Received: by 10.223.164.202 with SMTP id h10csp4663270wrb; Wed, 29 Nov 2017 09:47:41 -0800 (PST) X-Google-Smtp-Source: AGs4zMaC+qYb8rhat3VSleskcqmoI8HFFkjV8O5+liiqLFW7pQXu3nsoRpP93Wp9tVzQPK+1txRX X-Received: by 10.99.178.77 with SMTP id t13mr3465329pgo.77.1511977661197; Wed, 29 Nov 2017 09:47:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511977661; cv=none; d=google.com; s=arc-20160816; b=WpgeAGQl5Z6lxuviZb8CJ0Si2bQEdl1kqgtd1C5QkpXtkpymQNTptu6EFAgJuCvAv7 BoKdEGgc4ZjdPmNWy7M4xfO1dgm7yDM9dYC1wlu684lIlgBoVLJVlVt4Zrd6eAiE8wzX 9EIq29RLnIga9uQFkq24Yszqg7Tpwggn7/1o1EMM+NnF1xYP+30qLsaRNaqfsUddUYHt nPjVi7NryJP6Ft8fx3lMoZ37GcWZH5j+TXZy1lCTfoxet0x13teHRjU+ixDYEQ9a51tk 9bolHqkh/TV6C3n8B+2YRxeROblKgLtBvrH5zbxWvkj8+W2FQiZZ0V/3WUEo9nWAn/qy HZDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:organization:from:references:cc:to:subject :arc-authentication-results; bh=FqaALg0N9m9If0TzwKCCkwHYDM1lW+JXjUyILURzJrs=; b=sgVbkjRScu0EGlBGdYJqYJWKdWPvIXulBegEcyromYoQmJ8yBiGfFSnygHiFxYr4oA 7xhOnMkTPkCHhg+RwBa8dBq15stlszp3BDM6if299ZulzFquuY4qmXPUT9LezeWbrbbT +t0EAlvlv37FF4gpK/DpyF2iDWqJc+YURLcV0EaPeMdiE5LdvOY6rMMVb4a5TW4FfwDh lpSiOqVLrz3K4CR3pA+9gY6DnqTuhCjvnDlLITh76p7ecQ5B43zGAZvYhqb5gCzCeFYI HndObGLDNm3JuWNOI3me51sXujEEk8YlkzUayNzE1x+04fkolO8JxY3/e4rQQSx8IGg+ emOw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z13si1540479pgo.335.2017.11.29.09.47.30; Wed, 29 Nov 2017 09:47:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934867AbdK2Rq0 (ORCPT + 70 others); Wed, 29 Nov 2017 12:46:26 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:42054 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934070AbdK2RqW (ORCPT ); Wed, 29 Nov 2017 12:46:22 -0500 Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id vATHjpwR018021 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 29 Nov 2017 17:45:51 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id vATHjotY014841 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 29 Nov 2017 17:45:50 GMT Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id vATHjkpI019626; Wed, 29 Nov 2017 17:45:46 GMT Received: from [192.168.1.16] (/24.9.64.241) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 29 Nov 2017 09:45:46 -0800 Subject: Re: [PATCH 2/2] fs, elf: drop MAP_FIXED usage from elf_map To: Michal Hocko , linux-api@vger.kernel.org Cc: Michael Ellerman , Andrew Morton , Russell King - ARM Linux , Andrea Arcangeli , linux-mm@kvack.org, LKML , linux-arch@vger.kernel.org, Florian Weimer , John Hubbard , Michal Hocko , Abdul Haleem , Joel Stanley , Kees Cook References: <20171129144219.22867-1-mhocko@kernel.org> <20171129144219.22867-3-mhocko@kernel.org> From: Khalid Aziz Organization: Oracle Corp Message-ID: <93ce964b-e352-1905-c2b6-deedf2ea06f8@oracle.com> Date: Wed, 29 Nov 2017 10:45:43 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <20171129144219.22867-3-mhocko@kernel.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Source-IP: userv0021.oracle.com [156.151.31.71] Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/29/2017 07:42 AM, Michal Hocko wrote: > From: Michal Hocko > > Both load_elf_interp and load_elf_binary rely on elf_map to map segments > on a controlled address and they use MAP_FIXED to enforce that. This is > however dangerous thing prone to silent data corruption which can be > even exploitable. Let's take CVE-2017-1000253 as an example. At the time > (before eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")) > ELF_ET_DYN_BASE was at TASK_SIZE / 3 * 2 which is not that far away from > the stack top on 32b (legacy) memory layout (only 1GB away). Therefore > we could end up mapping over the existing stack with some luck. > > The issue has been fixed since then (a87938b2e246 ("fs/binfmt_elf.c: > fix bug in loading of PIE binaries")), ELF_ET_DYN_BASE moved moved much > further from the stack (eab09532d400 and later by c715b72c1ba4 ("mm: > revert x86_64 and arm64 ELF_ET_DYN_BASE base changes")) and excessive > stack consumption early during execve fully stopped by da029c11e6b1 > ("exec: Limit arg stack to at most 75% of _STK_LIM"). So we should be > safe and any attack should be impractical. On the other hand this is > just too subtle assumption so it can break quite easily and hard to > spot. > > I believe that the MAP_FIXED usage in load_elf_binary (et. al) is still > fundamentally dangerous. Moreover it shouldn't be even needed. We are > at the early process stage and so there shouldn't be unrelated mappings > (except for stack and loader) existing so mmap for a given address > should succeed even without MAP_FIXED. Something is terribly wrong if > this is not the case and we should rather fail than silently corrupt the > underlying mapping. > > Address this issue by changing MAP_FIXED to the newly added > MAP_FIXED_SAFE. This will mean that mmap will fail if there is an > existing mapping clashing with the requested one without clobbering it. > > Cc: Abdul Haleem > Cc: Joel Stanley > Acked-by: Kees Cook > Signed-off-by: Michal Hocko > --- Reviewed-by: Khalid Aziz From 1585412000925815567@xxx Wed Nov 29 14:45:06 +0000 2017 X-GM-THRID: 1585412000925815567 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread