From: Kees Cook <keescook@chromium.org>
To: Chen Jingwen <chenjingwen6@huawei.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Michal Hocko <mhocko@suse.com>, Andrei Vagin <avagin@openvz.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
Date: Mon, 4 Oct 2021 13:00:07 -0700
Message-ID: <202110041255.83A6616D9@keescook>
In-Reply-To: <20210928125657.153293-1-chenjingwen6@huawei.com>
On Tue, Sep 28, 2021 at 08:56:57PM +0800, Chen Jingwen wrote:
> In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings")
> we still leave MAP_FIXED_NOREPLACE in place for load_elf_interp.
> Unfortunately, this will cause the kernel to fail to start with
>
> [ 2.384321] 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
> [ 2.386240] Failed to execute /init (error -17)
>
I guess you mean "init" fails to start (but yes, same result).
> The reason is that the elf interpreter (ld.so) has overlapping segments.
Ewww. What toolchain generated this (and what caused it to just start
happening)? (This was added in v4.17; it's been 3 years.)
>
> readelf -l ld-2.31.so
> Program Headers:
> Type Offset VirtAddr PhysAddr
> FileSiz MemSiz Flags Align
> LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
> 0x000000000002c94c 0x000000000002c94c R E 0x10000
> LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
> 0x00000000000021e8 0x0000000000002320 RW 0x10000
> LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
> 0x00000000000011ac 0x0000000000001328 RW 0x10000
>
> The reason for this problem is the same as described in
> commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
> Not only executable binaries but also elf interpreters (e.g. ld.so) can have
> overlapping elf segments, so we had better drop MAP_FIXED_NOREPLACE and go
> back to MAP_FIXED in load_elf_interp.
We could also just expand the logic that fixed[1] this for ELF, yes?
Andrew, are you able to pick up [1], BTW? It seems to have fallen
through the cracks.
[1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u
>
> Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
> Cc: <stable@vger.kernel.org> # v4.19
> Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
> ---
> fs/binfmt_elf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 69d900a8473d..a813b70f594e 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -630,7 +630,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
>
> vaddr = eppnt->p_vaddr;
> if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
> - elf_type |= MAP_FIXED_NOREPLACE;
> + elf_type |= MAP_FIXED;
> else if (no_base && interp_elf_ex->e_type == ET_DYN)
> load_addr = -vaddr;
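Review bot: the condition guarding the changed line covers two distinct cases, an ET_EXEC interpreter and every segment mapped once load_addr_set is true, and the change switches both to MAP_FIXED, which silently unmaps whatever already sits at vaddr instead of failing with the -EEXIST (error -17) quoted in the commit message. Only the load_addr_set case is explained by the overlapping-segment reasoning, so consider keeping MAP_FIXED_NOREPLACE for the first mapping and falling back to MAP_FIXED only for later segments, in the spirit of ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments") which the commit message cites, and add a one-line comment at this site stating why replacing an existing mapping is acceptable, since the bare flag change leaves future readers to rediscover this thread.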
--
Kees Cook
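Added example (my own, not code from this thread or from fs/binfmt_elf.c): it models the page-granular rounding that elf_map() applies to each PT_LOAD entry over the ld-2.31.so program headers quoted in the commit message and reports the segment pairs whose mappings collide, which is exactly where a MAP_FIXED_NOREPLACE mapping returns -EEXIST. The 4 KiB page size, the rounding formula and the decision to ignore the p_memsz bss tail are assumptions of this model.

```python
PAGE_SIZE = 0x1000  # assumed 4 KiB pages (ELF_MIN_ALIGN == PAGE_SIZE on common configs)

# PT_LOAD entries copied from the readelf output in the commit message:
# (p_offset, p_vaddr, p_filesz, p_memsz)
LD_SO_SEGMENTS = [
    (0x0, 0x0, 0x2c94c, 0x2c94c),
    (0x2dae0, 0x3dae0, 0x21e8, 0x2320),
    (0x2fe00, 0x3fe00, 0x11ac, 0x1328),
]


def page_start(addr, page):
    return addr & ~(page - 1)


def page_align(addr, page):
    return (addr + page - 1) & ~(page - 1)


def mapped_range(seg, page=PAGE_SIZE):
    """Page-granular [start, end) that elf_map() hands to vm_mmap() for one segment.

    Modelled (assumption) as: addr = ELF_PAGESTART(vaddr),
    size = ELF_PAGEALIGN(filesz + ELF_PAGEOFFSET(vaddr)).
    The bss tail (p_memsz > p_filesz) is set up separately and is ignored here.
    """
    _, vaddr, filesz, _ = seg
    start = page_start(vaddr, page)
    size = page_align(filesz + (vaddr - start), page)
    return start, start + size


def find_overlaps(segments, page=PAGE_SIZE):
    """Return (i, j, lo, hi) for every pair i < j of PT_LOAD segments whose
    page-rounded mappings intersect on [lo, hi).

    Mapping segment j with MAP_FIXED_NOREPLACE after segment i fails with
    -EEXIST exactly when such a pair exists; MAP_FIXED instead replaces the
    already-mapped pages silently.
    """
    ranges = [mapped_range(s, page) for s in segments]
    hits = []
    for j in range(len(ranges)):
        for i in range(j):
            lo = max(ranges[i][0], ranges[j][0])
            hi = min(ranges[i][1], ranges[j][1])
            if lo < hi:
                hits.append((i, j, lo, hi))
    return hits


if __name__ == "__main__":
    for i, j, lo, hi in find_overlaps(LD_SO_SEGMENTS):
        print(f"LOAD[{j}] overlaps LOAD[{i}] on [{lo:#x}, {hi:#x}): "
              "MAP_FIXED_NOREPLACE would return -EEXIST here")
```

Passing page=0x10000 shows that the 64 KiB p_align of these headers does not remove the collision either; the second and third LOAD entries still share a page.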
Thread overview: 6+ messages
2021-09-28 12:56 [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings Chen Jingwen
2021-09-28 22:21 ` Andrew Morton
2021-10-04 20:00 ` Kees Cook [this message]
2021-10-05 23:12 ` Andrew Morton
2021-10-05 23:27 ` Kees Cook
2021-10-18 6:51 ` ChenJingwen