| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20110929141929.43df799d.akpm00@gmail.com>
Date: Thu, 29 Sep 2011 14:19:29 -0700
From: Andrew Morton <akpm00@...il.com>
To: Josh Boyer <jwboyer@...hat.com>
Cc: Ingo Molnar <mingo@...e.hu>, Jiri Kosina <jkosina@...e.cz>,
hongjiu.lu@...el.com, linux-kernel@...r.kernel.org,
Nicolas Pitre <nico@...xnic.net>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Russell King <rmk@....linux.org.uk>
Subject: Re: [RFC PATCH] binfmt_elf: Fix PIE execution with randomization
disabled
On Thu, 29 Sep 2011 15:53:59 -0400
Josh Boyer <jwboyer@...hat.com> wrote:
> We've had a bug report[1] of some PIE programs getting a SIGKILL upon exec
> if you disable address randomization with:
>
> echo 0 > /proc/sys/kernel/randomize_va_space
>
> I tracked this down to get_unmapped_area_prot returning -ENOMEM because
> the address being passed in is larger than TASK_SIZE - len for the bss
> section of the test executable. That filters back to set_brk returning
> an error to load_elf_binary and the SIGKILL being sent around line 872
> of binfmt_elf.c.
>
> H.J. submitted an upstream bug report [2] as well, but got no feedback
> and we can't view it with kernel.org being down anyway. He came up with
> the patch below as well, which is what I'm sending on for comments. The
> changelog is my addition, so if that is wrong yell at me.
>
> I wanted to get some more eyes on this, because the current code sets
> load_bias to 0 unconditionally on CONFIG_X86 or CONFIG_ARM. I have no
> idea why that is. The original execshield patches had an #ifdef on
> __i386__ but the patch that was commited to add PIE support has the
> CONFIG_X86 setting.
>
It appears that Nicolas understood what's going on in there when he
wrote e4eab08d6050ad0 ("ARM: 6342/1: fix ASLR of PIE executables").
Alas, that patch's changelog is rather useless.
Help?
Also, please: review and test?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=708563
> [2] http://bugzilla.kernel.org/show_bug.cgi?id=36372
>
> josh
>
> ---
>
> From: H.J. Lu <hongjiu.lu@...el.com>
>
> Set the load_bias for PIE executables to a non-zero address if no virtual
> address is specified. This prevents us from running out of room for all
> the various loadable segments when ASLR is disabled.
>
> Signed-off-by: H.J. Lu <hongjiu.lu@...el.com>
> Signed-off-by: Josh Boyer <jwboyer@...hat.com>
>
> ---
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 303983f..069ee29 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -794,9 +794,14 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
> /* Try and get dynamic programs out of the way of the
> * default mmap base, as well as whatever program they
> * might try to exec. This is because the brk will
> - * follow the loader, and is not movable. */
> + * follow the loader, and is not movable. Don't use
> + * 0 load address since we may not have room for
> + * all loadable segements. */
> #if defined(CONFIG_X86) || defined(CONFIG_ARM)
> - load_bias = 0;
> + if (vaddr)
> + load_bias = 0;
> + else
> + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE);
> #else
> load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
> #endif
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists