Received: by 10.223.164.202 with SMTP id h10csp4663270wrb;
        Wed, 29 Nov 2017 09:47:41 -0800 (PST)
X-Google-Smtp-Source: AGs4zMaC+qYb8rhat3VSleskcqmoI8HFFkjV8O5+liiqLFW7pQXu3nsoRpP93Wp9tVzQPK+1txRX
X-Received: by 10.99.178.77 with SMTP id t13mr3465329pgo.77.1511977661197;
        Wed, 29 Nov 2017 09:47:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511977661; cv=none;
        d=google.com; s=arc-20160816;
        b=WpgeAGQl5Z6lxuviZb8CJ0Si2bQEdl1kqgtd1C5QkpXtkpymQNTptu6EFAgJuCvAv7
         BoKdEGgc4ZjdPmNWy7M4xfO1dgm7yDM9dYC1wlu684lIlgBoVLJVlVt4Zrd6eAiE8wzX
         9EIq29RLnIga9uQFkq24Yszqg7Tpwggn7/1o1EMM+NnF1xYP+30qLsaRNaqfsUddUYHt
         nPjVi7NryJP6Ft8fx3lMoZ37GcWZH5j+TXZy1lCTfoxet0x13teHRjU+ixDYEQ9a51tk
         9bolHqkh/TV6C3n8B+2YRxeROblKgLtBvrH5zbxWvkj8+W2FQiZZ0V/3WUEo9nWAn/qy
         HZDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:organization:from:references:cc:to:subject
         :arc-authentication-results;
        bh=FqaALg0N9m9If0TzwKCCkwHYDM1lW+JXjUyILURzJrs=;
        b=sgVbkjRScu0EGlBGdYJqYJWKdWPvIXulBegEcyromYoQmJ8yBiGfFSnygHiFxYr4oA
         7xhOnMkTPkCHhg+RwBa8dBq15stlszp3BDM6if299ZulzFquuY4qmXPUT9LezeWbrbbT
         +t0EAlvlv37FF4gpK/DpyF2iDWqJc+YURLcV0EaPeMdiE5LdvOY6rMMVb4a5TW4FfwDh
         lpSiOqVLrz3K4CR3pA+9gY6DnqTuhCjvnDlLITh76p7ecQ5B43zGAZvYhqb5gCzCeFYI
         HndObGLDNm3JuWNOI3me51sXujEEk8YlkzUayNzE1x+04fkolO8JxY3/e4rQQSx8IGg+
         emOw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z13si1540479pgo.335.2017.11.29.09.47.30;
        Wed, 29 Nov 2017 09:47:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934867AbdK2Rq0 (ORCPT <rfc822;c14006078@gmail.com> + 70 others);
        Wed, 29 Nov 2017 12:46:26 -0500
Received: from aserp1040.oracle.com ([141.146.126.69]:42054 "EHLO
        aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S934070AbdK2RqW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Nov 2017 12:46:22 -0500
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71])
        by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id vATHjpwR018021
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Wed, 29 Nov 2017 17:45:51 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
        by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id vATHjotY014841
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Wed, 29 Nov 2017 17:45:50 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9])
        by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id vATHjkpI019626;
        Wed, 29 Nov 2017 17:45:46 GMT
Received: from [192.168.1.16] (/24.9.64.241)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Wed, 29 Nov 2017 09:45:46 -0800
Subject: Re: [PATCH 2/2] fs, elf: drop MAP_FIXED usage from elf_map
To:     Michal Hocko <mhocko@kernel.org>, linux-api@vger.kernel.org
Cc:     Michael Ellerman <mpe@ellerman.id.au>,
        Andrew Morton <akpm@linux-foundation.org>,
        Russell King - ARM Linux <linux@armlinux.org.uk>,
        Andrea Arcangeli <aarcange@redhat.com>, linux-mm@kvack.org,
        LKML <linux-kernel@vger.kernel.org>, linux-arch@vger.kernel.org,
        Florian Weimer <fweimer@redhat.com>,
        John Hubbard <jhubbard@nvidia.com>,
        Michal Hocko <mhocko@suse.com>,
        Abdul Haleem <abdhalee@linux.vnet.ibm.com>,
        Joel Stanley <joel@jms.id.au>,
        Kees Cook <keescook@chromium.org>
References: <20171129144219.22867-1-mhocko@kernel.org>
 <20171129144219.22867-3-mhocko@kernel.org>
From:   Khalid Aziz <khalid.aziz@oracle.com>
Organization: Oracle Corp
Message-ID: <93ce964b-e352-1905-c2b6-deedf2ea06f8@oracle.com>
Date:   Wed, 29 Nov 2017 10:45:43 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171129144219.22867-3-mhocko@kernel.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/29/2017 07:42 AM, Michal Hocko wrote:
> From: Michal Hocko <mhocko@suse.com>
> 
> Both load_elf_interp and load_elf_binary rely on elf_map to map segments
> on a controlled address and they use MAP_FIXED to enforce that. This is
> however dangerous thing prone to silent data corruption which can be
> even exploitable. Let's take CVE-2017-1000253 as an example. At the time
> (before eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE"))
> ELF_ET_DYN_BASE was at TASK_SIZE / 3 * 2 which is not that far away from
> the stack top on 32b (legacy) memory layout (only 1GB away). Therefore
> we could end up mapping over the existing stack with some luck.
> 
> The issue has been fixed since then (a87938b2e246 ("fs/binfmt_elf.c:
> fix bug in loading of PIE binaries")), ELF_ET_DYN_BASE moved moved much
> further from the stack (eab09532d400 and later by c715b72c1ba4 ("mm:
> revert x86_64 and arm64 ELF_ET_DYN_BASE base changes")) and excessive
> stack consumption early during execve fully stopped by da029c11e6b1
> ("exec: Limit arg stack to at most 75% of _STK_LIM"). So we should be
> safe and any attack should be impractical. On the other hand this is
> just too subtle assumption so it can break quite easily and hard to
> spot.
> 
> I believe that the MAP_FIXED usage in load_elf_binary (et. al) is still
> fundamentally dangerous. Moreover it shouldn't be even needed. We are
> at the early process stage and so there shouldn't be unrelated mappings
> (except for stack and loader) existing so mmap for a given address
> should succeed even without MAP_FIXED. Something is terribly wrong if
> this is not the case and we should rather fail than silently corrupt the
> underlying mapping.
> 
> Address this issue by changing MAP_FIXED to the newly added
> MAP_FIXED_SAFE. This will mean that mmap will fail if there is an
> existing mapping clashing with the requested one without clobbering it.
> 
> Cc: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
> Cc: Joel Stanley <joel@jms.id.au>
> Acked-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Michal Hocko <mhocko@suse.com>
> ---

Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>


From 1585412000925815567@xxx Wed Nov 29 14:45:06 +0000 2017
X-GM-THRID: 1585412000925815567
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread