From patchwork Sat Sep 28 23:32:24 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Geyslan G. Bem" X-Patchwork-Id: 2959461 Return-Path: X-Original-To: patchwork-v9fs-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id E6EC39F288 for ; Sat, 28 Sep 2013 23:37:23 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id F2A1D2024F for ; Sat, 28 Sep 2013 23:37:22 +0000 (UTC) Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id CC14120200 for ; Sat, 28 Sep 2013 23:37:21 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=sfs-ml-3.v29.ch3.sourceforge.com) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VQ44d-0005G5-Hz; Sat, 28 Sep 2013 23:37:19 +0000 Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VQ44c-0005Fp-95 for v9fs-developer@lists.sourceforge.net; Sat, 28 Sep 2013 23:37:18 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.216.54 as permitted sender) client-ip=209.85.216.54; envelope-from=geyslan@gmail.com; helo=mail-qa0-f54.google.com; Received: from mail-qa0-f54.google.com ([209.85.216.54]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1VQ44a-0001Oi-Ij for v9fs-developer@lists.sourceforge.net; Sat, 28 Sep 2013 23:37:18 +0000 Received: by mail-qa0-f54.google.com with SMTP id bv4so1419147qab.13 for ; Sat, 28 Sep 2013 16:37:11 -0700 (PDT) X-Received: by 10.224.171.196 with SMTP id i4mr4412285qaz.38.1380411431129; Sat, 28 Sep 2013 16:37:11 -0700 (PDT) Received: from localhost.localdomain (189-48-112-205.user.veloxzone.com.br. [189.48.112.205]) by mx.google.com with ESMTPSA id 5sm34534915qao.3.1969.12.31.16.00.00 (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 28 Sep 2013 16:37:10 -0700 (PDT) From: "Geyslan G. Bem" To: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net Date: Sat, 28 Sep 2013 20:32:24 -0300 Message-Id: <1380411144-9236-12-git-send-email-geyslan@gmail.com> X-Mailer: git-send-email 1.8.4 In-Reply-To: <1380411144-9236-1-git-send-email-geyslan@gmail.com> References: <1380411144-9236-1-git-send-email-geyslan@gmail.com> X-Spam-Score: -1.6 (-) X-Headers-End: 1VQ44a-0001Oi-Ij Cc: v9fs-developer@lists.sourceforge.net, "Geyslan G. Bem" , linux-kernel@vger.kernel.org Subject: [V9fs-developer] [PATCH v3 2/2] ia32_aout: x86_64: Add safe check in a.out loaders, printks, conding style fixes X-BeenThere: v9fs-developer@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: v9fs-developer-bounces@lists.sourceforge.net X-Spam-Status: No, score=-9.3 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM,RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP ia32_aout had no safe checks concerning the mmap and f_op in this module. It's not necessary to verify f_op in the load_aout_library, since the prior kernel_read/vfs_read function already does. Made coding style fixes and printks replacements. Tested using qemu, a handcrafted a.out binary and an a.out linked with a cross-compiled ld. Signed-off-by: Geyslan G. Bem --- arch/x86/ia32/ia32_aout.c | 63 +++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c index bae3aba..87d5114 100644 --- a/arch/x86/ia32/ia32_aout.c +++ b/arch/x86/ia32/ia32_aout.c @@ -24,9 +24,9 @@ #include #include #include -#include +#include +#include -#include #include #include #include @@ -224,9 +224,9 @@ static u32 __user *create_aout_tables(char __user *p, struct linux_binprm *bprm) int argc = bprm->argc, envc = bprm->envc; sp = (u32 __user *) ((-(unsigned