[PATCH] binfmt_elf: remove the 4k limitation of program header size

[PATCH] binfmt_elf: remove the 4k limitation of program header size

[fengwei_yin]

From: Yin Fengwei <fengwei_yin@linux.alibaba.com>

We have assembly code generated by a script. GCC successfully compiles
it. However, the kernel cannot load it on an ARM64 platform with a 4K
page size. In contrast, the same ELF file loads correctly on the same
platform with a 64K page size.

The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
program headers of ELF files. The ELF file contains 78 program headers
(the script inserts many holes when generating the assembly code). On
ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
program headers, causing the ELF file to fail. However, with a 64K page
size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
the file to run correctly.

Cook kindly identified that this limitation was introduced in
Linux-0.99.15f without an explanation for its purpose [1].

The ELF specification does not impose such a restriction on program
headers. Removing the ELF_MIN_ALIGN limitation on program headers to
align with the ELF spec. After removing ELF_MIN_ALIGN limitation,
64K size limitation still exist which should be sufficient.

[1] https://lore.kernel.org/linux-mm/202506270854.A729825@keescook/

Originally-by: Kees Cook <kees@kernel.org>
Signed-off-by: Yin Fengwei <fengwei_yin@linux.alibaba.com>
---
Explaination about "Originally-by": it's debug code from Cook. And
he didn't show the intention to submit it as patch. The change did
fix the issue I hit...

 fs/binfmt_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index a43363d593e5..1cb35a2bc528 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -519,7 +519,7 @@ static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
 	/* Sanity check the number of program headers... */
 	/* ...and their total size. */
 	size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
-	if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
+	if (size == 0 || size > 65536)
 		goto out;
 
 	elf_phdata = kmalloc(size, GFP_KERNEL);
-- 
2.49.0

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Kees Cook]

On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
> We have assembly code generated by a script. GCC successfully compiles
> it. However, the kernel cannot load it on an ARM64 platform with a 4K
> page size. In contrast, the same ELF file loads correctly on the same
> platform with a 64K page size.
> 
> The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
> program headers of ELF files. The ELF file contains 78 program headers
> (the script inserts many holes when generating the assembly code). On
> ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
> program headers, causing the ELF file to fail. However, with a 64K page
> size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
> the file to run correctly.
> 
> [...]

Applied to for-next/execve, thanks!

[1/1] binfmt_elf: remove the 4k limitation of program header size
      https://git.kernel.org/kees/c/8030790477e8

Take care,

-- 
Kees Cook

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[YinFengwei]

On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
> On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
> > We have assembly code generated by a script. GCC successfully compiles
> > it. However, the kernel cannot load it on an ARM64 platform with a 4K
> > page size. In contrast, the same ELF file loads correctly on the same
> > platform with a 64K page size.
> > 
> > The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
> > program headers of ELF files. The ELF file contains 78 program headers
> > (the script inserts many holes when generating the assembly code). On
> > ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
> > program headers, causing the ELF file to fail. However, with a 64K page
> > size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
> > the file to run correctly.
> > 
> > [...]
> 
> Applied to for-next/execve, thanks!
Cook, thanks a lot.

Regards
Yin, Fengwei

> 
> [1/1] binfmt_elf: remove the 4k limitation of program header size
>       https://git.kernel.org/kees/c/8030790477e8
> 
> Take care,
> 
> -- 
> Kees Cook

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Ismael Luceno]

On Sat, Jul 19, 2025 at 17:17:09 +0800, YinFengwei wrote:
> On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
> > On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
> > > We have assembly code generated by a script. GCC successfully compiles
> > > it. However, the kernel cannot load it on an ARM64 platform with a 4K
> > > page size. In contrast, the same ELF file loads correctly on the same
> > > platform with a 64K page size.
> > > 
> > > The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
> > > program headers of ELF files. The ELF file contains 78 program headers
> > > (the script inserts many holes when generating the assembly code). On
> > > ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
> > > program headers, causing the ELF file to fail. However, with a 64K page
> > > size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
> > > the file to run correctly.
> > > 
> > > [...]
> > 
> > Applied to for-next/execve, thanks!
> Cook, thanks a lot.
> 
> Regards
> Yin, Fengwei
> 
> > 
> > [1/1] binfmt_elf: remove the 4k limitation of program header size
> >       https://git.kernel.org/kees/c/8030790477e8
> > 
> > Take care,

Hi,

I noticed this removal and wonder whether it could be a problem on
smaller platforms.

