From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Ismael Ripoll Ripoll", "Andrey Ryabinin", "Oleg Nesterov", "Alexander Viro", "Chen Gang", "Hector Marco-Gisbert", "Michal Hocko", "Kirill A. Shutemov", "Konstantin Khlebnikov", "Linus Torvalds", "Kees Cook", "Andrea Arcangeli"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 251/366] binfmt_elf: fix calculations for bss padding

3.16.61-rc1 review patch. If anyone has any objections, please let me know.

------------------
From: Kees Cook

commit 0036d1f7eb95bcc52977f15507f00dd07018e7e2 upstream.

A double-bug exists in the bss calculation code, where an overflow can
happen in the "last_bss - elf_bss" calculation, but vm_brk internally
aligns the argument, underflowing it, wrapping back around safe. We
shouldn't depend on these bugs staying in sync, so this cleans up the
bss padding handling to avoid the overflow.

This moves the bss padzero() before the last_bss > elf_bss case, since
the zero-filling of the ELF_PAGE should have nothing to do with the
relationship of last_bss and elf_bss: any trailing portion should be
zeroed, and a zero size is already handled by padzero().

Then it handles the math on elf_bss vs last_bss correctly. These need
to both be ELF_PAGE aligned to get the comparison correct, since that's
the expected granularity of the mappings. Since elf_bss already had
alignment-based padding happen in padzero(), the "start" of the new
vm_brk() should be moved forward as done in the original code. However,
since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
vm_brk() then last_bss should get aligned here to avoid hiding it as a
side-effect.

Additionally makes a cosmetic change to the initial last_bss calculation
so it's easier to read in comparison to the load_addr calculation above
it (i.e. the only difference is p_filesz vs p_memsz).

Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook
Reported-by: Hector Marco-Gisbert
Cc: Ismael Ripoll Ripoll
Cc: Alexander Viro
Cc: "Kirill A. Shutemov"
Cc: Oleg Nesterov
Cc: Chen Gang
Cc: Michal Hocko
Cc: Konstantin Khlebnikov
Cc: Andrea Arcangeli
Cc: Andrey Ryabinin
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 fs/binfmt_elf.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -508,28 +508,30 @@ static unsigned long load_elf_interp(str * Do the same thing for the memory mapping - between * elf_bss and last_bss is the bss section. */ - k = load_addr + eppnt->p_memsz + eppnt->p_vaddr; + k = load_addr + eppnt->p_vaddr + eppnt->p_memsz; if (k > last_bss) last_bss = k; } } + /* + * Now fill out the bss section: first pad the last page from + * the file up to the page boundary, and zero it from elf_bss + * up to the end of the page. + */ + if (padzero(elf_bss)) { + error = -EFAULT; + goto out_close; + } + /* + * Next, align both the file and mem bss up to the page size, + * since this is where elf_bss was just zeroed up to, and where + * last_bss will end after the vm_brk() below. + */ + elf_bss = ELF_PAGEALIGN(elf_bss); + last_bss = ELF_PAGEALIGN(last_bss); + /* Finally, if there is still more bss to allocate, do it. */ if (last_bss > elf_bss) { - /* - * Now fill out the bss section. First pad the last page up - * to the page boundary, and then perform a mmap to make sure - * that there are zero-mapped pages up to and including the - * last bss page. - */ - if (padzero(elf_bss)) { - error = -EFAULT; - goto out_close; - } - - /* What we have mapped so far */ - elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1); - - /* Map the last of the bss segment */ error = vm_brk(elf_bss, last_bss - elf_bss); if (BAD_ADDR(error)) goto out_close;
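Review bot: the replacement comment "Finally, if there is still more bss to allocate, do it." loses the one useful fact from the deleted block, that the vm_brk() call is what provides the zero-mapped pages up to and including the last bss page; suggest keeping a short note to that effect above the `error = vm_brk(elf_bss, last_bss - elf_bss);` line so a later reader does not wonder why no explicit zeroing follows. The reordering itself holds up: with `elf_bss = ELF_PAGEALIGN(elf_bss);` and `last_bss = ELF_PAGEALIGN(last_bss);` done before the `if (last_bss > elf_bss)` test, the `last_bss - elf_bss` length passed to vm_brk() can no longer go negative when both addresses fall within the same page, which is exactly what the old `ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1)` rounding after the comparison allowed. Note also that `padzero(elf_bss)` and its `-EFAULT` path now run unconditionally rather than only when `last_bss > elf_bss`; that matches the commit message's intent but is a behaviour change for interpreters with no trailing bss, so the backport note should mention it if any 3.16-specific callers care.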
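To make the arithmetic in the commit message concrete, here is an added, stand-alone model of the two calculation orders (it is not code from the patch or the kernel). It assumes x86-style 4096-byte ELF_MIN_ALIGN and reimplements ELF_PAGESTART/ELF_PAGEALIGN/PAGE_ALIGN as the usual mask macros; padzero() and the actual mapping are not modelled, only the start/length that would be handed to vm_brk() and the length vm_brk() would end up mapping after its own PAGE_ALIGN. The sample addresses are constructed to put elf_bss and last_bss in the same page, which is the case the pre-patch order mishandles.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel macros (assumption: 4 KiB pages). */
#define ELF_MIN_ALIGN 4096UL
#define ELF_PAGESTART(v) ((v) & ~(ELF_MIN_ALIGN - 1))
#define ELF_PAGEALIGN(v) (((v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
#define PAGE_ALIGN(v) ELF_PAGEALIGN(v)

struct brk_req {
    bool called;          /* would vm_brk() be called at all? */
    unsigned long start;  /* first argument to vm_brk() */
    unsigned long len;    /* second argument as computed by the caller */
    unsigned long mapped; /* length after vm_brk()'s own PAGE_ALIGN() */
};

/* Pre-patch order: compare first, round elf_bss up afterwards, then subtract. */
struct brk_req old_bss_request(unsigned long elf_bss, unsigned long last_bss)
{
    struct brk_req r = {0};
    if (last_bss > elf_bss) {
        /* "What we have mapped so far" in the old code */
        elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
        r.called = true;
        r.start = elf_bss;
        r.len = last_bss - elf_bss;     /* underflows if same page */
        r.mapped = PAGE_ALIGN(r.len);   /* wraps back to 0 on underflow */
    }
    return r;
}

/* Post-patch order: round both ends first, then compare and subtract. */
struct brk_req new_bss_request(unsigned long elf_bss, unsigned long last_bss)
{
    struct brk_req r = {0};
    elf_bss = ELF_PAGEALIGN(elf_bss);
    last_bss = ELF_PAGEALIGN(last_bss);
    if (last_bss > elf_bss) {
        r.called = true;
        r.start = elf_bss;
        r.len = last_bss - elf_bss;     /* always a multiple of the page size */
        r.mapped = PAGE_ALIGN(r.len);
    }
    return r;
}

static void show(const char *tag, struct brk_req r)
{
    if (r.called)
        printf("%s: vm_brk(0x%lx, 0x%lx) -> maps 0x%lx bytes\n",
               tag, r.start, r.len, r.mapped);
    else
        printf("%s: vm_brk() not called\n", tag);
}

int main(void)
{
    /* Constructed sample: file bss ends mid-page, mem bss ends in the same page. */
    unsigned long elf_bss = 0x1010, last_bss = 0x1800;
    show("old, same page ", old_bss_request(elf_bss, last_bss));
    show("new, same page ", new_bss_request(elf_bss, last_bss));
    /* Constructed sample: mem bss extends into the next page. */
    show("old, next page ", old_bss_request(0x1010, 0x2800));
    show("new, next page ", new_bss_request(0x1010, 0x2800));
    return 0;
}
```

In the same-page case the old order passes a length that has wrapped past the end of the address space, and only vm_brk()'s internal PAGE_ALIGN() happening to wrap it back to zero keeps the call harmless; the new order never reaches vm_brk() in that case, and when more bss is needed it passes a clean page-multiple length.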