From: Ilya Smith <blackzert@gmail.com>
To: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: Ilya Smith <blackzert@gmail.com>
Subject: [PATCH 1/1] Additional strict check on ELF file. Checks segments are followed in order of 'p_vaddr' value ascending. It fixes error in total_mapping_size with computation total size. This error happens if segments in ELF file are not in order.
Date: Mon, 26 Feb 2018 18:46:59 +0300
Message-ID: <20180226154659.10218-2-blackzert@gmail.com>
In-Reply-To: <20180226154659.10218-1-blackzert@gmail.com>
Signed-off-by: Ilya Smith <blackzert@gmail.com>
---
fs/binfmt_elf.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index bdb201230bae..970b42044240 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -524,6 +524,52 @@ static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
#endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
+/**
+ * elf_check_phdr() - common check ELF program header.
+ * @phdr: The program header to check
+ * @phdr_num: Count of program headers in @phdr from elf header.
+ *
+ * Checks ELF binary meets specification.
+ *
+ * Return: Zero to proceed with ELF load, non-zero to faile the ELF load
+ * with that return code.
+ */
+static int elf_check_phdr(struct elf_phdr *phdr, unsigned long phdr_num)
+{
+ unsigned long i;
+ struct elf_phdr *eppnt = phdr;
+ Elf64_Addr curr_vaddr;
+ Elf64_Xword curr_memsz;
+
+ /* Find first PT_LOAD entry */
+ for (i = 0; i < phdr_num && eppnt->p_type != PT_LOAD; ++i, ++eppnt)
+ ;
+
+ /* no any PT_LOAD */
+ if (i == phdr_num)
+ return -EINVAL;
+
+ curr_memsz = eppnt->p_memsz;
+ curr_vaddr = eppnt->p_vaddr;
+
+ for (++i, ++eppnt; i < phdr_num; ++i, ++eppnt) {
+ if (eppnt->p_type != PT_LOAD)
+ continue;
+
+ /* Check order of vaddr */
+ if (eppnt->p_vaddr <= curr_vaddr)
+ return -EINVAL;
+
+ /* Check overlapping */
+ if (eppnt->p_vaddr < curr_vaddr + curr_memsz)
+ return -EINVAL;
+
+ curr_memsz = eppnt->p_memsz;
+ curr_vaddr = eppnt->p_vaddr;
+ }
+ return 0;
+}
+
/* This is much more generalized than the library routine read function,
so we keep this separate. Technically the library read function
is only provided so that we can read a.out libraries that have
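Review bot: the overlap test `eppnt->p_vaddr < curr_vaddr + curr_memsz` can be defeated by unsigned wrap-around: a crafted header whose `p_vaddr` sits near the top of the address space with a large `p_memsz` makes `curr_vaddr + curr_memsz` wrap to a small value, so a later PT_LOAD that really does overlap passes both checks. Reject the wrap before comparing, e.g. `if (curr_vaddr + curr_memsz < curr_vaddr) return -EINVAL;` (or `check_add_overflow()` where the tree provides it). Two smaller points in the same hunk: the locals are typed `Elf64_Addr`/`Elf64_Xword` while `struct elf_phdr` is the class-dependent type the rest of this file works with, so use the header's own field types (or `unsigned long`) to keep the comparison in one width; and the kerneldoc has "faile" for "fail" and overstates the function, which does not check that the "ELF binary meets specification" but only that PT_LOAD entries appear in ascending, non-overlapping `p_vaddr` order. Returning -EINVAL when the table has no PT_LOAD at all is a separate behaviour change from the ordering check and deserves its own sentence in the changelog, which currently lives entirely in the Subject line.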
@@ -551,6 +597,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
goto out;
if (!interpreter->f_op->mmap)
goto out;
+ if (elf_check_phdr(interp_elf_phdata, interp_elf_ex->e_phnum))
+ goto out;
total_size = total_mapping_size(interp_elf_phdata,
interp_elf_ex->e_phnum);
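Review bot: the -EINVAL returned by elf_check_phdr() is discarded here; the `goto out` returns whatever `error` already held, which is consistent with the two `goto out` checks directly above it but contradicts the kerneldoc promise that the load fails "with that return code". Either propagate the value into `error` or reword the comment so it does not promise propagation. Placing the check before total_mapping_size() is the right spot, since that is the computation the Subject says is wrong for out-of-order segments; say so in the changelog rather than only in the Subject.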
@@ -733,6 +781,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (!elf_phdata)
goto out;
+ if (elf_check_phdr(&loc->elf_ex, loc->elf_ex.e_phnum))
+ goto out;
+
elf_ppnt = elf_phdata;
elf_bss = 0;
elf_brk = 0;
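Review bot: `elf_check_phdr(&loc->elf_ex, loc->elf_ex.e_phnum)` passes the ELF header (`struct elfhdr *`) where the function takes a `struct elf_phdr *`; that is an incompatible-pointer-type warning at build time, and at run time the function walks the bytes of the ELF header as if they were program headers instead of the table that was just loaded into `elf_phdata`. It should be `elf_check_phdr(elf_phdata, loc->elf_ex.e_phnum)`. Separately, nothing assigns `retval` before the `goto out`, so a rejected binary fails exec with whatever error code the preceding `if (!elf_phdata)` path left in `retval` rather than with -EINVAL; write `retval = elf_check_phdr(elf_phdata, loc->elf_ex.e_phnum);` followed by `if (retval) goto out;`.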
--
2.14.1
Thread overview:
2018-02-26 15:46 [PATCH 0/1] Additional strict check on ELF file Ilya Smith
2018-02-26 15:46 ` Ilya Smith [this message]
2018-02-26 17:48 ` [PATCH 1/1] Additional strict check on ELF file. Checks segments are followed in order of 'p_vaddr' value ascending. It fixes error in total_mapping_size with computation total size. This error happens if segments in ELF file are not in order Randy Dunlap
2018-02-27 12:45 ` Ilya Smith