| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230607144227.8956-1-ansuelsmth@gmail.com>
Date: Wed, 7 Jun 2023 16:42:27 +0200
From: Christian Marangi <ansuelsmth@...il.com>
To: Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>,
Eric Biederman <ebiederm@...ssion.com>,
Kees Cook <keescook@...omium.org>,
Mark Brown <broonie@...nel.org>,
Dave Martin <Dave.Martin@....com>,
Catalin Marinas <catalin.marinas@....com>,
linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Cc: Christian Marangi <ansuelsmth@...il.com>, stable@...r.kernel.org
Subject: [PATCH] binfmt_elf: dynamically allocate note.data in parse_elf_properties
Dynamically allocate note.data in parse_elf_properties to fix
compilation warning on some arch.
On some arch note.data exceed the stack limit for a single function and
this cause the following compilation warning:
fs/binfmt_elf.c: In function 'parse_elf_properties.isra':
fs/binfmt_elf.c:821:1: error: the frame size of 1040 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
821 | }
| ^
cc1: all warnings being treated as errors
Fix this by dynamically allocating the array.
Update the sizeof of the union to the biggest element allocated.
Fixes: 00e19ceec80b ("ELF: Add ELF program property parsing support")
Signed-off-by: Christian Marangi <ansuelsmth@...il.com>
Cc: stable@...r.kernel.org # v5.8+
---
fs/binfmt_elf.c | 36 +++++++++++++++++++++++++-----------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 44b4c42ab8e8..90daa623ca13 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -768,7 +768,7 @@ static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
{
union {
struct elf_note nhdr;
- char data[NOTE_DATA_SZ];
+ char *data;
} note;
loff_t pos;
ssize_t n;
@@ -785,29 +785,41 @@ static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
return -ENOEXEC;
/* If the properties are crazy large, that's too bad (for now): */
- if (phdr->p_filesz > sizeof(note))
+ if (phdr->p_filesz > sizeof(*note.data) * NOTE_DATA_SZ)
return -ENOEXEC;
+ note.data = kcalloc(NOTE_DATA_SZ, sizeof(*note.data), GFP_KERNEL);
+ if (!note.data)
+ return -ENOMEM;
+
pos = phdr->p_offset;
n = kernel_read(f, ¬e, phdr->p_filesz, &pos);
- BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
- if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
- return -EIO;
+ BUILD_BUG_ON(sizeof(*note.data) * NOTE_DATA_SZ < sizeof(note.nhdr) + NOTE_NAME_SZ);
+ if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ) {
+ ret = -EIO;
+ goto exit;
+ }
if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
note.nhdr.n_namesz != NOTE_NAME_SZ ||
strncmp(note.data + sizeof(note.nhdr),
- GNU_PROPERTY_TYPE_0_NAME, n - sizeof(note.nhdr)))
- return -ENOEXEC;
+ GNU_PROPERTY_TYPE_0_NAME, n - sizeof(note.nhdr))) {
+ ret = -ENOEXEC;
+ goto exit;
+ }
off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
ELF_GNU_PROPERTY_ALIGN);
- if (off > n)
- return -ENOEXEC;
+ if (off > n) {
+ ret = -ENOEXEC;
+ goto exit;
+ }
- if (note.nhdr.n_descsz > n - off)
- return -ENOEXEC;
+ if (note.nhdr.n_descsz > n - off) {
+ ret = -ENOEXEC;
+ goto exit;
+ }
datasz = off + note.nhdr.n_descsz;
have_prev_type = false;
@@ -817,6 +829,8 @@ static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
have_prev_type = true;
} while (!ret);
+exit:
+ kfree(note.data);
return ret == -ENOENT ? 0 : ret;
}
--
2.39.2
Powered by blists - more mailing lists