| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110930021629.GL16720@zod.bos.redhat.com>
Date: Thu, 29 Sep 2011 22:16:29 -0400
From: Josh Boyer <jwboyer@...hat.com>
To: Nicolas Pitre <nicolas.pitre@...aro.org>
Cc: Andrew Morton <akpm00@...il.com>, Ingo Molnar <mingo@...e.hu>,
Jiri Kosina <jkosina@...e.cz>, hongjiu.lu@...el.com,
linux-kernel@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>,
Russell King <rmk@....linux.org.uk>
Subject: Re: [RFC PATCH] binfmt_elf: Fix PIE execution with randomization
disabled
On Thu, Sep 29, 2011 at 08:41:33PM -0400, Nicolas Pitre wrote:
> On Thu, 29 Sep 2011, Andrew Morton wrote:
>
> > On Thu, 29 Sep 2011 15:53:59 -0400
> > Josh Boyer <jwboyer@...hat.com> wrote:
> >
> > > We've had a bug report[1] of some PIE programs getting a SIGKILL upon exec
> > > if you disable address randomization with:
> > >
> > > echo 0 > /proc/sys/kernel/randomize_va_space
> > >
> > > I tracked this down to get_unmapped_area_prot returning -ENOMEM because
> > > the address being passed in is larger than TASK_SIZE - len for the bss
> > > section of the test executable. That filters back to set_brk returning
> > > an error to load_elf_binary and the SIGKILL being sent around line 872
> > > of binfmt_elf.c.
> > >
> > > H.J. submitted an upstream bug report [2] as well, but got no feedback
> > > and we can't view it with kernel.org being down anyway. He came up with
> > > the patch below as well, which is what I'm sending on for comments. The
> > > changelog is my addition, so if that is wrong yell at me.
> > >
> > > I wanted to get some more eyes on this, because the current code sets
> > > load_bias to 0 unconditionally on CONFIG_X86 or CONFIG_ARM. I have no
> > > idea why that is. The original execshield patches had an #ifdef on
> > > __i386__ but the patch that was commited to add PIE support has the
> > > CONFIG_X86 setting.
> > >
> >
> > It appears that Nicolas understood what's going on in there when he
> > wrote e4eab08d6050ad0 ("ARM: 6342/1: fix ASLR of PIE executables").
> > Alas, that patch's changelog is rather useless.
> >
> > Help?
>
> Well, in order to obtain randomization, the addr argument to elf_map()
> must be zero to eventually let arch_get_unmapped_area() do its job of
> selecting a random address.
Hm. But it doesn't do that if ASLR is disabled at runtime, so the
address causes issues?
> Since only X86 supported ASLR at the time, I simply did the same for ARM
> i.e. let load_bias be set to 0 so elf_map() would get a zero address.
So as of right now, only X86 and ARM support ASLR? Maybe we could
change the define to be more descriptive. Something like ARCH_HAS_ASLR?
> > Also, please: review and test?
> >
> > > #if defined(CONFIG_X86) || defined(CONFIG_ARM)
> > > - load_bias = 0;
> > > + if (vaddr)
> > > + load_bias = 0;
> > > + else
> > > + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE);
> > > #else
> > > load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
> > > #endif
>
> Simply looking at this patch, I don't see how the second argument to
> elf_map() called as follows could ever be zero anymore, effectively
> breaking ASLR.
Perhaps another check here for randomize? Something like:
#if defined(CONFIG_X86) || defined(CONFIG_ARM)
if (current->flags & PF_RANDOMIZE)
load_bias = 0;
else if (vaddr)
load_bias = 0;
else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE);
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
If that's stupid, then feel free to tell me. I won't pretend like I
understand what is going on here yet, but based on the explanation you
provided that might work.
josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists