Re: [PATCH v2] fs/binfmt_elf: Fix AT_PHDR for unusual ELF files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Akira,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on hnaz-mm/master]
[also build test WARNING on kees/for-next/pstore linus/master v5.16-rc2 next-20211123]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Akira-Kawata/fs-binfmt_elf-Fix-AT_PHDR-for-unusual-ELF-files/20211123-153459
base:   https://github.com/hnaz/linux-mm master
config: i386-randconfig-a012-20211123 (https://download.01.org/0day-ci/archive/20211124/202111240802.Wxm5q6aP-lkp@xxxxxxxxx/config.gz)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 49e3838145dff1ec91c2e67a2cb562775c8d2a08)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/8e8533fa0fdbe61a557de9268ea7091a75aebe81
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Akira-Kawata/fs-binfmt_elf-Fix-AT_PHDR-for-unusual-ELF-files/20211123-153459
        git checkout 8e8533fa0fdbe61a557de9268ea7091a75aebe81
        # save the config file to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=i386 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>

All warnings (new ones prefixed by >>):

>> fs/binfmt_elf.c:825:16: warning: variable 'load_addr' set but not used [-Wunused-but-set-variable]
           unsigned long load_addr = 0, load_bias = 0, phdr_addr = 0;
                         ^
   1 warning generated.


vim +/load_addr +825 fs/binfmt_elf.c

   821	
   822	static int load_elf_binary(struct linux_binprm *bprm)
   823	{
   824		struct file *interpreter = NULL; /* to shut gcc up */
 > 825		unsigned long load_addr = 0, load_bias = 0, phdr_addr = 0;
   826		int load_addr_set = 0;
   827		unsigned long error;
   828		struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
   829		struct elf_phdr *elf_property_phdata = NULL;
   830		unsigned long elf_bss, elf_brk;
   831		int bss_prot = 0;
   832		int retval, i;
   833		unsigned long elf_entry;
   834		unsigned long e_entry;
   835		unsigned long interp_load_addr = 0;
   836		unsigned long start_code, end_code, start_data, end_data;
   837		unsigned long reloc_func_desc __maybe_unused = 0;
   838		int executable_stack = EXSTACK_DEFAULT;
   839		struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
   840		struct elfhdr *interp_elf_ex = NULL;
   841		struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
   842		struct mm_struct *mm;
   843		struct pt_regs *regs;
   844	
   845		retval = -ENOEXEC;
   846		/* First of all, some simple consistency checks */
   847		if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
   848			goto out;
   849	
   850		if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
   851			goto out;
   852		if (!elf_check_arch(elf_ex))
   853			goto out;
   854		if (elf_check_fdpic(elf_ex))
   855			goto out;
   856		if (!bprm->file->f_op->mmap)
   857			goto out;
   858	
   859		elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
   860		if (!elf_phdata)
   861			goto out;
   862	
   863		elf_ppnt = elf_phdata;
   864		for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
   865			char *elf_interpreter;
   866	
   867			if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
   868				elf_property_phdata = elf_ppnt;
   869				continue;
   870			}
   871	
   872			if (elf_ppnt->p_type != PT_INTERP)
   873				continue;
   874	
   875			/*
   876			 * This is the program interpreter used for shared libraries -
   877			 * for now assume that this is an a.out format binary.
   878			 */
   879			retval = -ENOEXEC;
   880			if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
   881				goto out_free_ph;
   882	
   883			retval = -ENOMEM;
   884			elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
   885			if (!elf_interpreter)
   886				goto out_free_ph;
   887	
   888			retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
   889					  elf_ppnt->p_offset);
   890			if (retval < 0)
   891				goto out_free_interp;
   892			/* make sure path is NULL terminated */
   893			retval = -ENOEXEC;
   894			if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
   895				goto out_free_interp;
   896	
   897			interpreter = open_exec(elf_interpreter);
   898			kfree(elf_interpreter);
   899			retval = PTR_ERR(interpreter);
   900			if (IS_ERR(interpreter))
   901				goto out_free_ph;
   902	
   903			/*
   904			 * If the binary is not readable then enforce mm->dumpable = 0
   905			 * regardless of the interpreter's permissions.
