From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, Linus Torvalds, Guenter Roeck, Richard Kojedzinszky
Subject: [PATCH 4.4 19/86] binfmt_elf: Do not move brk for INTERP-less ET_EXEC
Date: Mon, 18 May 2020 19:35:50 +0200
Message-Id: <20200518173454.352345138@linuxfoundation.org>
In-Reply-To: <20200518173450.254571947@linuxfoundation.org>
References: <20200518173450.254571947@linuxfoundation.org>

From: Kees Cook

commit 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 upstream.

When brk was moved for binaries without an interpreter, it should have
been limited to ET_DYN only. In other words, the special case was an
ET_DYN that lacks an INTERP, not just an executable that lacks INTERP.
The bug manifested for giant static executables, where the brk would end
up in the middle of the text area on 32-bit architectures.

Reported-and-tested-by: Richard Kojedzinszky
Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Signed-off-by: Linus Torvalds
Cc: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman
---
 fs/binfmt_elf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1104,7 +1104,8 @@ static int load_elf_binary(struct linux_
 	 * (since it grows up, and may collide early with the stack
 	 * growing down), and into the unused ELF_ET_DYN_BASE region.
 	 */
-	if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && !interpreter)
+	if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
+	    loc->elf_ex.e_type == ET_DYN && !interpreter)
 		current->mm->brk = current->mm->start_brk = ELF_ET_DYN_BASE;
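Review bot: the comment directly above the changed condition still describes only why brk is placed in the ELF_ET_DYN_BASE region and says nothing about the binary type, so it no longer matches the narrowed test `loc->elf_ex.e_type == ET_DYN && !interpreter`; extend that comment to say the relocation applies only to an ET_DYN that has no PT_INTERP, otherwise a later reader may drop the ET_DYN term and reintroduce the static-ET_EXEC case the commit message describes. With the new condition an ET_EXEC without interpreter simply skips the assignment, leaving brk at whatever value load_elf_binary set earlier, which is the intended behaviour per the subject line.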
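To make the distinction in the commit message concrete, here is an added example (written for this page, not kernel code and not part of the patch) that parses the ELF header and program headers of a 32-bit image, applies both the pre-fix predicate (any INTERP-less binary moves its brk) and the fixed predicate (only an INTERP-less ET_DYN does), and checks whether a given brk base would land inside the image's PT_LOAD range, which is the collision described for large static executables. The example assumes CONFIG_ARCH_HAS_ELF_RANDOMIZE is enabled, uses a constructed in-memory image rather than a real binary, and uses an illustrative base address rather than any architecture's actual ELF_ET_DYN_BASE value.

```c
/* Added example: classify a 32-bit ELF image the way the fixed condition does.
 * Written for illustration; this is not kernel code. Assumes glibc <elf.h>. */
#include <elf.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct elf_info {
    uint16_t e_type;     /* ET_EXEC or ET_DYN */
    bool     has_interp; /* a PT_INTERP program header is present */
    size_t   n_load;     /* number of PT_LOAD segments seen */
    uint32_t load_lo;    /* lowest PT_LOAD p_vaddr */
    uint32_t load_hi;    /* highest PT_LOAD p_vaddr + p_memsz */
};

/* Parse the ELF header and program headers of an in-memory 32-bit image.
 * Returns 0 on success, -1 if malformed or not ET_EXEC/ET_DYN (which the
 * kernel loader also rejects). All offsets are bounds-checked against len. */
int parse_elf32(const unsigned char *buf, size_t len, struct elf_info *out)
{
    Elf32_Ehdr eh;
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS32)
        return -1;
    if (eh.e_type != ET_EXEC && eh.e_type != ET_DYN)
        return -1;
    if (eh.e_phentsize != sizeof(Elf32_Phdr) || eh.e_phoff > len ||
        (size_t)eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf32_Phdr))
        return -1;
    memset(out, 0, sizeof *out);
    out->e_type = eh.e_type;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_INTERP)
            out->has_interp = true;
        if (ph.p_type != PT_LOAD)
            continue;
        uint32_t end = ph.p_vaddr + ph.p_memsz;
        if (end < ph.p_vaddr)      /* address wrap: treat as malformed */
            return -1;
        if (out->n_load == 0 || ph.p_vaddr < out->load_lo)
            out->load_lo = ph.p_vaddr;
        if (out->n_load == 0 || end > out->load_hi)
            out->load_hi = end;
        out->n_load++;
    }
    return 0;
}

/* Predicate before the fix: every INTERP-less binary, ET_EXEC included,
 * had its brk moved to ELF_ET_DYN_BASE (CONFIG_ARCH_HAS_ELF_RANDOMIZE assumed on). */
bool brk_moved_before_fix(const struct elf_info *info)
{
    return !info->has_interp;
}

/* Predicate after the fix: only an INTERP-less ET_DYN moves its brk. */
bool brk_moved_after_fix(const struct elf_info *info)
{
    return info->e_type == ET_DYN && !info->has_interp;
}

/* Would a brk placed at 'base' land inside the image's PT_LOAD range? */
bool brk_collides_with_image(const struct elf_info *info, uint32_t base)
{
    return info->n_load > 0 && base >= info->load_lo && base < info->load_hi;
}

/* Build a constructed 32-bit ELF image with one PT_LOAD segment and an
 * optional PT_INTERP header (no path bytes; only the header matters here).
 * Returns the image size, or 0 if the buffer is too small. */
size_t build_elf32(unsigned char *buf, size_t cap, uint16_t type, bool interp,
                   uint32_t vaddr, uint32_t memsz)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph[2];
    unsigned n = interp ? 2 : 1;
    size_t total = sizeof eh + n * sizeof ph[0];
    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = type;
    eh.e_machine = EM_386;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph[0];
    eh.e_phnum = n;
    memset(ph, 0, sizeof ph);
    ph[0].p_type = PT_LOAD;
    ph[0].p_vaddr = vaddr;
    ph[0].p_memsz = memsz;
    ph[0].p_flags = PF_R | PF_X;
    if (interp)
        ph[1].p_type = PT_INTERP;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, n * sizeof ph[0]);
    return total;
}

int main(void)
{
    /* Constructed scenario: a large static ET_EXEC linked at 0x08048000 whose
     * image spans past 0x80000000. The base is an illustrative placeholder. */
    unsigned char buf[256];
    struct elf_info info;
    size_t n = build_elf32(buf, sizeof buf, ET_EXEC, false, 0x08048000u, 0x78000000u);
    if (n == 0 || parse_elf32(buf, n, &info) != 0)
        return 1;
    printf("static ET_EXEC: moved before fix=%d, after fix=%d, collides=%d\n",
           brk_moved_before_fix(&info), brk_moved_after_fix(&info),
           brk_collides_with_image(&info, 0x80000000u));
    return 0;
}
```

Pointing `parse_elf32` at the bytes of a real 32-bit binary (read from disk) gives the same classification for a practitioner checking which of their binaries fell under the old condition: any static ET_EXEC reports "moved before fix" but not "after fix".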