From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, Linus Torvalds, Guenter Roeck, Richard Kojedzinszky
Subject: [PATCH 4.9 25/90] binfmt_elf: Do not move brk for INTERP-less ET_EXEC
Date: Mon, 18 May 2020 19:36:03 +0200
Message-Id: <20200518173456.322832435@linuxfoundation.org>
In-Reply-To: <20200518173450.930655662@linuxfoundation.org>
References: <20200518173450.930655662@linuxfoundation.org>

From: Kees Cook

commit 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 upstream.

When brk was moved for binaries without an interpreter, it should have been limited to ET_DYN only. In other words, the special case was an ET_DYN that lacks an INTERP, not just an executable that lacks INTERP. The bug manifested for giant static executables, where the brk would end up in the middle of the text area on 32-bit architectures.

Reported-and-tested-by: Richard Kojedzinszky
Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Signed-off-by: Linus Torvalds
Cc: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman
---
 fs/binfmt_elf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1107,7 +1107,8 @@ static int load_elf_binary(struct linux_
* (since it grows up, and may collide early with the stack * growing down), and into the unused ELF_ET_DYN_BASE region. */ - if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && !interpreter) + if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && + loc->elf_ex.e_type == ET_DYN && !interpreter) current->mm->brk = current->mm->start_brk = ELF_ET_DYN_BASE;
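Review bot: the comment immediately above the condition ("... and into the unused ELF_ET_DYN_BASE region") still describes the brk relocation as applying to any INTERP-less binary; now that the test also requires loc->elf_ex.e_type == ET_DYN, update that comment to say the move is only for an ET_DYN that lacks PT_INTERP (the direct-loader-exec case from the Fixes: commit), so the reason a static ET_EXEC is excluded (brk landing inside the text mapping on 32-bit, per the commit message) is recorded next to the code rather than only in git history.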
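To make the effect of the changed condition concrete, here is an added example (not part of the patch or of the kernel tree) that parses an ELF image for e_type and the presence of PT_INTERP and reports whether brk would be relocated to ELF_ET_DYN_BASE under the old and the new test. It assumes little-endian images, CONFIG_ARCH_HAS_ELF_RANDOMIZE enabled, and uses constructed minimal ELF32 headers as input; the parser also handles ELF64, which goes beyond the 32-bit case in the commit message.

```python
import struct

# ELF constants as defined by the ELF spec and used by fs/binfmt_elf.c.
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_LOAD = 3, 1

def elf_type_and_interp(data):
    """Return (e_type, has_PT_INTERP) for a little-endian ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    e_type, = struct.unpack_from("<H", data, 16)
    if data[4] == 1:   # ELFCLASS32: ELF32 header field offsets
        e_phoff, = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    else:              # ELFCLASS64: ELF64 header field offsets
        e_phoff, = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = any(
        struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    return e_type, has_interp

def brk_moved(e_type, has_interp, fixed):
    """Model the load_elf_binary() test that relocates brk to ELF_ET_DYN_BASE;
    CONFIG_ARCH_HAS_ELF_RANDOMIZE is assumed enabled. fixed=False is the buggy test."""
    if fixed:
        return e_type == ET_DYN and not has_interp  # patched: INTERP-less ET_DYN only
    return not has_interp                           # before: any INTERP-less binary

def make_elf32(e_type, phdr_types):
    """Build a minimal ELF32 image (constructed sample input, not a real binary)."""
    ehdr = bytearray(52)
    ehdr[:16] = b"\x7fELF\x01\x01\x01" + b"\x00" * 9   # ELFCLASS32, little-endian
    struct.pack_into("<HHIIIIIHHHHHH", ehdr, 16, e_type, 3, 1, 0, 52, 0, 0,
                     52, 32, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return bytes(ehdr) + phdrs

def classify(data):
    """Report whether the kernel moves brk for this image before and after the patch."""
    e_type, has_interp = elf_type_and_interp(data)
    return {"e_type": e_type, "has_interp": has_interp,
            "brk_moved_before": brk_moved(e_type, has_interp, fixed=False),
            "brk_moved_after": brk_moved(e_type, has_interp, fixed=True)}

if __name__ == "__main__":
    # A static, non-PIE ET_EXEC: the case the fix stops relocating.
    print(classify(make_elf32(ET_EXEC, [PT_LOAD])))
```

Pointing classify() at the bytes of a real 32-bit static executable shows the same before/after split as the constructed header: only an INTERP-less ET_DYN keeps its brk at ELF_ET_DYN_BASE once the patch is applied.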