[PATCH] VFS: fix passing of AT_PHDR value in auxv to ELF interpreter

[Quentin Godfroy <godfroy@clipper.ens.fr>]

On a dynamic ELF executable, the current kernel loader gives to the
interpreter (in the AUXV vector) the AT_PHDR argument as :
offset_of_phdr_in_file + first address.

It can be wrong for an executable where the program headers are not located 
in the first loaded segment.

An example of such a binary on x86 can be found on

http://www.eleves.ens.fr/~godfroy/sample_code_32

The following patch corrects the behaviour. It applies cleanly on 2.6.26.2
(probably 2.6.26.3 too), and was tested on debian x86_64 (both ELF32 and
ELF64) as well as on x86. Normal executables, static and PIE continue to
work.

Signed-off-by: Quentin Godfroy <godfroy@clipper.ens.fr>
---
diff -ruNp linux-2.6.26.2/fs/binfmt_elf.c linux-2.6.26.2-patch/fs/binfmt_elf.c
--- linux-2.6.26.2/fs/binfmt_elf.c	2008-08-06 18:19:01.000000000 +0200
+++ linux-2.6.26.2-patch/fs/binfmt_elf.c	2008-08-09 02:39:03.033179733 +0200
@@ -133,7 +133,7 @@ static int padzero(unsigned long elf_bss
 
 static int
 create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
-		unsigned long load_addr, unsigned long interp_load_addr)
+		unsigned long phdr_addr, unsigned long interp_load_addr)
 {
 	unsigned long p = bprm->p;
 	int argc = bprm->argc;
@@ -193,7 +193,7 @@ create_elf_tables(struct linux_binprm *b
 	NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
 	NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
 	NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
-	NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);
+	NEW_AUX_ENT(AT_PHDR, phdr_addr);
 	NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
 	NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
 	NEW_AUX_ENT(AT_BASE, interp_load_addr);
@@ -529,7 +529,7 @@ static unsigned long randomize_stack_top
 static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
 {
 	struct file *interpreter = NULL; /* to shut gcc up */
- 	unsigned long load_addr = 0, load_bias = 0;
+ 	unsigned long load_addr = 0, load_bias = 0, phdr_addr = 0;
 	int load_addr_set = 0;
 	char * elf_interpreter = NULL;
 	unsigned long error;
@@ -685,14 +685,19 @@ static int load_elf_binary(struct linux_
 	}
 
 	elf_ppnt = elf_phdata;
-	for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++)
+	for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
+		if (elf_ppnt->p_type == PT_PHDR) {
+			phdr_addr = elf_ppnt->p_vaddr;
+			continue;
+		}
 		if (elf_ppnt->p_type == PT_GNU_STACK) {
 			if (elf_ppnt->p_flags & PF_X)
 				executable_stack = EXSTACK_ENABLE_X;
 			else
 				executable_stack = EXSTACK_DISABLE_X;
-			break;
+			continue;
 		}
+	}
 
 	/* Some simple consistency checks for the interpreter */
 	if (elf_interpreter) {
@@ -861,6 +866,10 @@ static int load_elf_binary(struct linux_
 	end_code += load_bias;
 	start_data += load_bias;
 	end_data += load_bias;
+	if (phdr_addr)
+		phdr_addr += load_bias;
+	else
+		phdr_addr = load_addr + loc->elf_ex.e_phoff;
 
 	/* Calling set_brk effectively mmaps the pages that we need
 	 * for the bss and break sections.  We must do this before
@@ -930,7 +939,7 @@ static int load_elf_binary(struct linux_
 	compute_creds(bprm);
 	current->flags &= ~PF_FORKNOEXEC;
 	retval = create_elf_tables(bprm, &loc->elf_ex,
-			  load_addr, interp_load_addr);
+			  phdr_addr, interp_load_addr);
 	if (retval < 0) {
 		send_sig(SIGKILL, current, 0);
 		goto out;