long)sizeof(u32)) & (unsigned long) p); - sp -= envc+1; + sp -= envc + 1; envp = sp; - sp -= argc+1; + sp -= argc + 1; argv = sp; put_user((unsigned long) envp, --sp); put_user((unsigned long) argv, --sp); @@ -271,10 +271,17 @@ static int load_aout_binary(struct linux_binprm *bprm) N_MAGIC(ex) != QMAGIC && N_MAGIC(ex) != NMAGIC) || N_TRSIZE(ex) || N_DRSIZE(ex) || i_size_read(file_inode(bprm->file)) < - ex.a_text+ex.a_data+N_SYMSIZE(ex)+N_TXTOFF(ex)) { + ex.a_text + ex.a_data + N_SYMSIZE(ex) + N_TXTOFF(ex)) { return -ENOEXEC; } + /* + * Requires a mmap handler. This prevents people from using a.out + * as part of an exploit attack against /proc-related vulnerabilities. + */ + if (!bprm->file->f_op || !bprm->file->f_op->mmap) + return -ENOEXEC; + fd_offset = N_TXTOFF(ex); /* Check initial limits. This avoids letting people circumvent @@ -322,7 +329,7 @@ static int load_aout_binary(struct linux_binprm *bprm) unsigned long text_addr, map_size; text_addr = N_TXTADDR(ex); - map_size = ex.a_text+ex.a_data; + map_size = ex.a_text + ex.a_data; error = vm_brk(text_addr & PAGE_MASK, map_size); @@ -339,28 +346,19 @@ static int load_aout_binary(struct linux_binprm *bprm) } } else { #ifdef WARN_OLD - static unsigned long error_time, error_time2; if ((ex.a_text & 0xfff || ex.a_data & 0xfff) && - (N_MAGIC(ex) != NMAGIC) && - time_after(jiffies, error_time2 + 5*HZ)) { - printk(KERN_NOTICE "executable not page aligned\n"); - error_time2 = jiffies; - } + (N_MAGIC(ex) != NMAGIC)) + pr_notice_ratelimited("executable not page aligned\n"); - if ((fd_offset & ~PAGE_MASK) != 0 && - time_after(jiffies, error_time + 5*HZ)) { - printk(KERN_WARNING - "fd_offset is not page aligned. Please convert " - "program: %s\n", - bprm->file->f_path.dentry->d_name.name); - error_time = jiffies; - } + if ((fd_offset & ~PAGE_MASK) != 0) + pr_warn_ratelimited("fd_offset is not page aligned. Please convert program: %s\n", + bprm->file->f_path.dentry->d_name.name); #endif - if (!bprm->file->f_op->mmap || (fd_offset & ~PAGE_MASK) != 0) { - vm_brk(N_TXTADDR(ex), ex.a_text+ex.a_data); + if ((fd_offset & ~PAGE_MASK) != 0) { + vm_brk(N_TXTADDR(ex), ex.a_text + ex.a_data); read_code(bprm->file, N_TXTADDR(ex), fd_offset, - ex.a_text+ex.a_data); + ex.a_text + ex.a_data); goto beyond_if; } @@ -424,10 +422,17 @@ static int load_aout_library(struct file *file) if ((N_MAGIC(ex) != ZMAGIC && N_MAGIC(ex) != QMAGIC) || N_TRSIZE(ex) || N_DRSIZE(ex) || ((ex.a_entry & 0xfff) && N_MAGIC(ex) == ZMAGIC) || i_size_read(file_inode(file)) < - ex.a_text+ex.a_data+N_SYMSIZE(ex)+N_TXTOFF(ex)) { + ex.a_text + ex.a_data + N_SYMSIZE(ex) + N_TXTOFF(ex)) { goto out; } + /* + * Requires a mmap handler. This prevents people from using a.out + * as part of an exploit attack against /proc-related vulnerabilities. + */ + if (!file->f_op->mmap) + goto out; + if (N_FLAGS(ex)) goto out; @@ -438,14 +443,8 @@ static int load_aout_library(struct file *file) if ((N_TXTOFF(ex) & ~PAGE_MASK) != 0) { #ifdef WARN_OLD - static unsigned long error_time; - if (time_after(jiffies, error_time + 5*HZ)) { - printk(KERN_WARNING - "N_TXTOFF is not page aligned. Please convert " - "library: %s\n", - file->f_path.dentry->d_name.name); - error_time = jiffies; - } + pr_warn_ratelimited("N_TXTOFF is not page aligned. Please convert library: %s\n", + file->f_path.dentry->d_name.name); #endif vm_brk(start_addr, ex.a_text + ex.a_data + ex.a_bss);