From: Ilya Smith
To: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Ilya Smith
Subject: [PATCH 1/1] Additional strict check on ELF file. Checks segments are followed in order of 'p_vaddr' value ascending. It fixes error in total_mapping_size with computation total size. This error happens if segments in ELF file are not in order.
Date: Mon, 26 Feb 2018 18:46:59 +0300
Message-Id: <20180226154659.10218-2-blackzert@gmail.com>

Signed-off-by: Ilya Smith
--- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index bdb201230bae..970b42044240 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c 
@@ -524,6 +524,52 @@ static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp, #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */ +/** + * elf_check_phdr() - common check ELF program header. + * @phdr: The program header to check + * @phdr_num: Count of program headers in @phdr from elf header. + * + * Checks ELF binary meets specification. + * + * Return: Zero to proceed with ELF load, non-zero to faile the ELF load + * with that return code. + */ +static int elf_check_phdr(struct elf_phdr *phdr, unsigned long phdr_num) +{ + unsigned long i; + struct elf_phdr *eppnt = phdr; + Elf64_Addr curr_vaddr; + Elf64_Xword curr_memsz; + + /* Find first PT_LOAD entry */ + for (i = 0; i < phdr_num && eppnt->p_type != PT_LOAD; ++i, ++eppnt) + ; + + /* no any PT_LOAD */ + if (i == phdr_num) + return -EINVAL; + + curr_memsz = eppnt->p_memsz; + curr_vaddr = eppnt->p_vaddr; + + for (++i, ++eppnt; i < phdr_num; ++i, ++eppnt) { + if (eppnt->p_type != PT_LOAD) + continue; + + /* Check order of vaddr */ + if (eppnt->p_vaddr <= curr_vaddr) + return -EINVAL; + + /* Check overlapping */ + if (eppnt->p_vaddr < curr_vaddr + curr_memsz) + return -EINVAL; + + curr_memsz = eppnt->p_memsz; + curr_vaddr = eppnt->p_vaddr; + } + return 0; +} + /* This is much more generalized than the library routine read function, so we keep this separate. Technically the library read function is only provided so that we can read a.out libraries that have @@ -551,6 +597,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, goto out; if (!interpreter->f_op->mmap) goto out; + if (elf_check_phdr(interp_elf_phdata, interp_elf_ex->e_phnum)) + goto out; total_size = total_mapping_size(interp_elf_phdata, interp_elf_ex->e_phnum); @@ -733,6 +781,9 @@ static int load_elf_binary(struct linux_binprm *bprm) if (!elf_phdata) goto out; + if (elf_check_phdr(&loc->elf_ex, loc->elf_ex.e_phnum)) + goto out; + elf_ppnt = elf_phdata; elf_bss = 0; elf_brk = 0; -- 2.14.1
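Review bot: The overlap check in elf_check_phdr(), "if (eppnt->p_vaddr < curr_vaddr + curr_memsz)", adds two values taken straight from the file, and the sum can wrap around, so an entry with a very large p_memsz makes the bound small and a following segment that overlaps it is accepted. Reject any PT_LOAD entry whose p_vaddr + p_memsz wraps before doing the comparison, and apply that to the last PT_LOAD entry as well, since its own extent is never examined. The locals are declared Elf64_Addr and Elf64_Xword while the parameter is struct elf_phdr; declaring them with the types of that struct's own fields keeps the function consistent wherever struct elf_phdr is not the 64-bit layout. In the kernel-doc, "faile" should be "fail", and the comment "no any PT_LOAD" reads better as "no PT_LOAD entry".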
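Review bot: In load_elf_interp(), "if (elf_check_phdr(interp_elf_phdata, interp_elf_ex->e_phnum)) goto out;" discards the value elf_check_phdr() returns, although the kernel-doc added in the first hunk says the load fails "with that return code". Either propagate the code to whatever this function returns at the out label, or change the kernel-doc to say that callers only test for non-zero.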
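Review bot: In load_elf_binary(), the call passes &loc->elf_ex, which is the ELF header (the object that carries e_phnum), where elf_check_phdr() expects a struct elf_phdr pointer to the program header table. The function would then walk e_phnum entries starting at the header instead of at the table. The table in this function is elf_phdata, tested just above the added lines and assigned to elf_ppnt just below them, so the call should be elf_check_phdr(elf_phdata, loc->elf_ex.e_phnum), matching the interp_elf_phdata call in load_elf_interp(). The return code is also dropped before "goto out", as in the previous hunk.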