   906			 */
   907			would_dump(bprm, interpreter);
   908	
   909			interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
   910			if (!interp_elf_ex) {
   911				retval = -ENOMEM;
   912				goto out_free_ph;
   913			}
   914	
   915			/* Get the exec headers */
   916			retval = elf_read(interpreter, interp_elf_ex,
   917					  sizeof(*interp_elf_ex), 0);
   918			if (retval < 0)
   919				goto out_free_dentry;
   920	
   921			break;
   922	
   923	out_free_interp:
   924			kfree(elf_interpreter);
   925			goto out_free_ph;
   926		}
   927	
   928		elf_ppnt = elf_phdata;
   929		for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
   930			switch (elf_ppnt->p_type) {
   931			case PT_GNU_STACK:
   932				if (elf_ppnt->p_flags & PF_X)
   933					executable_stack = EXSTACK_ENABLE_X;
   934				else
   935					executable_stack = EXSTACK_DISABLE_X;
   936				break;
   937	
   938			case PT_LOPROC ... PT_HIPROC:
   939				retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
   940							  bprm->file, false,
   941							  &arch_state);
   942				if (retval)
   943					goto out_free_dentry;
   944				break;
   945			}
   946	
   947		/* Some simple consistency checks for the interpreter */
   948		if (interpreter) {
   949			retval = -ELIBBAD;
   950			/* Not an ELF interpreter */
   951			if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
   952				goto out_free_dentry;
   953			/* Verify the interpreter has a valid arch */
   954			if (!elf_check_arch(interp_elf_ex) ||
   955			    elf_check_fdpic(interp_elf_ex))
   956				goto out_free_dentry;
   957	
   958			/* Load the interpreter program headers */
   959			interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
   960							   interpreter);
   961			if (!interp_elf_phdata)
   962				goto out_free_dentry;
   963	
   964			/* Pass PT_LOPROC..PT_HIPROC headers to arch code */
   965			elf_property_phdata = NULL;
   966			elf_ppnt = interp_elf_phdata;
   967			for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
   968				switch (elf_ppnt->p_type) {
   969				case PT_GNU_PROPERTY:
   970					elf_property_phdata = elf_ppnt;
   971					break;
   972	
   973				case PT_LOPROC ... PT_HIPROC:
   974					retval = arch_elf_pt_proc(interp_elf_ex,
   975								  elf_ppnt, interpreter,
   976								  true, &arch_state);
   977					if (retval)
   978						goto out_free_dentry;
   979					break;
   980				}
   981		}
   982	
   983		retval = parse_elf_properties(interpreter ?: bprm->file,
   984					      elf_property_phdata, &arch_state);
   985		if (retval)
   986			goto out_free_dentry;
   987	
   988		/*
   989		 * Allow arch code to reject the ELF at this point, whilst it's
   990		 * still possible to return an error to the code that invoked
   991		 * the exec syscall.
   992		 */
   993		retval = arch_check_elf(elf_ex,
   994					!!interpreter, interp_elf_ex,
   995					&arch_state);
   996		if (retval)
   997			goto out_free_dentry;
   998	
   999		/* Flush all traces of the currently running executable */
  1000		retval = begin_new_exec(bprm);
  1001		if (retval)
  1002			goto out_free_dentry;
  1003	
  1004		/* Do this immediately, since STACK_TOP as used in setup_arg_pages
  1005		   may depend on the personality.  */
  1006		SET_PERSONALITY2(*elf_ex, &arch_state);
  1007		if (elf_read_implies_exec(*elf_ex, executable_stack))
  1008			current->personality |= READ_IMPLIES_EXEC;
  1009	
  1010		if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
  1011			current->flags |= PF_RANDOMIZE;
  1012	
  1013		setup_new_exec(bprm);
  1014	
  1015		/* Do this so that we can load the interpreter, if need be.  We will
  1016		   change some of these later */
  1017		retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
  1018					 executable_stack);
  1019		if (retval < 0)
  1020			goto out_free_dentry;
  1021		
  1022		elf_bss = 0;
  1023		elf_brk = 0;
  1024	
  1025		start_code = ~0UL;
  1026		end_code = 0;
  1027		start_data = 0;
  1028		end_data = 0;
  1029	
  1030		/* Now we do a little grungy work by mmapping the ELF image into
  1031		   the correct location in memory. */
  1032		for(i = 0, elf_ppnt = elf_phdata;
  1033		    i < elf_ex->e_phnum; i++, elf_ppnt++) {
  1034			int elf_prot, elf_flags;
  1035			unsigned long k, vaddr;
