lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202402270911.961702D7D6@keescook>
Date: Tue, 27 Feb 2024 09:22:35 -0800
From: Kees Cook <keescook@...omium.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Jan Bujak <j@...a.io>, Pedro Falcato <pedro.falcato@...il.com>,
	linux-mm@...ck.org, linux-kernel@...r.kernel.org,
	viro@...iv.linux.org.uk, brauner@...nel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: Recent-ish changes in binfmt_elf made my program segfault

On Tue, Feb 27, 2024 at 09:35:39AM -0600, Eric W. Biederman wrote:
> Kees Cook <keescook@...omium.org> writes:
> 
> > On Tue, Jan 23, 2024 at 12:23:27AM +0900, Jan Bujak wrote:
> >> On 1/22/24 23:54, Pedro Falcato wrote:
> >> > Hi!
> >> > 
> >> > Where did you get that linker script?
> >> > 
> >> > FWIW, I catched this possible issue in review, and this was already
> >> > discussed (see my email and Eric's reply):
> >> > https://lore.kernel.org/all/CAKbZUD3E2if8Sncy+M2YKncc_Zh08-86W6U5wR0ZMazShxbHHA@mail.gmail.com/
> >> > 
> >> > This was my original testcase
> >> > (https://github.com/heatd/elf-bug-questionmark), which convinced the
> >> > loader to map .data over a cleared .bss. Your bug seems similar, but
> >> > does the inverse: maps .bss over .data.
> >> > 
> >> 
> >> I wrote the linker script myself from scratch.
> >
> > Do you still need this addressed, or have you been able to adjust the
> > linker script? (I ask to try to assess the priority of needing to fix
> > this behavior change...)
> 
> Kees, I haven't had a chance to test this yet but it occurred to me
> that there is an easy way to handle this.  In our in-memory copy
> of the elf program headers we can just merge the two segments
> together.
> 
> I believe the diff below accomplishes that, and should fix issue.
> 
> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
> 
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 5397b552fbeb..01df7dd1f3b4 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -924,6 +926,31 @@ static int load_elf_binary(struct linux_binprm *bprm)
>  	elf_ppnt = elf_phdata;
>  	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
>  		switch (elf_ppnt->p_type) {
> +		case PT_LOAD:
> +		{
> +			/*
> +			 * Historically linux ignored all but the
> +			 * final .bss segment.  Now that linux honors
> +			 * all .bss segments, a .bss segment that
> +			 * logically is not overlapping but is
> +			 * overlapping when it's edges are rounded up
> +			 * to page size causes programs to fail.
> +			 *
> +			 * Handle that case by merging .bss segments
> +			 * into the segment they follow.
> +			 */
> +			if (((i + 1) >= elf_ex->e_phnum) ||
> +			    (elf_ppnt[1].p_type != PT_LOAD) ||
> +			    (elf_ppnt[1].p_filesz != 0))
> +				continue;
> +			unsigned long end =
> +				elf_ppnt[0].p_vaddr + elf_ppnt[0].p_memsz;
> +			if (elf_ppnt[1].p_vaddr != end)
> +				continue;
> +			elf_ppnt[0].p_memsz += elf_ppnt[1].p_memsz;
> +			elf_ppnt[1].p_type = PT_NULL;
> +			break;
> +		}
>  		case PT_GNU_STACK:
>  			if (elf_ppnt->p_flags & PF_X)
>  				executable_stack = EXSTACK_ENABLE_X;

I don't think this is safe -- it isn't looking at flags, etc. e.g.,
something like this could break:

  Type  Offset   VirtAddr  PhysAddr  FileSiz  MemSiz   Flg Align
  LOAD  0x003000 0x12000   0x12000   0x001000 0x001000 R E 0x1000
  LOAD  0x004000 0x13000   0x13000   0x000000 0x001000 RW  0x1000

Hmm

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