Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp4068837pxb; Mon, 4 Oct 2021 16:42:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx0Z3tisCKURWmzJ85M/fVtP7THcgMNa6PKjLd2Csbxy1FcC+bBP4Q7At/BnWyeB9jw+xgs X-Received: by 2002:a17:906:3745:: with SMTP id e5mr20432515ejc.400.1633390956728; Mon, 04 Oct 2021 16:42:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633390956; cv=none; d=google.com; s=arc-20160816; b=rDIdqWEwGF8+eSaUHfiPwObNbM4Fdy33b0ySsUutxOv9EA830GLdHAm1NekUDiGmJj v35iYyv6vCCExDdx55OOuMjJutHD1HXK6/1XXSjmZ9slCos3VgzMduKlpx1PyuQKjSRS /YDGRITL5pMnXIyFsjKOm+N7nXn3vwDPpUTS1EXAXVnewNXJJoQ70mwFB4rja2AOWrHG UAivbKhgefm1IJKOEw0jYjC8IbAxsTT3eZGare7P5jWqoR4yQSOJr3zPjn+R0FRLNXxZ /mORiYG0kbvcECK/Rm+ztNfxC6O7sfO2H4QL07fsdC8nWJA9kS6GJffckAZgkbRT0p5q DJRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=d6Gq2wxjvSc42T6HpCo3o9gtXEpVvUYCVOoy839gL24=; b=0Nz5pu2SXoHfq5+upQdxesgb8qpFLhYOyYwySm5bb+AJhKOzaTOEyZGBSjVdutDpsh zGt5SUkQ8DUntTvPfNj+XeJ6LpYXHJSXuM10+85pHFgOQoltvAhJpt67GJIb3VF8L/wi v0tBaojF+CVdqO29JLHswtxbK0Q8biVXvHnLlgDURHYCxTsavnFNyrGnYICTWS9eDCho aboRg+P91sP870IbU/BLZr1vBnHd+KzuLK0LRbKySVnSnfpv2pzsRkrFqX2ulgga7aJP rEjIK0YkWqZUkzxMo9X+sMs5Ml7GrpWgrrbzH9B2jHyUwvf+wjalhnqHCP6lX4ixOEBH b8Ww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Q29MVoEb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 24si19119002ejg.618.2021.10.04.16.42.12; Mon, 04 Oct 2021 16:42:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Q29MVoEb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235469AbhJDUB7 (ORCPT + 99 others); Mon, 4 Oct 2021 16:01:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44206 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235313AbhJDUB6 (ORCPT ); Mon, 4 Oct 2021 16:01:58 -0400 Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3926C061749 for ; Mon, 4 Oct 2021 13:00:08 -0700 (PDT) Received: by mail-pg1-x535.google.com with SMTP id 133so17645082pgb.1 for ; Mon, 04 Oct 2021 13:00:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=d6Gq2wxjvSc42T6HpCo3o9gtXEpVvUYCVOoy839gL24=; b=Q29MVoEbK058uA4FsGGNoPe+IOo7qmxdWzqpwz6WQd9MZ9CL78KY7ipweYpC5KArK4 NbKLZGcLMUfO6LkqrmVXaVxPnMZIAjsmQ/AXuNQusOC9b3ycPTZAEnhLKqcrBDb2QcBR 6bgRBMdrZfDvxMDI0/0ObsuJjy6KM8sDJtXsY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=d6Gq2wxjvSc42T6HpCo3o9gtXEpVvUYCVOoy839gL24=; b=i3N6pW4HSqMoL2bAfE+I22I++j1ybgc08HlG0UV5g0v6wT4UJUX093IFLD/gaPOawA AgwQV3lhqv3XHzVrQn7nfW3bTPgGqZQSNmkTgD4R2KoBIhT2iJQRHqy5z80dZFqyp2bA 0iegLDsZVi7JlDDFf+19sHG7rWwWfLnbtcjcuwc6VnokgqjWwSI4eSGQIneym0IO4pMX pu/m6lH83Vd+WvaXyD/VPX6jXDAYGKoRBWTu05Zs4U39DOqenu5P4/fgN8NrEWSacxk1 SbjYLJowLmK/ZiQ+FA2ZBsjSRuLtMow3SZjk+EUh883MT8V5kQQD7qu86u7neFwg8LNu gjWQ== X-Gm-Message-State: AOAM531c6/Wou1Cp525VlvbEmGstszp6sTPydKNoO9qZoWmbqXwEbV8S zW+f5P7c22ogPAxESHTOzKUeBg== X-Received: by 2002:a05:6a00:2d0:b0:446:d18c:9aac with SMTP id b16-20020a056a0002d000b00446d18c9aacmr26961304pft.16.1633377608295; Mon, 04 Oct 2021 13:00:08 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id t6sm15398944pfh.63.2021.10.04.13.00.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Oct 2021 13:00:07 -0700 (PDT) Date: Mon, 4 Oct 2021 13:00:07 -0700 From: Kees Cook To: Chen Jingwen Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Alexander Viro , Michal Hocko , Andrei Vagin , Khalid Aziz , Michael Ellerman , Andrew Morton , Linus Torvalds Subject: Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings Message-ID: <202110041255.83A6616D9@keescook> References: <20210928125657.153293-1-chenjingwen6@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210928125657.153293-1-chenjingwen6@huawei.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 28, 2021 at 08:56:57PM +0800, Chen Jingwen wrote: > In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings") > we still leave MAP_FIXED_NOREPLACE in place for load_elf_interp. > Unfortunately, this will cause kernel to fail to start with > > [ 2.384321] 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already > [ 2.386240] Failed to execute /init (error -17) > I guess you mean "init" fails to start (but yes, same result). > The reason is that the elf interpreter (ld.so) has overlapping segments. Ewww. What toolchain generated this (and what caused it to just start happening)? (This was added in v4.17; it's been 3 years.) > > readelf -l ld-2.31.so > Program Headers: > Type Offset VirtAddr PhysAddr > FileSiz MemSiz Flags Align > LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 > 0x000000000002c94c 0x000000000002c94c R E 0x10000 > LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0 > 0x00000000000021e8 0x0000000000002320 RW 0x10000 > LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00 > 0x00000000000011ac 0x0000000000001328 RW 0x10000 > > The reason for this problem is the same as described in > commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments"). > Not only executable binaries, elf interpreters (e.g. ld.so) can have > overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go > back to MAP_FIXED in load_elf_interp. We could also just expand the logic that fixed[1] this for ELF, yes? Andrew, are you able to pick up [1], BTW? It seems to have fallen through the cracks. [1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u > > Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") > Cc: # v4.19 > Signed-off-by: Chen Jingwen > --- > fs/binfmt_elf.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index 69d900a8473d..a813b70f594e 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -630,7 +630,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, > > vaddr = eppnt->p_vaddr; > if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) > - elf_type |= MAP_FIXED_NOREPLACE; > + elf_type |= MAP_FIXED; > else if (no_base && interp_elf_ex->e_type == ET_DYN) > load_addr = -vaddr; -- Kees Cook