IIRC that code has been there since ELF support was added in one
form or another; and the idea behind it was to simplify the code
by ensuring no cross-page reads could happen, as these could cause
undefined behaviours or read abort exceptions.

Best regards.

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Ismael Luceno]

On 02/Aug/2025 10:29, Kees Cook wrote:
> On Sat, Aug 02, 2025 at 05:47:13AM +0200, Ismael Luceno wrote:
> > On Sat, Jul 19, 2025 at 17:17:09 +0800, YinFengwei wrote:
> > > On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
> > > > On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
> > > > > We have assembly code generated by a script. GCC successfully compiles
> > > > > it. However, the kernel cannot load it on an ARM64 platform with a 4K
> > > > > page size. In contrast, the same ELF file loads correctly on the same
> > > > > platform with a 64K page size.
> > > > > 
> > > > > The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
> > > > > program headers of ELF files. The ELF file contains 78 program headers
> > > > > (the script inserts many holes when generating the assembly code). On
> > > > > ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
> > > > > program headers, causing the ELF file to fail. However, with a 64K page
> > > > > size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
> > > > > the file to run correctly.
> > > > > 
> > > > > [...]
> > > > 
> > > > Applied to for-next/execve, thanks!
> > > Cook, thanks a lot.
> > > 
> > > Regards
> > > Yin, Fengwei
> > > 
> > > > 
> > > > [1/1] binfmt_elf: remove the 4k limitation of program header size
> > > >       https://git.kernel.org/kees/c/8030790477e8
> > > > 
> > > > Take care,
> > 
> > Hi,
> > 
> > I noticed this removal and wonder whether it could be a problem on
> > smaller platforms.
> > 
> > IIRC that code has been there since ELF support was added in one
> > form or another; and the idea behind it was to simplify the code
> > by ensuring no cross-page reads could happen, as these could cause
> > undefined behaviours or read abort exceptions.
> 
> I didn't see a place where that would happen -- the reads aren't done on
> a single page. If you see something that I missed, please let me know!

The offset to the phdrs can point anywhere and the entries are
arbitrarily sized, thus it can be unaligned, so we can be potentially
reading at an entry right between two pages.

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Yin Fengwei]

在 2025/8/3 13:28, Ismael Luceno 写道:
> On 02/Aug/2025 10:29, Kees Cook wrote:
>> On Sat, Aug 02, 2025 at 05:47:13AM +0200, Ismael Luceno wrote:
>>> On Sat, Jul 19, 2025 at 17:17:09 +0800, YinFengwei wrote:
>>>> On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
>>>>> On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
>>>>>> We have assembly code generated by a script. GCC successfully compiles
>>>>>> it. However, the kernel cannot load it on an ARM64 platform with a 4K
>>>>>> page size. In contrast, the same ELF file loads correctly on the same
>>>>>> platform with a 64K page size.
>>>>>>
>>>>>> The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
>>>>>> program headers of ELF files. The ELF file contains 78 program headers
>>>>>> (the script inserts many holes when generating the assembly code). On
>>>>>> ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
>>>>>> program headers, causing the ELF file to fail. However, with a 64K page
>>>>>> size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
>>>>>> the file to run correctly.
>>>>>>
>>>>>> [...]
>>>>>
>>>>> Applied to for-next/execve, thanks!
>>>> Cook, thanks a lot.
>>>>
>>>> Regards
>>>> Yin, Fengwei
>>>>
>>>>>
>>>>> [1/1] binfmt_elf: remove the 4k limitation of program header size
>>>>>        https://git.kernel.org/kees/c/8030790477e8
>>>>>
>>>>> Take care,
>>>
>>> Hi,
>>>
>>> I noticed this removal and wonder whether it could be a problem on
>>> smaller platforms.
>>>
>>> IIRC that code has been there since ELF support was added in one
>>> form or another; and the idea behind it was to simplify the code
>>> by ensuring no cross-page reads could happen, as these could cause
>>> undefined behaviours or read abort exceptions.
>>
>> I didn't see a place where that would happen -- the reads aren't done on
>> a single page. If you see something that I missed, please let me know!
> 
> The offset to the phdrs can point anywhere and the entries are
> arbitrarily sized, thus it can be unaligned, so we can be potentially
> reading at an entry right between two pages.

