a.out issue

a.out issue

[Florian Heinz]

Hi ppl,

there seems to be a bug related to a.out-binfmt.

try executing this binary:
perl -e'print"\x07\x01".("\x00"x13)."\xc0".("\x00"x16)'>eout
(it may be neccessary to turn memory overcommit on before)

This should result in a kernel-oops.
Doing this in a loop will eat fd's and memory.

seems like find_vma_prepare does not what insert_vm_struct expects when
the whole addresspace is occupied.

Re: a.out issue

[Ed Schouten]

[-- Attachment #1: Type: text/plain, Size: 573 bytes --]

Hello Florian,

On Thu 11 Nov 2004 11:09 PM, Florian Heinz wrote:
> try executing this binary:
> perl -e'print"\x07\x01".("\x00"x13)."\xc0".("\x00"x16)'>eout
> (it may be neccessary to turn memory overcommit on before)
> 
> This should result in a kernel-oops.
> Doing this in a loop will eat fd's and memory.

No oops over here:

Linux penguin 2.6.9 #1 SMP Wed Oct 20 16:11:52 CEST 2004 i686 AMD Athlon(tm) MP 2200+ AuthenticAMD GNU/Linux

Yours sincerely,
-- 
 Ed Schouten <ed@il.fontys.nl>
 Website: http://g-rave.nl/
 GPG key: finger ed@il.fontys.nl

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: a.out issue

[Ed Schouten]

[-- Attachment #1: Type: text/plain, Size: 298 bytes --]

On Thu 11 Nov 2004 11:09 PM, Florian Heinz wrote:
> (it may be neccessary to turn memory overcommit on before)

Hehe, second check:
You do need to turn memory overcommit on before ;)

Yours,
-- 
 Ed Schouten <ed@il.fontys.nl>
 Website: http://g-rave.nl/
 GPG key: finger ed@il.fontys.nl

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: a.out issue

[Chris Wright]

* Florian Heinz (heinz@cronon-ag.de) wrote:
> there seems to be a bug related to a.out-binfmt.
> 
> try executing this binary:
> perl -e'print"\x07\x01".("\x00"x13)."\xc0".("\x00"x16)'>eout
> (it may be neccessary to turn memory overcommit on before)
> 
> This should result in a kernel-oops.

No oops here.  What kernel version?  Can you post your oops?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

Re: a.out issue

[Ed Schouten]

[-- Attachment #1: Type: text/plain, Size: 338 bytes --]

On Thu 11 Nov 2004 02:32 PM, Chris Wright wrote:
> No oops here.  What kernel version?  Can you post your oops?

Just rebooted the box because it was dying slowly :D

Have you set:

sysctl -w vm.overcommit_memory=1

?

Yours,
-- 
 Ed Schouten <ed@il.fontys.nl>
 Website: http://g-rave.nl/
 GPG key: finger ed@il.fontys.nl

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: a.out issue

[Chris Wright]

* Ed Schouten (ed@il.fontys.nl) wrote:
> Have you set:
> 
> sysctl -w vm.overcommit_memory=1

I actually set it to 2, now with 1 it's Oopsing.  Thanks.
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

Re: a.out issue

[Kurt Wall]

On Thu, Nov 11, 2004 at 11:09:07PM +0100, Florian Heinz took 20 lines to write:
> Hi ppl,
> 
> there seems to be a bug related to a.out-binfmt.
> 
> try executing this binary:
> perl -e'print"\x07\x01".("\x00"x13)."\xc0".("\x00"x16)'>eout
> (it may be neccessary to turn memory overcommit on before)
> 
> This should result in a kernel-oops.
> Doing this in a loop will eat fd's and memory.
> 
> seems like find_vma_prepare does not what insert_vm_struct expects when
> the whole addresspace is occupied.

No oops over here, with overcommit set to 0, 1, or 2.
$ uname -a
Linux luther 2.6.9 #12 Sun Oct 31 07:43:57 EST 2004 i686 unknown unknown
GNU/Linux

Kurt
-- 
Keep Cool, but Don't Freeze
	- Hellman's Mayonnaise

Re: a.out issue

[Chris Wright]

* Florian Heinz (heinz@cronon-ag.de) wrote:
> seems like find_vma_prepare does not what insert_vm_struct expects when
> the whole addresspace is occupied.

