Merge tag 'execve-v6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull execve fix from Kees Cook:
"This fixes a corner case for ASLR-disabled static-PIE brk collision
with vdso allocations:

- binfmt_elf: Move brk for static PIE even if ASLR disabled"

* tag 'execve-v6.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
binfmt_elf: Move brk for static PIE even if ASLR disabled

+47 -24
+47 -24
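--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -830,6 +830,7 @@
 	struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
 	struct elf_phdr *elf_property_phdata = NULL;
 	unsigned long elf_brk;
+	bool brk_moved = false;
 	int retval, i;
 	unsigned long elf_entry;
 	unsigned long e_entry;
@@ -1098,15 +1097,19 @@
 	/* Calculate any requested alignment. */
 	alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
 
-	/*
-	 * There are effectively two types of ET_DYN
-	 * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP)
-	 * and loaders (ET_DYN without PT_INTERP, since they
-	 * _are_ the ELF interpreter). The loaders must
-	 * be loaded away from programs since the program
-	 * may otherwise collide with the loader (especially
-	 * for ET_EXEC which does not have a randomized
-	 * position). For example to handle invocations of
+	/**
+	 * DOC: PIE handling
+	 *
+	 * There are effectively two types of ET_DYN ELF
+	 * binaries: programs (i.e. PIE: ET_DYN with
+	 * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
+	 * without PT_INTERP, usually the ELF interpreter
+	 * itself). Loaders must be loaded away from programs
+	 * since the program may otherwise collide with the
+	 * loader (especially for ET_EXEC which does not have
+	 * a randomized position).
+	 *
+	 * For example, to handle invocations of
 	 * "./ld.so someprog" to test out a new version of
 	 * the loader, the subsequent program that the
 	 * loader loads must avoid the loader itself, so
@@ -1123,6 +1118,9 @@
 	 * ELF_ET_DYN_BASE and loaders are loaded into the
 	 * independently randomized mmap region (0 load_bias
 	 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
+	 *
+	 * See below for "brk" handling details, which is
+	 * also affected by program vs loader and ASLR.
 	 */
 	if (interpreter) {
 		/* On ET_DYN with PT_INTERP, we do the ASLR. */
@@ -1242,8 +1234,6 @@
 	start_data += load_bias;
 	end_data += load_bias;
 
-	current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk);
-
 	if (interpreter) {
 		elf_entry = load_elf_interp(interp_elf_ex,
 					    interpreter,
@@ -1297,27 +1291,44 @@
 	mm->end_data = end_data;
 	mm->start_stack = bprm->p;
 
-	if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) {
+	/**
+	 * DOC: "brk" handling
+	 *
+	 * For architectures with ELF randomization, when executing a
+	 * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
+	 * move the brk area out of the mmap region and into the unused
+	 * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
+	 * early with the stack growing down or other regions being put
+	 * into the mmap region by the kernel (e.g. vdso).
+	 *
+	 * In the CONFIG_COMPAT_BRK case, though, everything is turned
+	 * off because we're not allowed to move the brk at all.
+	 */
+	if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
+	    IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
+	    elf_ex->e_type == ET_DYN && !interpreter) {
+		elf_brk = ELF_ET_DYN_BASE;
+		/* This counts as moving the brk, so let brk(2) know. */
+		brk_moved = true;
+	}
+	mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
+
+	if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
 		/*
-		 * For architectures with ELF randomization, when executing
-		 * a loader directly (i.e. no interpreter listed in ELF
-		 * headers), move the brk area out of the mmap region
-		 * (since it grows up, and may collide early with the stack
-		 * growing down), and into the unused ELF_ET_DYN_BASE region.
+		 * If we didn't move the brk to ELF_ET_DYN_BASE (above),
+		 * leave a gap between .bss and brk.
 		 */
-		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
-		    elf_ex->e_type == ET_DYN && !interpreter) {
-			mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
-		} else {
-			/* Otherwise leave a gap between .bss and brk. */
+		if (!brk_moved)
 			mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
-		}
 
 		mm->brk = mm->start_brk = arch_randomize_brk(mm);
+		brk_moved = true;
+	}
+
 #ifdef compat_brk_randomized
+	if (brk_moved)
 		current->brk_randomized = 1;
 #endif
-	}
 
 	if (current->personality & MMAP_PAGE_ZERO) {
 		/* Why this, you ask??? Well SVr4 maps page 0 as read-only,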
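Review bot: The new `DOC: "brk" handling` comment above the `if (!IS_ENABLED(CONFIG_COMPAT_BRK) && ...)` block never states that the relocation to ELF_ET_DYN_BASE now happens regardless of PF_RANDOMIZE, which is the whole point of this change; a reader who then reaches the `if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1)` block could still assume the move is ASLR-dependent, as it was in the removed code. I would add after "(e.g. vdso)." a line such as `* This is done even when ASLR is disabled for the process; the PF_RANDOMIZE block below only adds randomization on top.` It is also worth a short comment on `elf_brk = ELF_ET_DYN_BASE;` that the value is page-rounded by the `ELF_PAGEALIGN(elf_brk)` assignment that follows, since ELF_ET_DYN_BASE is arch-defined and, as far as I can tell from this hunk, not guaranteed page-aligned. The `brk_moved` flag is read by the `#ifdef compat_brk_randomized` block, so its declaration in the first hunk would benefit from `/* brk placed away from the end of .bss; see "brk" handling */`. The enclosing function starts and ends outside the visible hunks.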