The read buffer are managed in kernel. Why cross-page read can cause
undefined behaviors or read abort?

Does smaller platforms have special behavior in this situation? Like
can't do cross-page read against the buffer allocated by kmalloc?


Regards
Yin, Fengwei

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Ismael Luceno]

On 04/Aug/2025 10:12, Yin Fengwei wrote:
> 
> 
> 在 2025/8/3 13:28, Ismael Luceno 写道:
> > On 02/Aug/2025 10:29, Kees Cook wrote:
> > > On Sat, Aug 02, 2025 at 05:47:13AM +0200, Ismael Luceno wrote:
> > > > On Sat, Jul 19, 2025 at 17:17:09 +0800, YinFengwei wrote:
> > > > > On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
> > > > > > On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
> > > > > > > We have assembly code generated by a script. GCC successfully compiles
> > > > > > > it. However, the kernel cannot load it on an ARM64 platform with a 4K
> > > > > > > page size. In contrast, the same ELF file loads correctly on the same
> > > > > > > platform with a 64K page size.
> > > > > > > 
> > > > > > > The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
> > > > > > > program headers of ELF files. The ELF file contains 78 program headers
> > > > > > > (the script inserts many holes when generating the assembly code). On
> > > > > > > ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
> > > > > > > program headers, causing the ELF file to fail. However, with a 64K page
> > > > > > > size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
> > > > > > > the file to run correctly.
> > > > > > > 
> > > > > > > [...]
> > > > > > 
> > > > > > Applied to for-next/execve, thanks!
> > > > > Cook, thanks a lot.
> > > > > 
> > > > > Regards
> > > > > Yin, Fengwei
> > > > > 
> > > > > > 
> > > > > > [1/1] binfmt_elf: remove the 4k limitation of program header size
> > > > > >        https://git.kernel.org/kees/c/8030790477e8
> > > > > > 
> > > > > > Take care,
> > > > 
> > > > Hi,
> > > > 
> > > > I noticed this removal and wonder whether it could be a problem on
> > > > smaller platforms.
> > > > 
> > > > IIRC that code has been there since ELF support was added in one
> > > > form or another; and the idea behind it was to simplify the code
> > > > by ensuring no cross-page reads could happen, as these could cause
> > > > undefined behaviours or read abort exceptions.
> > > 
> > > I didn't see a place where that would happen -- the reads aren't done on
> > > a single page. If you see something that I missed, please let me know!
> > 
> > The offset to the phdrs can point anywhere and the entries are
> > arbitrarily sized, thus it can be unaligned, so we can be potentially
> > reading at an entry right between two pages.
> 
> The read buffer are managed in kernel. Why cross-page read can cause
> undefined behaviors or read abort?
> 
> Does smaller platforms have special behavior in this situation? Like
> can't do cross-page read against the buffer allocated by kmalloc?

Pretty much anything MMU-less will fault at cross-page multi-byte reads.

