From: Kees Cook <keescook@chromium.org>
To: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Kees Cook <keescook@chromium.org>, Rich Felker <dalias@libc.org>,
Fangrui Song <maskray@google.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Eric Biederman <ebiederm@xmission.com>,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] binfmt_elf: Allow .bss in any interp PT_LOAD
Date: Thu, 10 Nov 2022 21:57:54 -0800
Message-ID: <20221111055747.never.202-kees@kernel.org>
Traditionally, only the final PT_LOAD for load_elf_interp() supported
having p_memsz > p_filesz. Recently, lld's construction of musl's
libc.so on PowerPC64 started having two PT_LOAD program headers with
p_memsz > p_filesz.
As the least invasive change possible, check for p_memsz > p_filesz for
each PT_LOAD in load_elf_interp.
Reported-by: Rich Felker <dalias@libc.org>
Link: https://maskray.me/blog/2022-11-05-lld-musl-powerpc64
Cc: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Fangrui Song <maskray@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Rich, Pedro, and Fangrui, are you able to test this change? I haven't
constructed a trivial reproducer yet (though it would be nice to have
a self-contained test-case).
---
fs/binfmt_elf.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 528e2ac8931f..3f07945ff085 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -673,18 +673,19 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
last_bss = k;
bss_prot = elf_prot;
}
+
+ /*
+ * Now fill out any zeroed region (e.g. .bss): first pad the
+ * last page from the file up to the page boundary, and zero
+ * it from elf_bss up to the end of the page.
+ */
+ if (last_bss > elf_bss && padzero(elf_bss)) {
+ error = -EFAULT;
+ goto out;
+ }
}
}
- /*
- * Now fill out the bss section: first pad the last page from
- * the file up to the page boundary, and zero it from elf_bss
- * up to the end of the page.
- */
- if (padzero(elf_bss)) {
- error = -EFAULT;
- goto out;
- }
/*
* Next, align both the file and mem bss up to the page size,
* since this is where elf_bss was just zeroed up to, and where
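Review bot: the new test `if (last_bss > elf_bss && padzero(elf_bss))` compares the running maxima kept across all PT_LOADs seen so far rather than the current segment's own p_memsz and p_filesz, which is what the commit message says is being checked; the two agree only when PT_LOAD entries are in ascending p_vaddr order (the ELF spec requires that ordering and the loader already depends on it). The same applies to its placement inside the `if (k > last_bss)` block just above `last_bss = k;`: a later segment whose in-memory end does not raise last_bss is never padded even if it has its own zeroed region. Either test `eppnt->p_memsz > eppnt->p_filesz` directly, or state in the new comment that the running maxima are relied on deliberately and why that is sufficient.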
--
2.34.1
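As an added illustration, not code from this patch or from the kernel tree, the following Python script mirrors the elf_bss/last_bss bookkeeping of load_elf_interp() on a constructed ELF64 program header table with two PT_LOAD segments that have p_memsz > p_filesz, the layout the commit message describes. It shows which page tails the single post-loop padzero() call would leave unzeroed and which the per-segment call in this patch covers. The 4 KiB page size, the segment layout and all helper names are the script's own assumptions.

```python
import struct

PT_LOAD = 1
PAGE_SIZE = 4096  # assumption: 4 KiB pages for the simulation

ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # little-endian ELF64 file header (64 bytes)
ELF64_PHDR = "<IIQQQQQQ"          # little-endian ELF64 program header (56 bytes)


def build_elf64(phdrs):
    """Construct a minimal ELF64 image: file header plus a program header table.
    Only the fields this demo reads back are meaningful."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, v1
    ehdr = struct.pack(ELF64_EHDR, e_ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)          # ET_DYN, EM_X86_64
    table = b"".join(
        struct.pack(ELF64_PHDR, p["p_type"], 5, p["p_offset"], p["p_vaddr"],
                    p["p_vaddr"], p["p_filesz"], p["p_memsz"], PAGE_SIZE)
        for p in phdrs)
    return ehdr + table


def parse_phdrs(data):
    """Read the program header table back out of an ELF64 image."""
    fields = struct.unpack_from(ELF64_EHDR, data, 0)
    if fields[0][:4] != b"\x7fELF" or fields[0][4] != 2:
        raise ValueError("not an ELF64 image")
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    out = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(ELF64_PHDR, data, e_phoff + i * e_phentsize)
        out.append(dict(p_type=p_type, p_offset=p_offset, p_vaddr=p_vaddr,
                        p_filesz=p_filesz, p_memsz=p_memsz))
    return out


def loads_with_bss(phdrs):
    """Indices of PT_LOAD segments whose in-memory size exceeds their file size."""
    return [i for i, p in enumerate(phdrs)
            if p["p_type"] == PT_LOAD and p["p_memsz"] > p["p_filesz"]]


def simulate_padzero(phdrs, load_addr=0):
    """Mirror the running-max bookkeeping of load_elf_interp(): elf_bss is the
    highest end of file-backed bytes seen so far, last_bss the highest end of
    in-memory bytes. Return the addresses padzero() is asked to zero from under
    the pre-patch code (one call after the loop) and under the patched code
    (a call inside the loop whenever last_bss > elf_bss)."""
    elf_bss = last_bss = 0
    new_calls = []
    for p in phdrs:
        if p["p_type"] != PT_LOAD:
            continue
        k = load_addr + p["p_vaddr"] + p["p_filesz"]
        if k > elf_bss:
            elf_bss = k
        k = load_addr + p["p_vaddr"] + p["p_memsz"]
        if k > last_bss:
            last_bss = k
            if last_bss > elf_bss:      # the condition this patch adds
                new_calls.append(elf_bss)
    old_calls = [elf_bss]               # unconditional padzero(elf_bss) after the loop
    return old_calls, new_calls


def unzeroed_tails(phdrs, load_addr=0):
    """Page tails (end of file bytes up to the page boundary) that need zeroing
    but that the pre-patch code never passed to padzero()."""
    old_calls, new_calls = simulate_padzero(phdrs, load_addr)
    return [a for a in new_calls if a not in old_calls and a % PAGE_SIZE != 0]


# Constructed sample layout (not taken from a real libc.so): two PT_LOADs with .bss.
SAMPLE_PHDRS = [
    dict(p_type=PT_LOAD, p_offset=0x0000, p_vaddr=0x0000, p_filesz=0x1000, p_memsz=0x1000),
    dict(p_type=PT_LOAD, p_offset=0x1000, p_vaddr=0x1000, p_filesz=0x0800, p_memsz=0x2000),
    dict(p_type=PT_LOAD, p_offset=0x2000, p_vaddr=0x3000, p_filesz=0x0400, p_memsz=0x1800),
]

if __name__ == "__main__":
    phdrs = parse_phdrs(build_elf64(SAMPLE_PHDRS))
    print("PT_LOADs with p_memsz > p_filesz:", loads_with_bss(phdrs))
    old, new = simulate_padzero(phdrs)
    print("pre-patch padzero() from:", [hex(a) for a in old])
    print("patched   padzero() from:", [hex(a) for a in new])
    print("tails left unzeroed pre-patch:", [hex(a) for a in unzeroed_tails(phdrs)])
```

For the sample the pre-patch code zeroes only from 0x3400 (the final elf_bss), while the patched loop also zeroes from 0x1800, the tail of the second segment's last file-backed page; that tail would otherwise keep whatever file bytes the mapping brought in. The simulation runs the same running-max comparisons the kernel loop does, so it also shows that the result depends on PT_LOADs being listed in ascending p_vaddr order.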