lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110929195359.GJ16720@zod.bos.redhat.com>
Date:	Thu, 29 Sep 2011 15:53:59 -0400
From:	Josh Boyer <jwboyer@...hat.com>
To:	Ingo Molnar <mingo@...e.hu>, akpm@...ux-foundation.org,
	Jiri Kosina <jkosina@...e.cz>
Cc:	hongjiu.lu@...el.com, linux-kernel@...r.kernel.org
Subject: [RFC PATCH] binfmt_elf: Fix PIE execution with randomization disabled

We've had a bug report[1] of some PIE programs getting a SIGKILL upon exec
if you disable address randomization with:

	echo 0 > /proc/sys/kernel/randomize_va_space

I tracked this down to get_unmapped_area_prot returning -ENOMEM because
the address being passed in is larger than TASK_SIZE - len for the bss
section of the test executable.  That filters back to set_brk returning
an error to load_elf_binary and the SIGKILL being sent around line 872
of binfmt_elf.c.

H.J. submitted an upstream bug report [2] as well, but got no feedback
and we can't view it with kernel.org being down anyway.  He came up with
the patch below as well, which is what I'm sending on for comments.  The
changelog is my addition, so if that is wrong yell at me.

I wanted to get some more eyes on this, because the current code sets
load_bias to 0 unconditionally on CONFIG_X86 or CONFIG_ARM.  I have no
idea why that is.  The original execshield patches had an #ifdef on
__i386__ but the patch that was commited to add PIE support has the
CONFIG_X86 setting.

Thoughts welcome.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=708563
[2] http://bugzilla.kernel.org/show_bug.cgi?id=36372

josh

---

From: H.J. Lu <hongjiu.lu@...el.com>

Set the load_bias for PIE executables to a non-zero address if no virtual
address is specified.  This prevents us from running out of room for all
the various loadable segments when ASLR is disabled.

Signed-off-by: H.J. Lu <hongjiu.lu@...el.com>
Signed-off-by: Josh Boyer <jwboyer@...hat.com>

---

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 303983f..069ee29 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -794,9 +794,14 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
 			/* Try and get dynamic programs out of the way of the
 			 * default mmap base, as well as whatever program they
 			 * might try to exec.  This is because the brk will
-			 * follow the loader, and is not movable.  */
+			 * follow the loader, and is not movable.  Don't use
+			 * 0 load address since we may not have room for
+			 * all loadable segements.  */
 #if defined(CONFIG_X86) || defined(CONFIG_ARM)
-			load_bias = 0;
+			if (vaddr)
+				load_bias = 0;
+			else
+				load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE);
 #else
 			load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
 #endif

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