I'm not aware of any system with an MMU doing that but, I think on
RISC-V it's implementation-defined.

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Yin Fengwei]

在 2025/8/4 15:19, Ismael Luceno 写道:
> On 04/Aug/2025 10:12, Yin Fengwei wrote:
>>
>>
>> 在 2025/8/3 13:28, Ismael Luceno 写道:
>>> On 02/Aug/2025 10:29, Kees Cook wrote:
>>>> On Sat, Aug 02, 2025 at 05:47:13AM +0200, Ismael Luceno wrote:
>>>>> On Sat, Jul 19, 2025 at 17:17:09 +0800, YinFengwei wrote:
>>>>>> On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
>>>>>>> On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
>>>>>>>> We have assembly code generated by a script. GCC successfully compiles
>>>>>>>> it. However, the kernel cannot load it on an ARM64 platform with a 4K
>>>>>>>> page size. In contrast, the same ELF file loads correctly on the same
>>>>>>>> platform with a 64K page size.
>>>>>>>>
>>>>>>>> The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
>>>>>>>> program headers of ELF files. The ELF file contains 78 program headers
>>>>>>>> (the script inserts many holes when generating the assembly code). On
>>>>>>>> ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
>>>>>>>> program headers, causing the ELF file to fail. However, with a 64K page
>>>>>>>> size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
>>>>>>>> the file to run correctly.
>>>>>>>>
>>>>>>>> [...]
>>>>>>>
>>>>>>> Applied to for-next/execve, thanks!
>>>>>> Cook, thanks a lot.
>>>>>>
>>>>>> Regards
>>>>>> Yin, Fengwei
>>>>>>
>>>>>>>
>>>>>>> [1/1] binfmt_elf: remove the 4k limitation of program header size
>>>>>>>         https://git.kernel.org/kees/c/8030790477e8
>>>>>>>
>>>>>>> Take care,
>>>>>
>>>>> Hi,
>>>>>
>>>>> I noticed this removal and wonder whether it could be a problem on
>>>>> smaller platforms.
>>>>>
>>>>> IIRC that code has been there since ELF support was added in one
>>>>> form or another; and the idea behind it was to simplify the code
>>>>> by ensuring no cross-page reads could happen, as these could cause
>>>>> undefined behaviours or read abort exceptions.
>>>>
>>>> I didn't see a place where that would happen -- the reads aren't done on
>>>> a single page. If you see something that I missed, please let me know!
>>>
>>> The offset to the phdrs can point anywhere and the entries are
>>> arbitrarily sized, thus it can be unaligned, so we can be potentially
>>> reading at an entry right between two pages.
>>
>> The read buffer are managed in kernel. Why cross-page read can cause
>> undefined behaviors or read abort?
>>
>> Does smaller platforms have special behavior in this situation? Like
>> can't do cross-page read against the buffer allocated by kmalloc?
> 
> Pretty much anything MMU-less will fault at cross-page multi-byte reads.
OK.

> 
> I'm not aware of any system with an MMU doing that but, I think on
> RISC-V it's implementation-defined.
But resitriction of 4K can NOT prevent cross-page multi-byte reads as
well. Say if the phdrs is on 2K offset, the size of entries is
larger than 2K. Right?

Regards
Yin, Fengwei

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Yin Fengwei]

