@ static int load_elf_binary(struct linux_binprm *bprm) mm->end_data = end_data; mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF
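Review bot: in the first hunk (@@ -1003), the new `const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);` is declared between two statements of load_elf_binary() instead of with the function's other locals; kernel style conventionally keeps local declarations at the top of the function, and a tree still built with -Wdeclaration-after-statement will warn here. Moving the declaration up and keeping only the assignment at this point (`snapshot_randomize_va_space = READ_ONCE(randomize_va_space);`) avoids both, at the cost of the `const`. Two things are right as written and worth a sentence in the changelog: READ_ONCE() is what actually guarantees the single load (a plain `int x = randomize_va_space;` leaves the compiler free to re-read the global at the later use), and the declaration sits at function scope rather than inside the preceding single-statement `if`, which is what lets the second hunk, some 250 lines later, see it.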
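Review bot: in the second hunk (@@ -1251), the brk decision now tests `snapshot_randomize_va_space > 1` against the same value that decided PF_RANDOMIZE, which is the whole point of the change: before it, a sysctl write landing between the two loads could leave one exec with PF_RANDOMIZE set but the heap left unrandomized, a layout that matches no value the administrator ever configured. Since this use is far from the declaration, a one-line comment at this site saying why the local rather than the global is read would stop a later edit from quietly reintroducing a direct `randomize_va_space` read; the changelog could also state that these were the only two readers in load_elf_binary(), which the `2 deletions(-)` in the diffstat suggests but does not say.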
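The inconsistency the changelog describes, as an added example that is not part of the patch or of the kernel: a user-space model in which a sysctl write lands between the loader's two decisions, contrasting the pre-patch double read with the post-patch snapshot. The global, the `writer` hook, and the flag names PF_RANDOMIZE/BRK_RANDOMIZED are constructed stand-ins for the kernel's sysctl, task flag and brk decision.

```c
/* Constructed model of the double read in fs/binfmt_elf.c (added example,
 * not kernel code). The global stands in for the sysctl and `writer` runs
 * between the loader's two decisions, modelling a concurrent
 * "sysctl -w kernel.randomize_va_space=0". ADDR_NO_RANDOMIZE is omitted. */
static int randomize_va_space = 2;

#define PF_RANDOMIZE   0x1 /* mmap base and stack randomized */
#define BRK_RANDOMIZED 0x2 /* heap randomized too; needs sysctl > 1 */

/* Flags one exec must end up with for a single sysctl value. */
static unsigned policy_for(int value)
{
	return (value ? PF_RANDOMIZE : 0) | (value > 1 ? BRK_RANDOMIZED : 0);
}

/* Pre-patch: two loads, so a write landing in between splits one exec's decisions. */
static unsigned load_elf_double_read(void (*writer)(void))
{
	unsigned flags = 0;
	if (randomize_va_space)
		flags |= PF_RANDOMIZE;
	writer();
	if ((flags & PF_RANDOMIZE) && randomize_va_space > 1)
		flags |= BRK_RANDOMIZED;
	return flags;
}

/* Post-patch: one load (READ_ONCE() in the kernel); later decisions use the snapshot. */
static unsigned load_elf_snapshot(void (*writer)(void))
{
	const int snapshot = *(volatile int *)&randomize_va_space;
	unsigned flags = 0;
	if (snapshot)
		flags |= PF_RANDOMIZE;
	writer();
	if ((flags & PF_RANDOMIZE) && snapshot > 1)
		flags |= BRK_RANDOMIZED;
	return flags;
}

static void sysctl_write_zero(void) { randomize_va_space = 0; }

/* One exec that starts with the sysctl at 2 and sees it written to 0 mid-way. */
static unsigned run_exec(unsigned (*loader)(void (*)(void)))
{
	randomize_va_space = 2;
	return loader(sysctl_write_zero);
}
```

With the write from 2 to 0 landing between the reads, load_elf_double_read() returns PF_RANDOMIZE alone, the policy for value 1, which the sysctl never held; load_elf_snapshot() returns the policy for 2.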