| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YV8qp6J+HW0ciLVP@localhost.localdomain> Date: Thu, 7 Oct 2021 20:13:11 +0300 From: Alexey Dobriyan <adobriyan@...il.com> To: Andrew Morton <akpm@...ux-foundation.org> Cc: linux-kernel@...r.kernel.org, Kees Cook <keescook@...omium.org> Subject: Re: [PATCH] ELF: fix overflow in total mapping size calculation On Tue, Oct 05, 2021 at 05:21:29PM -0700, Andrew Morton wrote: > On Sun, 3 Oct 2021 15:11:24 +0300 Alexey Dobriyan <adobriyan@...il.com> wrote: > > > Kernel assumes that ELF program headers are ordered by mapping address, > > but doesn't enforce it. It is possible to make mapping size extremely huge > > by simply shuffling first and last PT_LOAD segments. > > > > As long as PT_LOAD segments do not overlap, it is silly to require > > sorting by v_addr anyway because mmap() doesn't care. > > > > Don't assume PT_LOAD segments are sorted and calculate min and max > > addresses correctly. > > It sounds good, but why do I have the feeling this will explode in some > unexpected fashion? Because it's elf, and that's what it does :( Good news, it is ELF, we'll hear about breakage immediately. :^) Kernel "enforces" PT_LOAD ordering: if total mapping size overflows, then mmap will reject it. I hope every ELF binary maintains ordering. But! total_mapping_size() only looks at first and the last PT_LOAD segments which is obviously incorrect.
Powered by blists - more mailing lists