The setup_arg_pages() is inserting an overlapping region.  If nothing
else, this will fix that problem.   Perhaps there's a better solution.

thanks,
-chris

===== fs/exec.c 1.143 vs edited =====
--- 1.143/fs/exec.c	2004-10-28 00:40:03 -07:00
+++ edited/fs/exec.c	2004-11-11 19:24:54 -08:00
@@ -413,6 +413,7 @@
 
 	down_write(&mm->mmap_sem);
 	{
+		struct vm_area_struct *vma;
 		mpnt->vm_mm = mm;
 #ifdef CONFIG_STACK_GROWSUP
 		mpnt->vm_start = stack_base;
@@ -433,6 +434,12 @@
 			mpnt->vm_flags = VM_STACK_FLAGS;
 		mpnt->vm_flags |= mm->def_flags;
 		mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7];
+		vma = find_vma(mm, mpnt->vm_start);
+		if (vma) {
+			up_write(&mm->mmap_sem);
+			kmem_cache_free(vm_area_cachep, mpnt);
+			return -ENOMEM;
+		}
 		insert_vm_struct(mm, mpnt);
 		mm->stack_vm = mm->total_vm = vma_pages(mpnt);
 	}

Re: a.out issue

[Kurt Wall]

On Thu, Nov 11, 2004 at 07:27:27PM -0800, Chris Wright took 39 lines to write:
> * Florian Heinz (heinz@cronon-ag.de) wrote:
> > seems like find_vma_prepare does not what insert_vm_struct expects when
> > the whole addresspace is occupied.
> 
> The setup_arg_pages() is inserting an overlapping region.  If nothing
> else, this will fix that problem.   Perhaps there's a better solution.

It solves the oops here (I didn't get the oops at first because I didn't
have CONFIG_BINFMT_AOUT set). Sort of. Now I just get "Killed" with
vm.overcommit_memory set to 1; with it set to 0 I get a seg fault.

Kurt
-- 
Let He who taketh the Plunge Remember to return it by Tuesday.

Re: a.out issue

[Chris Wright]

* Kurt Wall (kwall@kurtwerks.com) wrote:
> On Thu, Nov 11, 2004 at 07:27:27PM -0800, Chris Wright took 39 lines to write:
> > * Florian Heinz (heinz@cronon-ag.de) wrote:
> > > seems like find_vma_prepare does not what insert_vm_struct expects when
> > > the whole addresspace is occupied.
> > 
> > The setup_arg_pages() is inserting an overlapping region.  If nothing
> > else, this will fix that problem.   Perhaps there's a better solution.
> 
> It solves the oops here (I didn't get the oops at first because I didn't
> have CONFIG_BINFMT_AOUT set).

Heh, you're better off with it config'd off ;-)

> Sort of. Now I just get "Killed" with
> vm.overcommit_memory set to 1; with it set to 0 I get a seg fault.

Yeah, it should generate a SIGKILL and terminate the program.  Thanks for
testing.  The patch below should fixup that segfault as well.

-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net


===== fs/binfmt_aout.c 1.25 vs edited =====
--- 1.25/fs/binfmt_aout.c	2004-10-18 22:26:36 -07:00
+++ edited/fs/binfmt_aout.c	2004-11-11 22:28:58 -08:00
@@ -43,13 +43,18 @@
 	.min_coredump	= PAGE_SIZE
 };
 
-static void set_brk(unsigned long start, unsigned long end)
+#define BAD_ADDR(x)	((unsigned long)(x) >= TASK_SIZE)
+
+static int set_brk(unsigned long start, unsigned long end)
 {
 	start = PAGE_ALIGN(start);
 	end = PAGE_ALIGN(end);
-	if (end <= start)
-		return;
-	do_brk(start, end - start);
+	if (end > start) {
+		unsigned long addr = do_brk(start, end - start);
+		if (BAD_ADDR(addr))
+			return addr;
+	}
+	return 0;
 }
 
 /*
@@ -413,7 +418,11 @@
 beyond_if:
 	set_binfmt(&aout_format);
 
-	set_brk(current->mm->start_brk, current->mm->brk);
+	retval = set_brk(current->mm->start_brk, current->mm->brk);
+	if (retval < 0) {
+		send_sig(SIGKILL, current, 0);
+		return retval;
+	}
 
 	retval = setup_arg_pages(bprm, EXSTACK_DEFAULT);
 	if (retval < 0) {