lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87v869pqr9.fsf@email.froward.int.ebiederm.org>
Date: Tue, 27 Feb 2024 14:59:54 -0600
From: "Eric W. Biederman" <ebiederm@...ssion.com>
To: Kees Cook <keescook@...omium.org>
Cc: Jan Bujak <j@...a.io>,  Pedro Falcato <pedro.falcato@...il.com>,
  linux-mm@...ck.org,  linux-kernel@...r.kernel.org,
  viro@...iv.linux.org.uk,  brauner@...nel.org,
  linux-fsdevel@...r.kernel.org
Subject: Re: Recent-ish changes in binfmt_elf made my program segfault

Kees Cook <keescook@...omium.org> writes:

> On Tue, Feb 27, 2024 at 09:35:39AM -0600, Eric W. Biederman wrote:
>> Kees Cook <keescook@...omium.org> writes:
>> 
>> > On Tue, Jan 23, 2024 at 12:23:27AM +0900, Jan Bujak wrote:
>> >> On 1/22/24 23:54, Pedro Falcato wrote:
>> >> > Hi!
>> >> > 
>> >> > Where did you get that linker script?
>> >> > 
>> >> > FWIW, I catched this possible issue in review, and this was already
>> >> > discussed (see my email and Eric's reply):
>> >> > https://lore.kernel.org/all/CAKbZUD3E2if8Sncy+M2YKncc_Zh08-86W6U5wR0ZMazShxbHHA@mail.gmail.com/
>> >> > 
>> >> > This was my original testcase
>> >> > (https://github.com/heatd/elf-bug-questionmark), which convinced the
>> >> > loader to map .data over a cleared .bss. Your bug seems similar, but
>> >> > does the inverse: maps .bss over .data.
>> >> > 
>> >> 
>> >> I wrote the linker script myself from scratch.
>> >
>> > Do you still need this addressed, or have you been able to adjust the
>> > linker script? (I ask to try to assess the priority of needing to fix
>> > this behavior change...)
>> 
>> Kees, I haven't had a chance to test this yet but it occurred to me
>> that there is an easy way to handle this.  In our in-memory copy
>> of the elf program headers we can just merge the two segments
>> together.
>> 
>> I believe the diff below accomplishes that, and should fix issue.
>> 
>> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
>> 
>> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
>> index 5397b552fbeb..01df7dd1f3b4 100644
>> --- a/fs/binfmt_elf.c
>> +++ b/fs/binfmt_elf.c
>> @@ -924,6 +926,31 @@ static int load_elf_binary(struct linux_binprm *bprm)
>>  	elf_ppnt = elf_phdata;
>>  	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
>>  		switch (elf_ppnt->p_type) {
>> +		case PT_LOAD:
>> +		{
>> +			/*
>> +			 * Historically linux ignored all but the
>> +			 * final .bss segment.  Now that linux honors
>> +			 * all .bss segments, a .bss segment that
>> +			 * logically is not overlapping but is
>> +			 * overlapping when it's edges are rounded up
>> +			 * to page size causes programs to fail.
>> +			 *
>> +			 * Handle that case by merging .bss segments
>> +			 * into the segment they follow.
>> +			 */
>> +			if (((i + 1) >= elf_ex->e_phnum) ||
>> +			    (elf_ppnt[1].p_type != PT_LOAD) ||
>> +			    (elf_ppnt[1].p_filesz != 0))
>> +				continue;
>> +			unsigned long end =
>> +				elf_ppnt[0].p_vaddr + elf_ppnt[0].p_memsz;
>> +			if (elf_ppnt[1].p_vaddr != end)
>> +				continue;
>> +			elf_ppnt[0].p_memsz += elf_ppnt[1].p_memsz;
>> +			elf_ppnt[1].p_type = PT_NULL;
>> +			break;
>> +		}
>>  		case PT_GNU_STACK:
>>  			if (elf_ppnt->p_flags & PF_X)
>>  				executable_stack = EXSTACK_ENABLE_X;
>
> I don't think this is safe -- it isn't looking at flags, etc. e.g.,
> something like this could break:
>
>   Type  Offset   VirtAddr  PhysAddr  FileSiz  MemSiz   Flg Align
>   LOAD  0x003000 0x12000   0x12000   0x001000 0x001000 R E 0x1000
>   LOAD  0x004000 0x13000   0x13000   0x000000 0x001000 RW  0x1000

Yes.  I think it should be modified to only do something is the break
is not on a page boundary (which will automatically limit it's effect
to where we need to do something for backwards compatibility).

Still with a few tweaks and testing I think that is a good path forward
for dealing with the ``regression'' case.

Eric


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