Re: Question about binfmt_elf.c

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Andrew Morton <akpm@linux-foundation.org>
To: Rob Landley <rob@landley.net>
Cc: linux-kernel@vger.kernel.org, Jakub Jelinek <jakub@redhat.com>,
	Roland McGrath <roland@redhat.com>
Subject: Re: Question about binfmt_elf.c
Date: Wed, 21 Jul 2010 16:30:59 -0700	[thread overview]
Message-ID: <20100721163059.ffc5e70d.akpm@linux-foundation.org> (raw)
In-Reply-To: <201007161512.40388.rob@landley.net>

On Fri, 16 Jul 2010 15:12:39 -0500
Rob Landley <rob@landley.net> wrote:

> Could somebody please update this comment to explain why fiddling with 
> strangely protected bss is _not_ an easy way to leak arbitrary amounts of 
> uninitalized kernel memory (with whatever previous contents they have) to 
> userspace?
> 
>     nbyte = ELF_PAGEOFFSET(elf_bss);
>     if (nbyte) {
>             nbyte = ELF_MIN_ALIGN - nbyte;
>             if (nbyte > elf_brk - elf_bss)
>                         nbyte = elf_brk - elf_bss;
>             if (clear_user((void __user *)elf_bss +
>                                     load_bias, nbyte)) {
>                     /*
>                      * This bss-zeroing can fail if the ELF
>                      * file specifies odd protections. So
>                      * we don't check the return value
>                       */
>             }
>     }
> 
> Just curious.  Reading through the code and trying to understand it...
> 

In January 2005 davem added a check.  In Feb 2005 Pavel said "hey, my
Kylix application broke".  So we took the check out again.

http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg60120.html
http://www.mail-archive.com/bk-commits-head@vger.kernel.org/msg01390.html

I don't kow how one would craft such an elf file.  I don't _think_ it
could leak unintialised memory, as we probably haven't faulted the page
in yet.  Perhaps a partial page could be exposed though.

Roland, Jakub: help!

next prev parent reply	other threads:[~2010-07-21 23:31 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-07-16 20:12 Question about binfmt_elf.c Rob Landley
2010-07-21 23:30 ` Andrew Morton [this message]
2010-07-22  1:38   ` Roland McGrath

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100721163059.ffc5e70d.akpm@linux-foundation.org \
    --to=akpm@linux-foundation.org \
    --cc=jakub@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rob@landley.net \
    --cc=roland@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.