From: Andrew Morton <akpm00@gmail.com>
To: Josh Boyer <jwboyer@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>, Jiri Kosina <jkosina@suse.cz>,
hongjiu.lu@intel.com, linux-kernel@vger.kernel.org,
Nicolas Pitre <nico@fluxnic.net>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
Andrew Morton <akpm@linux-foundation.org>,
Russell King <rmk@arm.linux.org.uk>
Subject: Re: [RFC PATCH] binfmt_elf: Fix PIE execution with randomization disabled
Date: Thu, 29 Sep 2011 14:19:29 -0700
Message-ID: <20110929141929.43df799d.akpm00@gmail.com>
In-Reply-To: <20110929195359.GJ16720@zod.bos.redhat.com>
On Thu, 29 Sep 2011 15:53:59 -0400
Josh Boyer <jwboyer@redhat.com> wrote:
> We've had a bug report[1] of some PIE programs getting a SIGKILL upon exec
> if you disable address randomization with:
>
> echo 0 > /proc/sys/kernel/randomize_va_space
>
> I tracked this down to get_unmapped_area_prot returning -ENOMEM because
> the address being passed in is larger than TASK_SIZE - len for the bss
> section of the test executable. That filters back to set_brk returning
> an error to load_elf_binary and the SIGKILL being sent around line 872
> of binfmt_elf.c.
>
> H.J. submitted an upstream bug report [2] as well, but got no feedback
> and we can't view it with kernel.org being down anyway. He came up with
> the patch below as well, which is what I'm sending on for comments. The
> changelog is my addition, so if that is wrong yell at me.
>
> I wanted to get some more eyes on this, because the current code sets
> load_bias to 0 unconditionally on CONFIG_X86 or CONFIG_ARM. I have no
> idea why that is. The original execshield patches had an #ifdef on
> __i386__ but the patch that was committed to add PIE support has the
> CONFIG_X86 setting.
>
It appears that Nicolas understood what's going on in there when he
wrote e4eab08d6050ad0 ("ARM: 6342/1: fix ASLR of PIE executables").
Alas, that patch's changelog is rather useless.
Help?
Also, please: review and test?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=708563
> [2] http://bugzilla.kernel.org/show_bug.cgi?id=36372
>
> josh
>
> ---
>
> From: H.J. Lu <hongjiu.lu@intel.com>
>
> Set the load_bias for PIE executables to a non-zero address if no virtual
> address is specified. This prevents us from running out of room for all
> the various loadable segments when ASLR is disabled.
>
> Signed-off-by: H.J. Lu <hongjiu.lu@intel.com>
> Signed-off-by: Josh Boyer <jwboyer@redhat.com>
>
> ---
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 303983f..069ee29 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -794,9 +794,14 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
> /* Try and get dynamic programs out of the way of the
> * default mmap base, as well as whatever program they
> * might try to exec. This is because the brk will
> - * follow the loader, and is not movable. */
> + * follow the loader, and is not movable. Don't use
> + * 0 load address since we may not have room for
> + * all loadable segements. */
> #if defined(CONFIG_X86) || defined(CONFIG_ARM)
> - load_bias = 0;
> + if (vaddr)
> + load_bias = 0;
> + else
> + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE);
> #else
> load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
> #endif
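Review bot: the `+ if (vaddr)` / `+ load_bias = 0;` branch keeps the unconditional-zero behaviour for any PIE whose first PT_LOAD has a non-zero p_vaddr, but neither the new comment nor the changelog says why that case is safe from the same out-of-room failure, and for vaddr == 0 the new value `ELF_PAGESTART(ELF_ET_DYN_BASE)` is exactly what the `#else` branch `load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);` already computes, so after this change the CONFIG_X86/CONFIG_ARM special case differs from the generic path only when vaddr != 0. Either state in the comment why those architectures need a zero bias for a non-zero vaddr (the cover letter admits the reason is unknown) or drop the #if and use the generic expression. Also, "segements" in the new comment text should read "segments".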
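A user-space model of the load_bias decision and of the TASK_SIZE check that the thread above describes, added here as an example; it is not part of the patch, of fs/binfmt_elf.c, or of anything the posters wrote. It assumes x86_64 values (TASK_SIZE = 0x7ffffffff000, ELF_ET_DYN_BASE = TASK_SIZE/3*2, a 128 MiB stack gap with randomisation off), assumes that a zero mmap hint is satisfied by the top-down allocator just below mmap_base, and builds its ELF image in memory rather than reading a real binary. It goes a little beyond the page by running all three load_bias rules (old X86/ARM, patched, generic) against both a zero and a non-zero first p_vaddr.

```c
/* Added example (not kernel code): a user-space model of the load_bias choice
 * in load_elf_binary() and of the TASK_SIZE check in get_unmapped_area() that
 * makes set_brk() fail for a PIE with a large bss. */
#include <elf.h>
#include <string.h>

#define ELF_PAGE_SIZE     4096UL
#define ELF_PAGESTART(x)  ((x) & ~(ELF_PAGE_SIZE - 1))
#define ELF_PAGEALIGN(x)  (((x) + ELF_PAGE_SIZE - 1) & ~(ELF_PAGE_SIZE - 1))
/* Assumed x86_64 values; ASSUMED_MMAP_BASE is a 128 MiB stack gap, no mmap_rnd. */
#define TASK_SIZE          0x7ffffffff000UL
#define ELF_ET_DYN_BASE    (TASK_SIZE / 3 * 2)
#define ASSUMED_MMAP_BASE  (TASK_SIZE - 0x8000000UL)

enum bias_policy {
    BIAS_ZERO,     /* old CONFIG_X86/CONFIG_ARM branch: load_bias = 0 */
    BIAS_PATCHED,  /* the patch: 0 if vaddr != 0, else ELF_PAGESTART(ELF_ET_DYN_BASE) */
    BIAS_GENERIC   /* other arches: ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr) */
};

unsigned long load_bias_for(enum bias_policy p, unsigned long vaddr)
{
    switch (p) {
    case BIAS_ZERO:    return 0;
    case BIAS_PATCHED: return vaddr ? 0 : ELF_PAGESTART(ELF_ET_DYN_BASE);
    default:           return ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
    }
}

/* first PT_LOAD's vaddr/memsz; elf_bss = max vaddr+filesz; elf_brk = max vaddr+memsz */
struct pt_load_span { unsigned long first_vaddr, first_memsz, elf_bss, elf_brk; };

/* Walk the program headers of an in-memory ELF64 ET_DYN image; 0 on success. */
int scan_pt_load(const unsigned char *image, size_t len, struct pt_load_span *out)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)image;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_type != ET_DYN || eh->e_phentsize != sizeof(Elf64_Phdr) ||
        eh->e_phoff > len || eh->e_phnum > (len - eh->e_phoff) / sizeof(Elf64_Phdr))
        return -1;
    const Elf64_Phdr *ph = (const Elf64_Phdr *)(image + eh->e_phoff);
    int seen = 0;
    memset(out, 0, sizeof *out);
    for (unsigned i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type != PT_LOAD)
            continue;
        if (!seen++) {
            out->first_vaddr = ph[i].p_vaddr;
            out->first_memsz = ph[i].p_memsz;
        }
        if (ph[i].p_vaddr + ph[i].p_filesz > out->elf_bss)
            out->elf_bss = ph[i].p_vaddr + ph[i].p_filesz;
        if (ph[i].p_vaddr + ph[i].p_memsz > out->elf_brk)
            out->elf_brk = ph[i].p_vaddr + ph[i].p_memsz;
    }
    return seen ? 0 : -1;
}

/* 1 if set_brk() would succeed under policy p; *bias_out receives load_bias after
 * the kernel's "load_bias += error - ELF_PAGESTART(load_bias + vaddr)" fixup. */
int exec_would_succeed(const unsigned char *image, size_t len,
                       enum bias_policy p, unsigned long *bias_out)
{
    struct pt_load_span s;
    if (scan_pt_load(image, len, &s) != 0)
        return 0;
    unsigned long bias = load_bias_for(p, s.first_vaddr);
    unsigned long hint = bias + s.first_vaddr;
    /* ET_DYN segments are mapped without MAP_FIXED: a zero hint lets the kernel choose,
     * modelled as the top-down allocator placing the segment just below mmap_base
     * (assumption); a non-zero hint is assumed to be free. */
    unsigned long mapped = hint ? hint : ASSUMED_MMAP_BASE - ELF_PAGEALIGN(s.first_memsz);
    bias += mapped - ELF_PAGESTART(hint);
    if (bias_out) *bias_out = bias;
    unsigned long start = ELF_PAGEALIGN(s.elf_bss + bias);
    unsigned long end = ELF_PAGEALIGN(s.elf_brk + bias);
    /* do_brk() -> get_unmapped_area(): -ENOMEM when addr > TASK_SIZE - len */
    return start <= TASK_SIZE - (end - start);
}

/* Constructed sample, not a real binary: a 4 KiB text segment at first_vaddr and a
 * data segment 2 MiB above it whose bss is 512 MiB. */
size_t build_sample_pie(unsigned char *buf, size_t cap, unsigned long first_vaddr)
{
    Elf64_Ehdr eh = { .e_type = ET_DYN, .e_machine = EM_X86_64, .e_phoff = sizeof(Elf64_Ehdr),
                      .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 2 };
    Elf64_Phdr ph[2] = {
        { .p_type = PT_LOAD, .p_vaddr = first_vaddr, .p_filesz = 0x1000, .p_memsz = 0x1000 },
        { .p_type = PT_LOAD, .p_offset = 0x1000, .p_vaddr = first_vaddr + 0x201000,
          .p_filesz = 0x1000, .p_memsz = 0x20000000 },
    };
    if (cap < sizeof eh + sizeof ph)
        return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Run the model on the sample; bias_out may be NULL. */
int sample_exec_succeeds(enum bias_policy p, unsigned long first_vaddr, unsigned long *bias_out)
{
    unsigned char img[256];
    size_t n = build_sample_pie(img, sizeof img, first_vaddr);
    return n ? exec_would_succeed(img, n, p, bias_out) : 0;
}
```

With the assumed layout, the old zero bias lets the 4 KiB text segment land just below mmap_base, so the 512 MiB bss that follows it runs past TASK_SIZE and the modelled set_brk() fails, which is the SIGKILL path in the bug report; the patched and generic rules both start the image at ELF_PAGESTART(ELF_ET_DYN_BASE) (0x555555554000 here) and the brk fits. With a non-zero first p_vaddr the patched rule falls back to a zero bias, but the hint is then honoured and the image is low enough that the brk fits anyway.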