lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201211093255.GD24625@arm.com>
Date:   Fri, 11 Dec 2020 09:32:56 +0000
From:   Szabolcs Nagy <szabolcs.nagy@....com>
To:     Adhemerval Zanella <adhemerval.zanella@...aro.org>
Cc:     libc-alpha@...rceware.org, Mark Rutland <mark.rutland@....com>,
        kernel-hardening@...ts.openwall.com,
        Catalin Marinas <catalin.marinas@....com>,
        linux-kernel@...r.kernel.org,
        Jeremy Linton <jeremy.linton@....com>,
        Mark Brown <broonie@...nel.org>,
        Topi Miettinen <toiwoton@...il.com>,
        Will Deacon <will@...nel.org>,
        linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v2 3/6] elf: Fix failure handling in
 _dl_map_object_from_fd

The 12/10/2020 15:25, Adhemerval Zanella wrote:
> On 27/11/2020 10:20, Szabolcs Nagy via Libc-alpha wrote:
> > There are many failure paths that call lose to do local cleanups
> > in _dl_map_object_from_fd, but it did not clean everything.
> > 
> > Handle l_phdr, l_libname and mapped segments in the common failure
> > handling code.
> > 
> > There are various bits that may not be cleaned properly on failure
> > (e.g. executable stack, tlsid, incomplete dl_map_segments).
> > ---
> >  elf/dl-load.c | 24 +++++++++++++++---------
> >  1 file changed, 15 insertions(+), 9 deletions(-)
> > 
> > diff --git a/elf/dl-load.c b/elf/dl-load.c
> > index 21e55deb19..9c71b7562c 100644
> > --- a/elf/dl-load.c
> > +++ b/elf/dl-load.c
> > @@ -914,8 +914,15 @@ lose (int code, int fd, const char *name, char *realname, struct link_map *l,
> >    /* The file might already be closed.  */
> >    if (fd != -1)
> >      (void) __close_nocancel (fd);
> > +  if (l != NULL && l->l_map_start != 0)
> > +    _dl_unmap_segments (l);
> >    if (l != NULL && l->l_origin != (char *) -1l)
> >      free ((char *) l->l_origin);
> > +  if (l != NULL && !l->l_libname->dont_free)
> > +    free (l->l_libname);
> > +  if (l != NULL && l->l_phdr_allocated)
> > +    free ((void *) l->l_phdr);
> > +
> >    free (l);
> >    free (realname);
> >  
> > @@ -1256,7 +1263,11 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
> >      errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds,
> >  				  maplength, has_holes, loader);
> >      if (__glibc_unlikely (errstring != NULL))
> > -      goto call_lose;
> > +      {
> > +	/* Mappings can be in an inconsistent state: avoid unmap.  */
> > +	l->l_map_start = l->l_map_end = 0;
> > +	goto call_lose;
> > +      }
> >  
> >      /* Process program headers again after load segments are mapped in
> >         case processing requires accessing those segments.  Scan program
> 
> In this case I am failing to see who would be responsible to unmap 
> l_map_start int the type == ET_DYN where first mmap succeeds but
> with a later mmap failure in any load command.

failures are either cleaned up locally in this function
via lose or after a clean return via dlclose.

failures that are not cleaned up will leak resources.

_dl_map_segments failure is not cleaned up (the mappings
are in an unknown state). however after a successful
_dl_map_segments later failures can clean the mappings
and that's what i fixed here.

i did not try to fix transitive design bugs (such as
leaks in _dl_map_segments) that would require interface
change or local cleanups in those other functions.

> > @@ -1294,14 +1305,6 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
> >        || (__glibc_unlikely (l->l_flags_1 & DF_1_PIE)
> >  	  && __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0)))
> >      {
> > -      /* We are not supposed to load this object.  Free all resources.  */
> > -      _dl_unmap_segments (l);
> > -
> > -      if (!l->l_libname->dont_free)
> > -	free (l->l_libname);
> > -
> > -      if (l->l_phdr_allocated)
> > -	free ((void *) l->l_phdr);
> >  
> >        if (l->l_flags_1 & DF_1_PIE)
> >  	errstring
> > @@ -1392,6 +1395,9 @@ cannot enable executable stack as shared object requires");
> >    /* Signal that we closed the file.  */
> >    fd = -1;
> >  
> > +  /* Failures before this point are handled locally via lose.
> > +     No more failures are allowed in this function until return.  */
> > +
> >    /* If this is ET_EXEC, we should have loaded it as lt_executable.  */
> >    assert (type != ET_EXEC || l->l_type == lt_executable);
> >  
> > 
> 
> Ok.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