From: Kees Cook <keescook@chromium.org>
To: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Kees Cook <keescook@chromium.org>, Rich Felker <dalias@libc.org>,
Fangrui Song <maskray@google.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Eric Biederman <ebiederm@xmission.com>,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2] binfmt_elf: Allow .bss in any interp PT_LOAD
Date: Thu, 10 Nov 2022 22:13:20 -0800 [thread overview]
Message-ID: <20221111061315.gonna.703-kees@kernel.org> (raw)
Traditionally, only the final PT_LOAD for load_elf_interp() supported
having p_memsz > p_filesz. Recently, lld's construction of musl's
libc.so on PowerPC64 started having two PT_LOAD program headers with
p_memsz > p_filesz.
As the least invasive change possible, check for p_memsz > p_filesz for
each PT_LOAD in load_elf_interp.
Reported-by: Rich Felker <dalias@libc.org>
Link: https://maskray.me/blog/2022-11-05-lld-musl-powerpc64
Cc: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Fangrui Song <maskray@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v2: I realized we need to retain the final padding call.
v1: https://lore.kernel.org/linux-hardening/20221111055747.never.202-kees@kernel.org/
---
fs/binfmt_elf.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 528e2ac8931f..0a24bbbef1d6 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -673,15 +673,25 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
last_bss = k;
bss_prot = elf_prot;
}
+
+ /*
+ * Clear any p_memsz > p_filesz area up to the end
+ * of the page to wipe anything left over from the
+ * loaded file contents.
+ */
+ if (last_bss > elf_bss && padzero(elf_bss))
+ error = -EFAULT;
+ goto out;
+ }
}
}
/*
- * Now fill out the bss section: first pad the last page from
- * the file up to the page boundary, and zero it from elf_bss
- * up to the end of the page.
+ * Finally, pad the last page from the file up to the page boundary,
+ * and zero it from elf_bss up to the end of the page, if this did
+ * not already happen with the last PT_LOAD.
*/
- if (padzero(elf_bss)) {
+ if (last_bss == elf_bss && padzero(elf_bss)) {
error = -EFAULT;
goto out;
}
--
2.34.1
next reply other threads:[~2022-11-11 6:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-11 6:13 Kees Cook [this message]
2022-11-11 7:42 ` [PATCH v2] binfmt_elf: Allow .bss in any interp PT_LOAD Fangrui Song
2022-11-11 20:13 ` Kees Cook
2022-11-11 20:27 ` Fangrui Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221111061315.gonna.703-kees@kernel.org \
--to=keescook@chromium.org \
--cc=dalias@libc.org \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maskray@google.com \
--cc=pedro.falcato@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.