Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5271863pxb;
        Wed, 26 Jan 2022 08:20:28 -0800 (PST)
X-Google-Smtp-Source: ABdhPJx1gIq47dDj2zu14X59TcP6bECwvQArHy4IfxQYwhPNgIBvbBZdIL/a2R7B4aJqhldgZqpX
X-Received: by 2002:a05:6402:490:: with SMTP id k16mr26226036edv.99.1643214027702;
        Wed, 26 Jan 2022 08:20:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643214027; cv=none;
        d=google.com; s=arc-20160816;
        b=NQoANK9j5lDnmWQ4TU8w80BlRxpMa07Ea7n32rxEI/x1XSplIWe1oH2oOeEoZIZO1O
         Nln83WVgmJKM9q/GfIqI2NhgGQgjgCsOMtRX1aZobiZtZr4KU2KEsFzRKGwlu3d7Oqjs
         0BxP9PElc6ocfpe3wBGmLQSXEuQKxWK+/E+1/F3OwymqRkSZN5vJ+2UKXQ/HZvcxclGG
         iHGWh3UAj7CjKUoUUTTn5eU17WLrCk6+dxWvUMWt21XJG57ZdhvRD214UJwciGK/BI+O
         BoFgC7gDe2tkcUeDILciMjVm4Q3mU+kiRGwE/GDdHEXNIxJfv81k4N7WdbdrpgQXLaL2
         gzkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=I3RC1pvj5eN/eY23rSAiJ3humqZ0lwYSWOtpC61NHQI=;
        b=aDC9LZbldp46grgEv0Ia+A61hrJOryIQrJw76Oj8yMTa15E3zYtVO+SoKyLdH2hYsP
         dnlyiMWJEnPWCy3ptePrBx479B63ZFhCi5VLLFnIvT6h6F5HsWLKm1H3O8HuYw61H8Ly
         m8v3e+hXAdtX3FWNQeLUrJBS1OHKXRdkOWRz+EGHy86URj3dGMFokGCTtn1/rd5TfX55
         ICuvWkHh9WP7vLqgq0/ewMneyzOT7Sk/DO/qhkNMBd//FwBqj/YoLFresIlRotgPus3Q
         ya+b/6mi+zHp0Xco+6Jjxw5iDH+pS2vZ6zctqMYDbNnOtHwJqVcjJziJrKap71ibqUoL
         cHNg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=jNTeFwL6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ds7si2216386ejc.603.2022.01.26.08.19.53;
        Wed, 26 Jan 2022 08:20:27 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=jNTeFwL6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236695AbiAZC6E (ORCPT <rfc822;sshegde.linux@gmail.com>
        + 99 others); Tue, 25 Jan 2022 21:58:04 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40098 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236678AbiAZC55 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 25 Jan 2022 21:57:57 -0500
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E7CA8C06173B
        for <linux-kernel@vger.kernel.org>; Tue, 25 Jan 2022 18:57:56 -0800 (PST)
Received: by mail-wm1-x32c.google.com with SMTP id r2-20020a1c2b02000000b0034f7b261169so3250332wmr.2
        for <linux-kernel@vger.kernel.org>; Tue, 25 Jan 2022 18:57:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=I3RC1pvj5eN/eY23rSAiJ3humqZ0lwYSWOtpC61NHQI=;
        b=jNTeFwL67cZoQTfL3CTPUUXmJbZg+PHlJvFqPCm0VSiIy4Ozn/cx9HduX35l3iaCRd
         Zo+UDxBmr4tJC4w19s5OKN/VJxGN5IjAdBCs4+At9DRJ5GA+UZFeGElYc/4eGUeAizeX
         hZ1xjYN+Cf7Hb8VWADmJ3foDDldJgAtAWC1vn/drBnOWEdu7ev7wUoDWf2pYO2NDZRGa
         uBJg3mskxFEhifHLRnm494Lgux5MeV0i2UBE2cziBg2guvSj2CbmANfX5ZaVfCZtRmqG
         OXoVCnyOl72igibDQKEjwTgIh9bGwFkToE3bOPnznnNsxyeJJgcQYV19e4be+IYkAIo+
         OXPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=I3RC1pvj5eN/eY23rSAiJ3humqZ0lwYSWOtpC61NHQI=;
        b=WVuJRKC63ePIZ7iWiCBSyXvifhpf0fKpG2UCvTfCf/ldbTRDIDbagCDaCUNEFq9A3K
         8wOySXZlOmBpMYlNsWGdrg2eAM23conMlkYULLZQ+V7qJl1fLxgYkmU81AQdTyHGWytI
         e5GLQ7pOL7RaLOUIahEY/iV9dTBT+nCgP3/h/YPD5BDIzAmjf1sWpQbJMjWOlOQ2XcP4
         GChlfESxl0t3GYLuvzppYdULdIXKaUbyDpNgWn060KjzcSZD8GTYWDaWSaJIcqPEGs5r
         ApaB8F4VqH93GbbTxKIDNoQj8sPrNkkDj4XBTqBXNBmweRfbBip8b9zfrtqN4NgMiTG9
         oBbQ==
X-Gm-Message-State: AOAM533iyO0/9GWfagFduWPZqSJv/FQdq4Yt3fEhaYBsuYwcGUiieHa9
        VwWRj2DWqzxvzdoQYhk03OIxIg==
X-Received: by 2002:a05:600c:4101:: with SMTP id j1mr5355624wmi.28.1643165875272;
        Tue, 25 Jan 2022 18:57:55 -0800 (PST)
Received: from localhost ([2a02:168:96c5:1:55ed:514f:6ad7:5bcc])
        by smtp.gmail.com with ESMTPSA id y2sm1797168wmj.13.2022.01.25.18.57.54
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Jan 2022 18:57:54 -0800 (PST)
From:   Jann Horn <jannh@google.com>
To:     Andrew Morton <akpm@linux-foundation.org>
Cc:     linux-kernel@vger.kernel.org,
        Bill Messmer <wmessmer@microsoft.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Randy Dunlap <rdunlap@infradead.org>,
        Jann Horn <jannh@google.com>, stable@vger.kernel.org
Subject: [PATCH] coredump: Also dump first pages of non-executable ELF libraries
Date:   Wed, 26 Jan 2022 03:57:39 +0100
Message-Id: <20220126025739.2014888-1-jannh@google.com>
X-Mailer: git-send-email 2.35.0.rc0.227.g00780c9af4-goog
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When I rewrote the VMA dumping logic for coredumps, I changed it to
recognize ELF library mappings based on the file being executable instead
of the mapping having an ELF header. But turns out, distros ship many ELF
libraries as non-executable, so the heuristic goes wrong...

