On Fri, Jul 8, 2016 at 5:48 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > A double-bug exists in the bss calculation code, where an overflow can > happen in the "last_bss - elf_bss" calculation, but vm_brk internally > aligns the argument, underflowing it, wrapping back around safe. We > shouldn't depend on these bugs staying in sync, so this cleans up the bss > padding handling to avoid the overflow. > > This moves the bss padzero() before the last_bss > elf_bss case, since > the zero-filling of the ELF_PAGE should have nothing to do with the > relationship of last_bss and elf_bss: any trailing portion should be > zeroed, and a zero size is already handled by padzero(). > > Then it handles the math on elf_bss vs last_bss correctly. These need > to both be ELF_PAGE aligned to get the comparison correct, since that's > the expected granularity of the mappings. Since elf_bss already had > alignment-based padding happen in padzero(), the "start" of the new > vm_brk() should be moved forward as done in the original code. However, > since the "end" of the vm_brk() area will already become PAGE_ALIGNed in > vm_brk() then last_bss should get aligned here to avoid hiding it as a > side-effect. > > Additionally makes a cosmetic change to the initial last_bss calculation > so it's easier to read in comparison to the load_addr calculation above it > (i.e. the only difference is p_filesz vs p_memsz). > > Reported-by: Hector Marco-Gisbert <hecmargi@xxxxxx> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Andrew or Al, can you pick this up for -next? It doesn't depend on the do_brk() fix (patch 2/2)... -Kees > --- > fs/binfmt_elf.c | 34 ++++++++++++++++++---------------- > 1 file changed, 18 insertions(+), 16 deletions(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index e158b22ef32f..fe948933bcc5 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -605,28 +605,30 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, > * Do the same thing for the memory mapping - between > * elf_bss and last_bss is the bss section. > */ > - k = load_addr + eppnt->p_memsz + eppnt->p_vaddr; > + k = load_addr + eppnt->p_vaddr + eppnt->p_memsz; > if (k > last_bss) > last_bss = k; > } > } > > + /* > + * Now fill out the bss section: first pad the last page from > + * the file up to the page boundary, and zero it from elf_bss > + * up to the end of the page. > + */ > + if (padzero(elf_bss)) { > + error = -EFAULT; > + goto out; > + } > + /* > + * Next, align both the file and mem bss up to the page size, > + * since this is where elf_bss was just zeroed up to, and where > + * last_bss will end after the vm_brk() below. > + */ > + elf_bss = ELF_PAGEALIGN(elf_bss); > + last_bss = ELF_PAGEALIGN(last_bss); > + /* Finally, if there is still more bss to allocate, do it. */ > if (last_bss > elf_bss) { > - /* > - * Now fill out the bss section. First pad the last page up > - * to the page boundary, and then perform a mmap to make sure > - * that there are zero-mapped pages up to and including the > - * last bss page. > - */ > - if (padzero(elf_bss)) { > - error = -EFAULT; > - goto out; > - } > - > - /* What we have mapped so far */ > - elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1); > - > - /* Map the last of the bss segment */ > error = vm_brk(elf_bss, last_bss - elf_bss); > if (error) > goto out; > -- > 2.7.4 > -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>