Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp36971rdb; Fri, 29 Sep 2023 15:50:39 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHJcK3hqm8OTHocrrVPjHpS9ohFxqPLTFycaB1+VbEFIkhD+4gNixR0gPkYuNFm6q2HGpxy X-Received: by 2002:a05:6a20:3249:b0:161:afbc:c02f with SMTP id hm9-20020a056a20324900b00161afbcc02fmr5021888pzc.54.1696027839448; Fri, 29 Sep 2023 15:50:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696027839; cv=none; d=google.com; s=arc-20160816; b=Ol4Qk4iWlgiMUj1SxtffUJ/Pvo5DcWHJ8oFdHyXhpEU8DJ9MZ+YjlfigpSYKlyVRoi gHGM2m0Ea3IYom6VeaSX3ThZcC9Kp9vx/RY5mtJXKKo9td7EecGdM8v3lcLNdeNnNoCY VDRMVSWtvPmZr9WK7fMvvmW0rkSjUmeXce6oIiwf8+lV6vvPhbTl0dRcYxVFQfgkGcnF 2okB8MOGgvOwWO+Q5pAOyjyuPbHAiVLV0vd1ghVszcvYKrYD53mrrPjUq48iBoSVA3DZ BdGQLi7v9HqE2o2Qjid1Sai7Y/G7vLcQbUjlRRPcSbSKfvkFAQo7Z3W8+R+qe7dcqcRV JQ5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=WklKxHvJ4lWh9tljSeh/U+ySuT04KyfAmm6d+l7zSl4=; fh=P49wyMcCPciJnKm258ql3fYbIrD0rJ5hIbHtll9cPps=; b=UiRCmt5dNHPHKkCH55UJ16d2sHzGEeChSJTifKLrDfLIcEIZMXf9hWKJm7xeu5VDls 6za3nMb3aZmIW1W9ICPLbFSmEGEt+Nto8iYv3f3aaPl3cPHtNmjaMQZCNs7Tj6a3rmXM SVbVL6We82iqXuAY00J2BQkI7+lH4MChPXVjATNO/OqcMVy+n1KO/1bazlxgX/icAdMY uNegOQDE+OSsO55w6weGFLsZoM22BJ+SNqCmiGik0mTNRkb5dxvWFuaIjhw38SkwPric xGu52sNQgWcAd/5kqciC4F2sOqWLmCE4ul7ePGR8YBLTQnWjogIZ7Mu/zJzEdo062Kg2 ZQoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=CK3fGtVS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id n13-20020a65488d000000b00578a28df3e2si22495600pgs.816.2023.09.29.15.50.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Sep 2023 15:50:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=CK3fGtVS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 7799E802093E; Fri, 29 Sep 2023 05:07:04 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233151AbjI2MGx (ORCPT + 99 others); Fri, 29 Sep 2023 08:06:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233038AbjI2MGw (ORCPT ); Fri, 29 Sep 2023 08:06:52 -0400 Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 76E52193; Fri, 29 Sep 2023 05:06:50 -0700 (PDT) Received: by mail-ua1-x932.google.com with SMTP id a1e0cc1a2514c-7ae12c28776so2411162241.0; Fri, 29 Sep 2023 05:06:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695989209; x=1696594009; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=WklKxHvJ4lWh9tljSeh/U+ySuT04KyfAmm6d+l7zSl4=; b=CK3fGtVS2+Ej5iStNIV6ZP21iddjgppxLiPbxk76P1AtfGsOdzKwq9QkKJM5bpxl4d RH1DdnaW/wOUbi+kRMci6awoEA8PRSGrY+qfPCVx0I4qGEq5IXv+9+v1Sl6vEiTC0K0V 4r8g9gnvNRMxPBoyrSGRUQmyqAvDHuchyVOf7cVeK5Q2jIf60oa6jpx7zIxz6lo3EeZH BFR5OEBInl/0Zll3XpY0qTfBsIgf9x54h0iN8qkDxm/Is4STI2Gj31P4r+u/qseiGwYi /i93DhOrrLOwz/brccRGyfQ2sWBZNyVtR0VQCefim4wsEczs3Lzit+bNJYR9BMZlj9xD j0oA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695989209; x=1696594009; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WklKxHvJ4lWh9tljSeh/U+ySuT04KyfAmm6d+l7zSl4=; b=ABexkTOccNVmmzRwPjC+CXP1xc1J5Hw+JvjgmyZBpMymHLCbUZp3xrodw4tRdMNb40 9bNmGc37AoIHLwQPkSoUOEofWxVtw/u0q/QU9ZNHifhLxP/NoA/SfjnvuYcrWToD42p5 TkYn82ngoz2W90NcITDHEYmFNooFAV3bM7u8y+YEnZgsUfSN5ADVG4E0inylr3OJEIF6 Da8FpnWM7f14+9gK7zAboozx46uBLPsgmJq/hsWU5vDDbNxz71UqojiVnjnjz4/sJrJ2 qjdg02sWjJca7IdY5JXRJQvG94lzplpogZzfrorJR7UICZkqfxkLxgI5v7zZjY2NFaKe ZzKA== X-Gm-Message-State: AOJu0YyNsa/KDKEzqJSU2GYecSJ+BmAgEeIaJJKxLzQhAgo4gOx5CX5s mr0L60NtRTxySkAZ1o6thUecfk5XT6ffmohBDTc= X-Received: by 2002:a05:6102:d4:b0:452:94b8:2fe9 with SMTP id u20-20020a05610200d400b0045294b82fe9mr2992035vsp.21.1695989209499; Fri, 29 Sep 2023 05:06:49 -0700 (PDT) MIME-Version: 1.0 References: <20230929031716.it.155-kees@kernel.org> <20230929032435.2391507-1-keescook@chromium.org> In-Reply-To: <20230929032435.2391507-1-keescook@chromium.org> From: Pedro Falcato Date: Fri, 29 Sep 2023 13:06:38 +0100 Message-ID: Subject: Re: [PATCH v4 1/6] binfmt_elf: Support segments with 0 filesz and misaligned starts To: Kees Cook Cc: Eric Biederman , Sebastian Ott , =?UTF-8?Q?Thomas_Wei=C3=9Fschuh?