Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D40D6C433F5 for ; Mon, 13 Dec 2021 16:41:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240958AbhLMQlB (ORCPT ); Mon, 13 Dec 2021 11:41:01 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:50190 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240928AbhLMQk5 (ORCPT ); Mon, 13 Dec 2021 11:40:57 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]:52960) by out01.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1mwoNj-007PXD-Gq; Mon, 13 Dec 2021 09:40:55 -0700 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95]:42090 helo=email.froward.int.ebiederm.org.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1mwoNh-00BUaK-Kn; Mon, 13 Dec 2021 09:40:55 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: "H.J. Lu" Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Andrew Morton , Alexey Dobriyan References: <20211212204043.231568-1-hjl.tools@gmail.com> Date: Mon, 13 Dec 2021 10:40:47 -0600 In-Reply-To: <20211212204043.231568-1-hjl.tools@gmail.com> (H. J. Lu's message of "Sun, 12 Dec 2021 12:40:43 -0800") Message-ID: <87wnk8xxtc.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1mwoNh-00BUaK-Kn;;;mid=<87wnk8xxtc.fsf@email.froward.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19pbTH4z+6uLN0ot5gSwteXaqMMOjqQ5Pc= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v2] fs/binfmt_elf.c: disallow invalid entry point address X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org "H.J. Lu" writes: > On Linux, the start of the first PT_LOAD segment is the ELF header and > the address 0 points to the ELF magic bytes. Update the ELF loader to > disallow ELF binaries with entry point address smaller than the ELF > header size. I kind of get why that was suggested but there is most definitely no requirement for the program headers to be loaded let alone be at any particular virtual address. We could be talking about a static elf binary. > This fixes: > > https://bugzilla.kernel.org/show_bug.cgi?id=215303 > > Tested by booting Fedora 35 and running a shared library with invalid > entry point address: > > $ readelf -h load.so | grep "Entry point address:" > Entry point address: 0x4 > $ ./load.so > bash: ./load.so: cannot execute binary file: Exec format error > $ Is the point of this keeping shared libraries from executing? What is gained by this patch? Eric > Signed-off-by: H.J. Lu > --- > fs/binfmt_elf.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index bd78587194dc..7f035022131b 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -850,6 +850,8 @@ static int load_elf_binary(struct linux_binprm *bprm) > > if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN) > goto out; > + if (elf_ex->e_entry < sizeof(*elf_ex)) > + goto out; > if (!elf_check_arch(elf_ex)) > goto out; > if (elf_check_fdpic(elf_ex))