From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexey Dobriyan, Kees Cook, Sasha Levin, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH AUTOSEL 4.19 06/14] ELF: fix kernel.randomize_va_space double read
Date: Wed, 31 Jul 2024 20:40:14 -0400
Message-ID: <20240801004037.3939932-6-sashal@kernel.org>
In-Reply-To: <20240801004037.3939932-1-sashal@kernel.org>
References: <20240801004037.3939932-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 4.19.319
From: Alexey Dobriyan

[ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ]

ELF loader uses "randomize_va_space" twice. It is a sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences.

Issue exactly one load for a consistent value across one exec.

Signed-off-by: Alexey Dobriyan
Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 fs/binfmt_elf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index c41c568ad1b8a..af8830878fa0b 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -876,7 +876,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm);
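Review bot: the new line `const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);` is a declaration placed after the statement `current->personality |= READ_IMPLIES_EXEC;`, which is fine for the upstream tree but is the kind of mixed declaration and code that older trees such as 4.19 still flag with -Wdeclaration-after-statement; for the backport it is worth hoisting the snapshot into the declarations at the top of load_elf_binary and keeping only the READ_ONCE assignment here. A one-line comment at the read would also help, since its second consumer is roughly 260 lines further down: the point of the single READ_ONCE is that the PF_RANDOMIZE decision and the later `> 1` test are taken from the same value even if the sysctl is written concurrently during the exec.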
@@ -1136,7 +1137,7 @@ static int load_elf_binary(struct linux_binprm *bprm) current->mm->end_data = end_data; current->mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.43.0
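Review bot: replacing the second read with `snapshot_randomize_va_space > 1` closes the one observable inconsistency in the old code, and the commit message would be clearer if it named it instead of saying "unpredictable consequences": a sysctl write from 2 to 0 or 1 between the two reads left PF_RANDOMIZE set from the first hunk but skipped this block (the brk randomization), so that exec got stack and mmap randomization without brk randomization; a write in the other direction was already harmless because this block is gated on PF_RANDOMIZE. With the snapshot, the two checks can no longer disagree for a given exec, and the weakened-ASLR window is gone.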