= , Al Viro , Christian Brauner , Andrew Morton , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Fri, 29 Sep 2023 05:07:04 -0700 (PDT) On Fri, Sep 29, 2023 at 4:24=E2=80=AFAM Kees Cook w= rote: > > From: "Eric W. Biederman" > > Implement a helper elf_load() that wraps elf_map() and performs all > of the necessary work to ensure that when "memsz > filesz" the bytes > described by "memsz > filesz" are zeroed. > > An outstanding issue is if the first segment has filesz 0, and has a > randomized location. But that is the same as today. > > In this change I replaced an open coded padzero() that did not clear > all of the way to the end of the page, with padzero() that does. > > I also stopped checking the return of padzero() as there is at least > one known case where testing for failure is the wrong thing to do. > It looks like binfmt_elf_fdpic may have the proper set of tests > for when error handling can be safely completed. > > I found a couple of commits in the old history > https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git, > that look very interesting in understanding this code. > > commit 39b56d902bf3 ("[PATCH] binfmt_elf: clearing bss may fail") > commit c6e2227e4a3e ("[SPARC64]: Missing user access return value checks = in fs/binfmt_elf.c and fs/compat.c") > commit 5bf3be033f50 ("v2.4.10.1 -> v2.4.10.2") > > Looking at commit 39b56d902bf3 ("[PATCH] binfmt_elf: clearing bss may fai= l"): > > commit 39b56d902bf35241e7cba6cc30b828ed937175ad > > Author: Pavel Machek > > Date: Wed Feb 9 22:40:30 2005 -0800 > > > > [PATCH] binfmt_elf: clearing bss may fail > > > > So we discover that Borland's Kylix application builder emits weird= elf > > files which describe a non-writeable bss segment. > > > > So remove the clear_user() check at the place where we zero out the= bss. I > > don't _think_ there are any security implications here (plus we've = never > > checked that clear_user() return value, so whoops if it is a proble= m). > > > > Signed-off-by: Pavel Machek > > Signed-off-by: Andrew Morton > > Signed-off-by: Linus Torvalds > > It seems pretty clear that binfmt_elf_fdpic with skipping clear_user() fo= r > non-writable segments and otherwise calling clear_user(), aka padzero(), > and checking it's return code is the right thing to do. > > I just skipped the error checking as that avoids breaking things. > > And notably, it looks like Borland's Kylix died in 2005 so it might be > safe to just consider read-only segments with memsz > filesz an error. > > Reported-by: Sebastian Ott > Reported-by: Thomas Wei=C3=9Fschuh > Closes: https://lkml.kernel.org/r/20230914-bss-alloc-v1-1-78de67d2c6dd@we= issschuh.net > Signed-off-by: "Eric W. Biederman" > Link: https://lore.kernel.org/r/87sf71f123.fsf@email.froward.int.ebiederm= .org > Signed-off-by: Kees Cook > --- > fs/binfmt_elf.c | 111 +++++++++++++++++++++--------------------------- > 1 file changed, 48 insertions(+), 63 deletions(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index 7b3d2d491407..2a615f476e44 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -110,25 +110,6 @@ static struct linux_binfmt elf_format =3D { > > #define BAD_ADDR(x) (unlikely((unsigned long)(x) >=3D TASK_SIZE)) > > -static int set_brk(unsigned long start, unsigned long end, int prot) > -{ > - start =3D ELF_PAGEALIGN(start); > - end =3D ELF_PAGEALIGN(end); > - if (end > start) { > - /* > - * Map the last of the bss segment. > - * If the header is requesting these pages to be > - * executable, honour that (ppc32 needs this). > - */ > - int error =3D vm_brk_flags(start, end - start, > - prot & PROT_EXEC ? VM_EXEC : 0); > - if (error) > - return error; > - } > - current->mm->start_brk =3D current->mm->brk =3D end; > - return 0; > -} > - > /* We need to explicitly zero any fractional pages > after the data section (i.e. bss). This would > contain the junk from the file that should not > @@ -406,6 +387,51 @@ static unsigned long elf_map(struct file *filep, uns= igned long addr, > return(map_addr); > } > > +static unsigned long elf_load(struct file *filep, unsigned long addr, > + const struct elf_phdr *eppnt, int prot, int type, > + unsigned long total_size) > +{ > + unsigned long zero_start, zero_end; > + unsigned long map_addr; > + > + if (eppnt->p_filesz) { > + map_addr =3D elf_map(filep, addr, eppnt, prot, type, tota= l_size); > + if (BAD_ADDR(map_addr)) > + return map_addr; > + if (eppnt->p_memsz > eppnt->p_filesz) { > + zero_start =3D map_addr + ELF_PAGEOFFSET(eppnt->p= _vaddr) + > + eppnt->p_filesz; > + zero_end =3D map_addr + ELF_PAGEOFFSET(eppnt->p_v= addr) + > + eppnt->p_memsz; > + > + /* Zero the end of the last mapped page */ > + padzero(zero_start); > + } > + } else { > + map_addr =3D zero_start =3D ELF_PAGESTART(addr); > + zero_end =3D zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) = + > + eppnt->p_memsz; What happens if a previous segment has mapped ELF_PAGESTART(addr)? Don't we risk mapping over that? Whereas AFAIK old logic would just padzero the bss bytes. --=20 Pedro