  1036			unsigned long total_size = 0;
  1037			unsigned long alignment;
  1038	
  1039			if (elf_ppnt->p_type != PT_LOAD)
  1040				continue;
  1041	
  1042			if (unlikely (elf_brk > elf_bss)) {
  1043				unsigned long nbyte;
  1044		            
  1045				/* There was a PT_LOAD segment with p_memsz > p_filesz
  1046				   before this one. Map anonymous pages, if needed,
  1047				   and clear the area.  */
  1048				retval = set_brk(elf_bss + load_bias,
  1049						 elf_brk + load_bias,
  1050						 bss_prot);
  1051				if (retval)
  1052					goto out_free_dentry;
  1053				nbyte = ELF_PAGEOFFSET(elf_bss);
  1054				if (nbyte) {
  1055					nbyte = ELF_MIN_ALIGN - nbyte;
  1056					if (nbyte > elf_brk - elf_bss)
  1057						nbyte = elf_brk - elf_bss;
  1058					if (clear_user((void __user *)elf_bss +
  1059								load_bias, nbyte)) {
  1060						/*
  1061						 * This bss-zeroing can fail if the ELF
  1062						 * file specifies odd protections. So
  1063						 * we don't check the return value
  1064						 */
  1065					}
  1066				}
  1067			}
  1068	
  1069			elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
  1070					     !!interpreter, false);
  1071	
  1072			elf_flags = MAP_PRIVATE;
  1073	
  1074			vaddr = elf_ppnt->p_vaddr;
  1075			/*
  1076			 * The first time through the loop, load_addr_set is false:
  1077			 * layout will be calculated. Once set, use MAP_FIXED since
  1078			 * we know we've already safely mapped the entire region with
  1079			 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
  1080			 */
  1081			if (load_addr_set) {
  1082				elf_flags |= MAP_FIXED;
  1083			} else if (elf_ex->e_type == ET_EXEC) {
  1084				/*
  1085				 * This logic is run once for the first LOAD Program
  1086				 * Header for ET_EXEC binaries. No special handling
  1087				 * is needed.
  1088				 */
  1089				elf_flags |= MAP_FIXED_NOREPLACE;
  1090			} else if (elf_ex->e_type == ET_DYN) {
  1091				/*
  1092				 * This logic is run once for the first LOAD Program
  1093				 * Header for ET_DYN binaries to calculate the
  1094				 * randomization (load_bias) for all the LOAD
  1095				 * Program Headers.
  1096				 *
  1097				 * There are effectively two types of ET_DYN
  1098				 * binaries: programs (i.e. PIE: ET_DYN with INTERP)
  1099				 * and loaders (ET_DYN without INTERP, since they
  1100				 * _are_ the ELF interpreter). The loaders must
  1101				 * be loaded away from programs since the program
  1102				 * may otherwise collide with the loader (especially
  1103				 * for ET_EXEC which does not have a randomized
  1104				 * position). For example to handle invocations of
  1105				 * "./ld.so someprog" to test out a new version of
  1106				 * the loader, the subsequent program that the
  1107				 * loader loads must avoid the loader itself, so
  1108				 * they cannot share the same load range. Sufficient
  1109				 * room for the brk must be allocated with the
  1110				 * loader as well, since brk must be available with
  1111				 * the loader.
  1112				 *
  1113				 * Therefore, programs are loaded offset from
  1114				 * ELF_ET_DYN_BASE and loaders are loaded into the
  1115				 * independently randomized mmap region (0 load_bias
  1116				 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
  1117				 */
  1118				if (interpreter) {
  1119					load_bias = ELF_ET_DYN_BASE;
  1120					if (current->flags & PF_RANDOMIZE)
  1121						load_bias += arch_mmap_rnd();
  1122					alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
  1123					if (alignment)
  1124						load_bias &= ~(alignment - 1);
  1125					elf_flags |= MAP_FIXED_NOREPLACE;
  1126				} else
  1127					load_bias = 0;
  1128	
  1129				/*
  1130				 * Since load_bias is used for all subsequent loading
  1131				 * calculations, we must lower it by the first vaddr
  1132				 * so that the remaining calculations based on the
  1133				 * ELF vaddrs will be correctly offset. The result
  1134				 * is then page aligned.
  1135				 */
  1136				load_bias = ELF_PAGESTART(load_bias - vaddr);
  1137			}
  1138	
  1139			/*
  1140			 * Calculate the entire size of the ELF mapping (total_size).
  1141			 * (Note that load_addr_set is set to true later once the
  1142			 * initial mapping is performed.)
