From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bill Messmer, Jann Horn, Kees Cook
Subject: [PATCH 5.15 131/913] coredump: Also dump first pages of non-executable ELF libraries
Date: Tue, 5 Apr 2022 09:19:53 +0200
Message-Id: <20220405070343.758405377@linuxfoundation.org>
In-Reply-To: <20220405070339.801210740@linuxfoundation.org>
References: <20220405070339.801210740@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
User-Agent: quilt/0.66
X-Mailing-List: linux-kernel@vger.kernel.org
From: Jann Horn commit 84158b7f6a0624b81800b4e7c90f7fb7fdecf66c upstream. When I rewrote the VMA dumping logic for coredumps, I changed it to recognize ELF library mappings based on the file being executable instead of the mapping having an ELF header. But turns out, distros ship many ELF libraries as non-executable, so the heuristic goes wrong... Restore the old behavior where FILTER(ELF_HEADERS) dumps the first page of any offset-0 readable mapping that starts with the ELF magic. This fix is technically layer-breaking a bit, because it checks for something ELF-specific in fs/coredump.c; but since we probably want to share this between standard ELF and FDPIC ELF anyway, I guess it's fine? And this also keeps the change small for backporting. Cc: stable@vger.kernel.org Fixes: 429a22e776a2 ("coredump: rework elf/elf_fdpic vma_dump_size() into common helper") Reported-by: Bill Messmer Signed-off-by: Jann Horn Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220126025739.2014888-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman --- fs/coredump.c | 39 ++++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) --- a/fs/coredump.c +++ b/fs/coredump.c @@ -41,6 +41,7 @@ #include #include #include +#include #include #include @@ -992,6 +993,8 @@ static bool always_dump_vma(struct vm_ar return false; } +#define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1 + /* * Decide how much of @vma's contents should be included in a core dump. */ 
@@ -1051,9 +1054,20 @@ static unsigned long vma_dump_size(struc * dump the first page to aid in determining what was mapped here. */ if (FILTER(ELF_HEADERS) && - vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ) && - (READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0) - return PAGE_SIZE; + vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) { + if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0) + return PAGE_SIZE; + + /* + * ELF libraries aren't always executable. + * We'll want to check whether the mapping starts with the ELF + * magic, but not now - we're holding the mmap lock, + * so copy_from_user() doesn't work here. + * Use a placeholder instead, and fix it up later in + * dump_vma_snapshot(). + */ + return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER; + } #undef FILTER @@ -1128,8 +1142,6 @@ int dump_vma_snapshot(struct coredump_pa m->end = vma->vm_end; m->flags = vma->vm_flags; m->dump_size = vma_dump_size(vma, cprm->mm_flags); - - vma_data_size += m->dump_size; } mmap_write_unlock(mm); @@ -1139,6 +1151,23 @@ int dump_vma_snapshot(struct coredump_pa return -EFAULT; } + for (i = 0; i < *vma_count; i++) { + struct core_vma_metadata *m = (*vma_meta) + i; + + if (m->dump_size == DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) { + char elfmag[SELFMAG]; + + if (copy_from_user(elfmag, (void __user *)m->start, SELFMAG) || + memcmp(elfmag, ELFMAG, SELFMAG) != 0) { + m->dump_size = 0; + } else { + m->dump_size = PAGE_SIZE; + } + } + + vma_data_size += m->dump_size; + } + *vma_data_size_ptr = vma_data_size; return 0; }
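Review bot: the added `#include` in the first hunk (@@ -41,6 +41,7 @@) has lost its header name in this rendering, as have the surrounding include lines, so the hunk as shown cannot be checked for which header supplies the SELFMAG and ELFMAG constants that the last hunk uses in dump_vma_snapshot(). When applying this to 5.15, compare the include against the upstream commit named in the message (84158b7f6a0624b81800b4e7c90f7fb7fdecf66c) and confirm it is the header that defines the ELF magic, since the new memcmp() against ELFMAG will not compile without it.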
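Review bot: DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER in the second hunk (@@ -992,6 +993,8 @@) is an in-band sentinel stored in the same dump_size field as real byte counts. That is only safe because every genuine value vma_dump_size() returns is either 0 or page-sized, and only as long as nothing reads m->dump_size between vma_dump_size() and the fix-up loop added to dump_vma_snapshot(). Suggest stating both invariants in a comment on the define, e.g. `/* Not a valid dump size (real sizes are 0 or page-aligned); resolved in dump_vma_snapshot() */`, so a future caller of vma_dump_size() does not mistake the value 1 for a length.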
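Review bot: in the vma_dump_size() hunk (@@ -1051,9 +1054,20 @@) the new inner branch returns the placeholder for every readable, offset-0, non-executable file mapping that reaches this point, not only for likely libraries, so the deferred user-space read in dump_vma_snapshot() now happens once per such mapping; that is correct, but worth a sentence in the comment. The comment's "copy_from_user() doesn't work here" would also be clearer if it gave the reason, which is that the caller holds the mmap lock and a page fault taken by copy_from_user() would need to take it again. The executable-file case still returns PAGE_SIZE without any magic check, so behaviour for files with the execute bit set is unchanged by this patch.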
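Review bot: the hunk at @@ -1128,8 +1142,6 @@ drops the `vma_data_size += m->dump_size;` accumulation from the loop that runs under the mmap lock, which is only correct because the new loop in the following hunk walks exactly the same *vma_count entries and accumulates there. Confirm vma_data_size is still initialised to 0 at its declaration, since its first write now happens after mmap_write_unlock(), and that no early-return path between the two loops reports the total.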
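Review bot: the fix-up loop in the last hunk (@@ -1139,6 +1151,23 @@) calls copy_from_user() on m->start after mmap_write_unlock(), which only works on the assumption that the other threads of this mm have already been stopped for the dump so the mapping cannot change underneath it; a comment saying the read is deferred to here precisely because the lock has been dropped and the threads are quiescent would make that dependency explicit. On the failure path a mapping whose first bytes cannot be read is demoted to dump_size 0 rather than PAGE_SIZE, which is the conservative choice and matches the old behaviour for non-ELF files. Minor: `char elfmag[SELFMAG]` is sized by the same constant passed to copy_from_user() and memcmp(), good, and the loop reuses the function's existing index `i`, so it must not be redeclared in the block.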