lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080213143701.GA21800@caradoc.them.org>
Date:	Wed, 13 Feb 2008 09:37:01 -0500
From:	Daniel Jacobowitz <dan@...ian.org>
To:	akpm@...ux-foundation.org
Cc:	mm-commits@...r.kernel.org, abelbg@...rp.com, hpa@...or.com,
	jkosina@...e.cz, roland@...hat.com, schwab@...e.de,
	stable@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: + elf-loader-crash-while-zero-filling-bss.patch added to -mm
	tree

On Wed, Feb 13, 2008 at 12:15:06AM -0800, akpm@...ux-foundation.org wrote:
> Subject: Elf loader crash while zero-filling .bss
> From: "Abel Bernabeu" <abelbg@...rp.com>
> 
> I've finally found a solution for the crash in load_binary_elf I
> reported last week:
> 
> http://lkml.org/lkml/2008/1/30/171
> 
> The attached patch solves my problem.
> 
> set_brk(start, end) allocs just page aligned regions (by "collapsing" both
> extremes to the start of the page in which they lay)...  That means than
> even if both pointers are not equal there are still some chances that
> set_brk has allocated no space at all because ELF_PAGEALIGN(elf_bss) ==	
> ELF_PAGEALIGN(elf_brk).
> 
> So the condition was not correct.

This patch is wrong.

ELF_PAGEALIGN rounds up to the end of the page, not down to the start
of the page.  If elf_bss is in the middle of a page, set_brk allocates
any additional pages after the one already allocated.  elf_bss is the
start of the area that needs to be zero initialized, elf_brk is its
end.  So if elf_bss != elf_brk then there's garbage mapped in BSS
from the file and if you don't clear it some of your zero-initialized
variables won't be zero initialized at all.

In the linked message, set_brk is passed elf_bss so its actual
arguments are set_brk (0xa3801, 0x000a4ec8).  It should map one
page.  0xa3801 should be an already mapped page, and clear_user should
succeed in clearing it.

-- 
Daniel Jacobowitz
CodeSourcery
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