| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Sep 2021 14:44:04 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Cyrill Gorcunov <gorcunov@...il.com>,
Keno Fischer <keno@...iacomputing.com>,
Andrey Vagin <avagin@...il.com>,
Dmitry Safonov <0x7f454c46@...il.com>,
Kirill Tkhai <ktkhai@...tuozzo.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Pavel Tikhomirov <ptikhomirov@...tuozzo.com>,
Alexander Mikhalitsyn <alexander.mikhalitsyn@...tuozzo.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [PATCH 4.14 10/27] prctl: allow to setup brk for et_dyn executables
From: Cyrill Gorcunov <gorcunov@...il.com>
commit e1fbbd073137a9d63279f6bf363151a938347640 upstream.
Keno Fischer reported that when a binray loaded via ld-linux-x the
prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays
before mm:end_data.
For example a test program shows
| # ~/t
|
| start_code 401000
| end_code 401a15
| start_stack 7ffce4577dd0
| start_data 403e10
| end_data 40408c
| start_brk b5b000
| sbrk(0) b5b000
and when executed via ld-linux
| # /lib64/ld-linux-x86-64.so.2 ~/t
|
| start_code 7fc25b0a4000
| end_code 7fc25b0c4524
| start_stack 7fffcc6b2400
| start_data 7fc25b0ce4c0
| end_data 7fc25b0cff98
| start_brk 55555710c000
| sbrk(0) 55555710c000
This of course prevent criu from restoring such programs. Looking into
how kernel operates with brk/start_brk inside brk() syscall I don't see
any problem if we allow to setup brk/start_brk without checking for
end_data. Even if someone pass some weird address here on a purpose then
the worst possible result will be an unexpected unmapping of existing vma
(own vma, since prctl works with the callers memory) but test for
RLIMIT_DATA is still valid and a user won't be able to gain more memory in
case of expanding VMAs via new values shipped with prctl call.
Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain
Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com>
Reported-by: Keno Fischer <keno@...iacomputing.com>
Acked-by: Andrey Vagin <avagin@...il.com>
Tested-by: Andrey Vagin <avagin@...il.com>
Cc: Dmitry Safonov <0x7f454c46@...il.com>
Cc: Kirill Tkhai <ktkhai@...tuozzo.com>
Cc: Eric W. Biederman <ebiederm@...ssion.com>
Cc: Pavel Tikhomirov <ptikhomirov@...tuozzo.com>
Cc: Alexander Mikhalitsyn <alexander.mikhalitsyn@...tuozzo.com>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
kernel/sys.c | 7 -------
1 file changed, 7 deletions(-)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1874,13 +1874,6 @@ static int validate_prctl_map(struct prc
error = -EINVAL;
/*
- * @brk should be after @end_data in traditional maps.
- */
- if (prctl_map->start_brk <= prctl_map->end_data ||
- prctl_map->brk <= prctl_map->end_data)
- goto out;
-
- /*
* Neither we should allow to override limits if they set.
*/
if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk,
Powered by blists - more mailing lists