| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210121221207.GB2174@grain>
Date: Fri, 22 Jan 2021 01:12:07 +0300
From: Cyrill Gorcunov <gorcunov@...il.com>
To: LKML <linux-kernel@...r.kernel.org>
Cc: Keno Fischer <keno@...iacomputing.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Dmitry Safonov <0x7f454c46@...il.com>,
Andrey Vagin <avagin@...il.com>,
Kirill Tkhai <ktkhai@...tuozzo.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: [PATCH] prctl: allow to setup brk for et_dyn executables
Keno Fischer reported that when a binray loaded via
ld-linux-x the prctl(PR_SET_MM_MAP) doesn't allow to
setup brk value because it lays before mm:end_data.
For example a test program shows
| # ~/t
|
| start_code 401000
| end_code 401a15
| start_stack 7ffce4577dd0
| start_data 403e10
| end_data 40408c
| start_brk b5b000
| sbrk(0) b5b000
and when executed via ld-linux
| # /lib64/ld-linux-x86-64.so.2 ~/t
|
| start_code 7fc25b0a4000
| end_code 7fc25b0c4524
| start_stack 7fffcc6b2400
| start_data 7fc25b0ce4c0
| end_data 7fc25b0cff98
| start_brk 55555710c000
| sbrk(0) 55555710c000
This of course prevent criu from restoring such programs.
Looking into how kernel operates with brk/start_brk inside
brk() syscall I don't see any problem if we allow to setup
brk/start_brk without checking for end_data. Even if someone
pass some weird address here on a purpose then the worst
possible result will be an unexpected unmapping of existing
vma (own vma, since prctl works with the callers memory) but
test for RLIMIT_DATA is still valid and a user won't be able
to gain more memory in case of expanding VMAs via new values
shipped with prctl call.
Reported-by: Keno Fischer <keno@...iacomputing.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com>
CC: Andrew Morton <akpm@...ux-foundation.org>
CC: Dmitry Safonov <0x7f454c46@...il.com>
CC: Andrey Vagin <avagin@...il.com>
CC: Kirill Tkhai <ktkhai@...tuozzo.com>
CC: Eric W. Biederman <ebiederm@...ssion.com>
---
Guys, take a look please once time permit. Hopefully I didn't
miss something 'cause made this patch via code reading only.
Andrey, do we still have a criu container which tests new kernels,
right? Would be great to run criu tests with this patch applied
to make sure everything is intact.
kernel/sys.c | 7 -------
1 file changed, 7 deletions(-)
Index: linux-tip.git/kernel/sys.c
===================================================================
--- linux-tip.git.orig/kernel/sys.c
+++ linux-tip.git/kernel/sys.c
@@ -1943,13 +1943,6 @@ static int validate_prctl_map_addr(struc
error = -EINVAL;
/*
- * @brk should be after @end_data in traditional maps.
- */
- if (prctl_map->start_brk <= prctl_map->end_data ||
- prctl_map->brk <= prctl_map->end_data)
- goto out;
-
- /*
* Neither we should allow to override limits if they set.
*/
if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk,
Powered by blists - more mailing lists