On 2025/8/4 15:19, Ismael Luceno wrote:
> On 04/Aug/2025 10:12, Yin Fengwei wrote:
>>
>>
>> 在 2025/8/3 13:28, Ismael Luceno 写道:
>>> On 02/Aug/2025 10:29, Kees Cook wrote:
>>>> On Sat, Aug 02, 2025 at 05:47:13AM +0200, Ismael Luceno wrote:
>>>>> On Sat, Jul 19, 2025 at 17:17:09 +0800, YinFengwei wrote:
>>>>>> On Thu, Jul 17, 2025 at 04:31:50PM +0800, Kees Cook wrote:
>>>>>>> On Thu, 17 Jul 2025 19:01:08 +0800, fengwei_yin@linux.alibaba.com wrote:
>>>>>>>> We have assembly code generated by a script. GCC successfully compiles
>>>>>>>> it. However, the kernel cannot load it on an ARM64 platform with a 4K
>>>>>>>> page size. In contrast, the same ELF file loads correctly on the same
>>>>>>>> platform with a 64K page size.
>>>>>>>>
>>>>>>>> The root cause is the Linux kernel's ELF_MIN_ALIGN limitation on the
>>>>>>>> program headers of ELF files. The ELF file contains 78 program headers
>>>>>>>> (the script inserts many holes when generating the assembly code). On
>>>>>>>> ARM64 with a 4K page size, the ELF_MIN_ALLIGN enforces a maximum of 74
>>>>>>>> program headers, causing the ELF file to fail. However, with a 64K page
>>>>>>>> size, the ELF_MIN_ALIGN is relaxed to over 1,184 program headers, allowing
>>>>>>>> the file to run correctly.
>>>>>>>>
>>>>>>>> [...]
>>>>>>>
>>>>>>> Applied to for-next/execve, thanks!
>>>>>> Cook, thanks a lot.
>>>>>>
>>>>>> Regards
>>>>>> Yin, Fengwei
>>>>>>
>>>>>>>
>>>>>>> [1/1] binfmt_elf: remove the 4k limitation of program header size
>>>>>>>         https://git.kernel.org/kees/c/8030790477e8
>>>>>>>
>>>>>>> Take care,
>>>>>
>>>>> Hi,
>>>>>
>>>>> I noticed this removal and wonder whether it could be a problem on
>>>>> smaller platforms.
>>>>>
>>>>> IIRC that code has been there since ELF support was added in one
>>>>> form or another; and the idea behind it was to simplify the code
>>>>> by ensuring no cross-page reads could happen, as these could cause
>>>>> undefined behaviours or read abort exceptions.
>>>>
>>>> I didn't see a place where that would happen -- the reads aren't done on
>>>> a single page. If you see something that I missed, please let me know!
>>>
>>> The offset to the phdrs can point anywhere and the entries are
>>> arbitrarily sized, thus it can be unaligned, so we can be potentially
>>> reading at an entry right between two pages.
>>
>> The read buffer are managed in kernel. Why cross-page read can cause
>> undefined behaviors or read abort?
>>
>> Does smaller platforms have special behavior in this situation? Like
>> can't do cross-page read against the buffer allocated by kmalloc?
> 
> Pretty much anything MMU-less will fault at cross-page multi-byte reads.
> 
> I'm not aware of any system with an MMU doing that but, I think on
> RISC-V it's implementation-defined.

Checked the doc "The RISC-V Instruction Set Manual Volume I" - 17.1.1
Momory Model Primitives. The misaligned memory operations (I suppose
the cross-page multi-byte access you concerned will trigger misaligned
memory first) will be emulated by byte access. So not a problem for
Risc-V IMHO.


For MMU-less system, is it possible a 64bit system? If not, the phdr
size is 4 * 8 = 32bit. There is no cross page multi-byte access. If
it's 64 bit, it's very unlikely that it has ELF with more than 73
program headers. I am kind of sure that we are fine here.

If this is really a concern, we can add 4K restriction only for
noMMU. Thanks.


Regards
Yin, Fengwei

Re: [PATCH] binfmt_elf: remove the 4k limitation of program header size

[Kees Cook]

On Mon, Aug 04, 2025 at 10:00:41PM +0800, Yin Fengwei wrote:
> If this is really a concern, we can add 4K restriction only for
> noMMU. Thanks.

My point is that the headers are loaded via elf_read()/kernel_read().
There is no direct mapping, etc, that would result in some single page;
it's already bounds checked, loaded into a distinct memory area, etc.

-- 
Kees Cook