| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202110041255.83A6616D9@keescook>
Date: Mon, 4 Oct 2021 13:00:07 -0700
From: Kees Cook <keescook@...omium.org>
To: Chen Jingwen <chenjingwen6@...wei.com>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Alexander Viro <viro@...iv.linux.org.uk>,
Michal Hocko <mhocko@...e.com>,
Andrei Vagin <avagin@...nvz.org>,
Khalid Aziz <khalid.aziz@...cle.com>,
Michael Ellerman <mpe@...erman.id.au>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter
mappings
On Tue, Sep 28, 2021 at 08:56:57PM +0800, Chen Jingwen wrote:
> In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings")
> we still leave MAP_FIXED_NOREPLACE in place for load_elf_interp.
> Unfortunately, this will cause kernel to fail to start with
>
> [ 2.384321] 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
> [ 2.386240] Failed to execute /init (error -17)
>
I guess you mean "init" fails to start (but yes, same result).
> The reason is that the elf interpreter (ld.so) has overlapping segments.
Ewww. What toolchain generated this (and what caused it to just start
happening)? (This was added in v4.17; it's been 3 years.)
>
> readelf -l ld-2.31.so
> Program Headers:
> Type Offset VirtAddr PhysAddr
> FileSiz MemSiz Flags Align
> LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
> 0x000000000002c94c 0x000000000002c94c R E 0x10000
> LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
> 0x00000000000021e8 0x0000000000002320 RW 0x10000
> LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
> 0x00000000000011ac 0x0000000000001328 RW 0x10000
>
> The reason for this problem is the same as described in
> commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
> Not only executable binaries, elf interpreters (e.g. ld.so) can have
> overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
> back to MAP_FIXED in load_elf_interp.
We could also just expand the logic that fixed[1] this for ELF, yes?
Andrew, are you able to pick up [1], BTW? It seems to have fallen
through the cracks.
[1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u
>
> Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
> Cc: <stable@...r.kernel.org> # v4.19
> Signed-off-by: Chen Jingwen <chenjingwen6@...wei.com>
> ---
> fs/binfmt_elf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 69d900a8473d..a813b70f594e 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -630,7 +630,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
>
> vaddr = eppnt->p_vaddr;
> if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
> - elf_type |= MAP_FIXED_NOREPLACE;
> + elf_type |= MAP_FIXED;
> else if (no_base && interp_elf_ex->e_type == ET_DYN)
> load_addr = -vaddr;
--
Kees Cook
Powered by blists - more mailing lists