  1143			 */
  1144			if (!load_addr_set) {
  1145				total_size = total_mapping_size(elf_phdata,
  1146								elf_ex->e_phnum);
  1147				if (!total_size) {
  1148					retval = -EINVAL;
  1149					goto out_free_dentry;
  1150				}
  1151			}
  1152	
  1153			error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
  1154					elf_prot, elf_flags, total_size);
  1155			if (BAD_ADDR(error)) {
  1156				retval = IS_ERR((void *)error) ?
  1157					PTR_ERR((void*)error) : -EINVAL;
  1158				goto out_free_dentry;
  1159			}
  1160	
  1161			if (!load_addr_set) {
  1162				load_addr_set = 1;
  1163				load_addr = (elf_ppnt->p_vaddr - elf_ppnt->p_offset);
  1164				if (elf_ex->e_type == ET_DYN) {
  1165					load_bias += error -
  1166					             ELF_PAGESTART(load_bias + vaddr);
  1167					load_addr += load_bias;
  1168					reloc_func_desc = load_bias;
  1169				}
  1170			}
  1171	
  1172			if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
  1173			    elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
  1174				phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
  1175					    elf_ppnt->p_vaddr;
  1176			}
  1177	
  1178			k = elf_ppnt->p_vaddr;
  1179			if ((elf_ppnt->p_flags & PF_X) && k < start_code)
  1180				start_code = k;
  1181			if (start_data < k)
  1182				start_data = k;
  1183	
  1184			/*
  1185			 * Check to see if the section's size will overflow the
  1186			 * allowed task size. Note that p_filesz must always be
  1187			 * <= p_memsz so it is only necessary to check p_memsz.
  1188			 */
  1189			if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
  1190			    elf_ppnt->p_memsz > TASK_SIZE ||
  1191			    TASK_SIZE - elf_ppnt->p_memsz < k) {
  1192				/* set_brk can never work. Avoid overflows. */
  1193				retval = -EINVAL;
  1194				goto out_free_dentry;
  1195			}
  1196	
  1197			k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
  1198	
  1199			if (k > elf_bss)
  1200				elf_bss = k;
  1201			if ((elf_ppnt->p_flags & PF_X) && end_code < k)
  1202				end_code = k;
  1203			if (end_data < k)
  1204				end_data = k;
  1205			k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
  1206			if (k > elf_brk) {
  1207				bss_prot = elf_prot;
  1208				elf_brk = k;
  1209			}
  1210		}
  1211	
  1212		e_entry = elf_ex->e_entry + load_bias;
  1213		phdr_addr += load_bias;
  1214		elf_bss += load_bias;
  1215		elf_brk += load_bias;
  1216		start_code += load_bias;
  1217		end_code += load_bias;
  1218		start_data += load_bias;
  1219		end_data += load_bias;
  1220	
  1221		/* Calling set_brk effectively mmaps the pages that we need
  1222		 * for the bss and break sections.  We must do this before
  1223		 * mapping in the interpreter, to make sure it doesn't wind
  1224		 * up getting placed where the bss needs to go.
  1225		 */
  1226		retval = set_brk(elf_bss, elf_brk, bss_prot);
  1227		if (retval)
  1228			goto out_free_dentry;
  1229		if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
  1230			retval = -EFAULT; /* Nobody gets to see this, but.. */
  1231			goto out_free_dentry;
  1232		}
  1233	
  1234		if (interpreter) {
  1235			elf_entry = load_elf_interp(interp_elf_ex,
  1236						    interpreter,
  1237						    load_bias, interp_elf_phdata,
  1238						    &arch_state);
  1239			if (!IS_ERR((void *)elf_entry)) {
  1240				/*
  1241				 * load_elf_interp() returns relocation
  1242				 * adjustment
  1243				 */
  1244				interp_load_addr = elf_entry;
  1245				elf_entry += interp_elf_ex->e_entry;
  1246			}
  1247			if (BAD_ADDR(elf_entry)) {
  1248				retval = IS_ERR((void *)elf_entry) ?
  1249						(int)elf_entry : -EINVAL;
  1250				goto out_free_dentry;
  1251			}
  1252			reloc_func_desc = interp_load_addr;
  1253	
  1254			allow_write_access(interpreter);
  1255			fput(interpreter);
  1256	
  1257			kfree(interp_elf_ex);
  1258			kfree(interp_elf_phdata);
  1259		} else {
  1260			elf_entry = e_entry;
  1261			if (BAD_ADDR(elf_entry)) {
  1262				retval = -EINVAL;
  1263				goto out_free_dentry;
  1264			}
  1265		}
  1266	
  1267		kfree(elf_phdata);
  1268	
  1269		set_binfmt(&elf_format);
  1270	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux