Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp3895422pxm; Tue, 1 Mar 2022 07:26:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJySHeSASG0+F+6j+AtBuz0rupkP2ypjPaY5tDk23u2us7rAUl3DddzP15kWl1Ke/rG3nNba X-Received: by 2002:a05:6402:23a1:b0:413:f930:b3c5 with SMTP id j33-20020a05640223a100b00413f930b3c5mr4477157eda.30.1646148364607; Tue, 01 Mar 2022 07:26:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646148364; cv=none; d=google.com; s=arc-20160816; b=FVgePgEAB+klh6Q8jf/6VeVFUzg5+pcaakuTQx9Sq/zfD4tLflPCadm/bMoISMo9J9 CXx6el1Jm9mjv/S+PLAd6bLUnTw18VFV9/IKjTHT4e+kocz/L1PpRDQNS9vrToo98yA7 xAqfsz/h0xZFp5fIzH2DFIXSOsoqr7+oqGisBeI3XN3abS1857temu9+cgfPq9CEh+1/ 40xUcFhQkTgcV3DzJhsBsSsds+dDbMDW6U+bbTReg9Xfe8soDXK69sUJphftlJRZ19Lg EUpCiGSh/49+8gmN7JeVPOg/ys5x8UXsEvva3eZmtMEr2G1D+qYAt0i2cIcy63HL+bmi 1k2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=77r24lIMhens/jfYqF/BfWUrccSyyEF9QG0+9zIjwhU=; b=WXRbG9rS+49j7iebZbsz1X0G0egw40uJL9hdyQ8xtADOEZV34rKKrvW3h54WV+v/OA sguBls3zNgE8g15oBQyJpqpYm5gjfKlCzrdzyJ0aRjptv97cqHGvZNlYVyDo9pF0ZWkI 3lNhqGj9zh3kvE/ApsW4LwB3vjfLGnIL13AJiARsvDdjWoHiSqK0DDBk7hBf5bL/E3Xh esOsVq3pWTmiVWcLvxq79VJeeETNrUB7j/bNip8Et0h4giEhgDRfnPh/ACd92VW5IDJ/ y0Enz80V9l5MD5nRjdjEGRR4wHhAlezyp3L69ddjeYTeMNRcm9aSrwkkbHXf8krN4wq8 am6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ky7-20020a170907778700b006cf9ccc9505si7949033ejc.40.2022.03.01.07.25.40; Tue, 01 Mar 2022 07:26:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233862AbiCAMhT (ORCPT + 99 others); Tue, 1 Mar 2022 07:37:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33290 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232437AbiCAMhR (ORCPT ); Tue, 1 Mar 2022 07:37:17 -0500 Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 983B697BBF; Tue, 1 Mar 2022 04:36:36 -0800 (PST) Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.94) with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (envelope-from ) id 1nP1jk-003IcG-9v; Tue, 01 Mar 2022 13:36:16 +0100 Received: from suse-laptop.physik.fu-berlin.de ([160.45.32.140]) by inpost2.zedat.fu-berlin.de (Exim 4.94) with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (envelope-from ) id 1nP1jk-001HI7-3q; Tue, 01 Mar 2022 13:36:16 +0100 Message-ID: <49182d0d-708b-4029-da5f-bc18603440a6@physik.fu-berlin.de> Date: Tue, 1 Mar 2022 13:36:15 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1 Subject: Re: [PATCH 5.16 v2] binfmt_elf: Avoid total_mapping_size for ET_EXEC Content-Language: en-US To: Kees Cook , matoro Cc: Alexander Viro , Eric Biederman , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, stable@vger.kernel.org, =?UTF-8?Q?Magnus_Gro=c3=9f?= , Thorsten Leemhuis , Anthony Yznaga , Andrew Morton , regressions@lists.linux.dev, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org References: <20220228205518.1265798-1-keescook@chromium.org> From: John Paul Adrian Glaubitz In-Reply-To: <20220228205518.1265798-1-keescook@chromium.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Original-Sender: glaubitz@physik.fu-berlin.de X-Originating-IP: 160.45.32.140 X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello! On 2/28/22 21:55, Kees Cook wrote: > Partially revert commit 5f501d555653 ("binfmt_elf: reintroduce using > MAP_FIXED_NOREPLACE"). > > At least ia64 has ET_EXEC PT_LOAD segments that are not virtual-address > contiguous (but _are_ file-offset contiguous). This would result in > giant mapping attempts to cover the entire span, including the virtual > address range hole. Disable total_mapping_size for ET_EXEC, which > reduces the MAP_FIXED_NOREPLACE coverage to only the first PT_LOAD: > > $ readelf -lW /usr/bin/gcc > ... > Program Headers: > Type Offset VirtAddr PhysAddr FileSiz MemSiz ... > ... > LOAD 0x000000 0x4000000000000000 0x4000000000000000 0x00b5a0 0x00b5a0 ... > LOAD 0x00b5a0 0x600000000000b5a0 0x600000000000b5a0 0x0005ac 0x000710 ... > ... > ^^^^^^^^ ^^^^^^^^^^^^^^^^^^ ^^^^^^^^ ^^^^^^^^ > > File offset range : 0x000000-0x00bb4c > 0x00bb4c bytes > > Virtual address range : 0x4000000000000000-0x600000000000bcb0 > 0x200000000000bcb0 bytes > > Ironically, this is the reverse of the problem that originally caused > problems with ET_EXEC and MAP_FIXED_NOREPLACE: overlaps. This problem is > with holes. Future work could restore full coverage if load_elf_binary() > were to perform mappings in a separate phase from the loading (where > it could resolve both overlaps and holes). > > Cc: Alexander Viro > Cc: Eric Biederman > Cc: linux-fsdevel@vger.kernel.org > Cc: linux-mm@kvack.org > Reported-by: matoro > Reported-by: John Paul Adrian Glaubitz > Fixes: 5f501d555653 ("binfmt_elf: reintroduce using MAP_FIXED_NOREPLACE") > Link: https://lore.kernel.org/r/a3edd529-c42d-3b09-135c-7e98a15b150f@leemhuis.info > Cc: stable@vger.kernel.org > Signed-off-by: Kees Cook > --- > Here's the v5.16 backport. > --- > fs/binfmt_elf.c | 25 ++++++++++++++++++------- > 1 file changed, 18 insertions(+), 7 deletions(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index f8c7f26f1fbb..911a9e7044f4 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -1135,14 +1135,25 @@ static int load_elf_binary(struct linux_binprm *bprm) > * is then page aligned. > */ > load_bias = ELF_PAGESTART(load_bias - vaddr); > - } > > - /* > - * Calculate the entire size of the ELF mapping (total_size). > - * (Note that load_addr_set is set to true later once the > - * initial mapping is performed.) > - */ > - if (!load_addr_set) { > + /* > + * Calculate the entire size of the ELF mapping > + * (total_size), used for the initial mapping, > + * due to first_pt_load which is set to false later > + * once the initial mapping is performed. > + * > + * Note that this is only sensible when the LOAD > + * segments are contiguous (or overlapping). If > + * used for LOADs that are far apart, this would > + * cause the holes between LOADs to be mapped, > + * running the risk of having the mapping fail, > + * as it would be larger than the ELF file itself. > + * > + * As a result, only ET_DYN does this, since > + * some ET_EXEC (e.g. ia64) may have virtual > + * memory holes between LOADs. > + * > + */ > total_size = total_mapping_size(elf_phdata, > elf_ex->e_phnum); > if (!total_size) { I can confirm that this patch fixes the issue for me. Tested-By: John Paul Adrian Glaubitz Thanks, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaubitz@debian.org `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913