Restore the old behavior where FILTER(ELF_HEADERS) dumps the first page of
any offset-0 readable mapping that starts with the ELF magic.

This fix is technically layer-breaking a bit, because it checks for
something ELF-specific in fs/coredump.c; but since we probably want to
share this between standard ELF and FDPIC ELF anyway, I guess it's fine?
And this also keeps the change small for backporting.

Cc: stable@vger.kernel.org
Fixes: 429a22e776a2 ("coredump: rework elf/elf_fdpic vma_dump_size() into c=
ommon helper")
Reported-by: Bill Messmer <wmessmer@microsoft.com>
Signed-off-by: Jann Horn <jannh@google.com>
---

@Bill: If you happen to have a kernel tree lying around, you could give
this a try and report back whether this solves your issues?
But if not, it's also fine, I've tested myself that with this patch
applied, the first 0x1000 bytes of non-executable libraries are dumped
into the coredump according to "readelf".

 fs/coredump.c | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/fs/coredump.c b/fs/coredump.c
index 1c060c0a2d72..b73817712dd2 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -42,6 +42,7 @@
 #include <linux/path.h>
 #include <linux/timekeeping.h>
 #include <linux/sysctl.h>
+#include <linux/elf.h>
=20
 #include <linux/uaccess.h>
 #include <asm/mmu_context.h>
@@ -980,6 +981,8 @@ static bool always_dump_vma(struct vm_area_struct *vma)
 	return false;
 }
=20
+#define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1
+
 /*
  * Decide how much of @vma's contents should be included in a core dump.
  */
@@ -1039,9 +1042,20 @@ static unsigned long vma_dump_size(struct vm_area_st=
ruct *vma,
 	 * dump the first page to aid in determining what was mapped here.
 	 */
 	if (FILTER(ELF_HEADERS) &&
-	    vma->vm_pgoff =3D=3D 0 && (vma->vm_flags & VM_READ) &&
-	    (READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) !=3D 0)
-		return PAGE_SIZE;
+	    vma->vm_pgoff =3D=3D 0 && (vma->vm_flags & VM_READ)) {
+		if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) !=3D 0)
+			return PAGE_SIZE;
+
+		/*
+		 * ELF libraries aren't always executable.
+		 * We'll want to check whether the mapping starts with the ELF
+		 * magic, but not now - we're holding the mmap lock,
+		 * so copy_from_user() doesn't work here.
+		 * Use a placeholder instead, and fix it up later in
+		 * dump_vma_snapshot().
+		 */
+		return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER;
+	}
=20
 #undef	FILTER
=20
@@ -1116,8 +1130,6 @@ int dump_vma_snapshot(struct coredump_params *cprm, i=
nt *vma_count,
 		m->end =3D vma->vm_end;
 		m->flags =3D vma->vm_flags;
 		m->dump_size =3D vma_dump_size(vma, cprm->mm_flags);
-
-		vma_data_size +=3D m->dump_size;
 	}
=20
 	mmap_write_unlock(mm);
@@ -1127,6 +1139,23 @@ int dump_vma_snapshot(struct coredump_params *cprm, =
int *vma_count,
 		return -EFAULT;
 	}
=20
+	for (i =3D 0; i < *vma_count; i++) {
+		struct core_vma_metadata *m =3D (*vma_meta) + i;
+
+		if (m->dump_size =3D=3D DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) {
+			char elfmag[SELFMAG];
+
+			if (copy_from_user(elfmag, (void __user *)m->start, SELFMAG) ||
+					memcmp(elfmag, ELFMAG, SELFMAG) !=3D 0) {
+				m->dump_size =3D 0;
+			} else {
+				m->dump_size =3D PAGE_SIZE;
+			}
+		}
+
+		vma_data_size +=3D m->dump_size;
+	}
+
 	*vma_data_size_ptr =3D vma_data_size;
 	return 0;
 }

base-commit: 0280e3c58f92b2fe0e8fbbdf8d386449168de4a8
--=20
2.35.0.rc0.227.g00780c9af4-goog