From nobody Fri Feb 13 11:00:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1396EE80A82 for ; Wed, 27 Sep 2023 04:49:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229611AbjI0Etk (ORCPT ); Wed, 27 Sep 2023 00:49:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229485AbjI0Esw (ORCPT ); Wed, 27 Sep 2023 00:48:52 -0400 Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56B443AB1 for ; Tue, 26 Sep 2023 20:42:25 -0700 (PDT) Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-692b2bdfce9so7550219b3a.3 for ; Tue, 26 Sep 2023 20:42:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1695786145; x=1696390945; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=psNe55NiIGmm2xWNk7Y7WSenoVYReQWIa41A35qkMTo=; b=DMgt7E8zbjdDxpmCg9lVKkaaMN5PJ8SCsJBHXx4/bPe0fcnr4RiVcettQb2AyiHLJt WRYfU4rkd/G3iLCuExCN+SdDhRs6JghrEnjQNd6OpCYRqQr8S4xGdKG/Uyo1piDLPEN4 IKGkUT2o5cda7EDvkdd5tYH44m2IAQYre1fi8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695786145; x=1696390945; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=psNe55NiIGmm2xWNk7Y7WSenoVYReQWIa41A35qkMTo=; b=jZdqvXQ3S5EJNIm/xwqSGVVLRlYrA3ThBJT68bjNwNdSeM0V+rM1nbEiZ/o24XJ86x eyL65yLsVW2aWQ+Vy1GWQJZPbpD/plHGyv5a576etxUpZ9g5d/E5qgIEt/0vIH5qH2qD 
9id+zKIYpeZ5pX3DPnPqWttBf6cjfrpCpryV0LHJAm/G72ap5wMKZysezo2sl5gLj1RL OhGJOqaRiBtQMIqjlCGF/MhVtrLh4+IM3pjxgmPaYoPQtMuUDxgp7h+kOXlrvf7WxJel YxP/bDYXLxQkh7ZF85zlJCjjmGdn3oLhYQ4JX7Pzhf8basKJclFAGxh97pCTiS/cQnII 810A== X-Gm-Message-State: AOJu0YzmmEETKaOn7u8m6GB+lQcugeHYIFT6k6Aku8CMWxxwlHoCOSSM 9e8BYCGgnwvrmr4Ro4Vhp99Q/g== X-Google-Smtp-Source: AGHT+IH5EAvrsjyvsdjMBX+hRb48/9Odz2jhGyduyLfeui8bYT0jgwoq8H4vxWQ8plZNKiKb1c39bg== X-Received: by 2002:a05:6a00:1745:b0:690:3b59:cc7a with SMTP id j5-20020a056a00174500b006903b59cc7amr1223964pfc.23.1695786144630; Tue, 26 Sep 2023 20:42:24 -0700 (PDT) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id l21-20020a62be15000000b0068fe5a5a566sm11050779pff.142.2023.09.26.20.42.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 20:42:24 -0700 (PDT) 
From: Kees Cook To: Eric Biederman Cc: Kees Cook , Alexander Viro , Christian Brauner , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Pedro Falcato , Sebastian Ott , =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v3 4/4] binfmt_elf: Use elf_load() for interpreter Date: Tue, 26 Sep 2023 20:42:21 -0700 Message-Id: <20230927034223.986157-4-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230927033634.make.602-kees@kernel.org> References: <20230927033634.make.602-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2946; i=keescook@chromium.org; h=from:subject; bh=ESjAlwugvTKH54m807EA0V7P1zfqWIUst+9ebRisI1g=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlE6SdTC81Lo/IK1HXDqbNXd8+1ZQdNAkLqgYld ib+qt6Vsy+JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZROknQAKCRCJcvTf3G3A JtadEACKjgl6qtJqAh0AMdgrhwl3xNt5d2qNuR5potUxETk/BXU7u2GTXYtP2F9RDpOrkDiKZgs kHaZ+K0S58tXoM1EESrVf9DgwoH2Yiu3a5Wnx/9cSLQ39gLchJc9iacJBevN5PWRNSQGhPINVHD ppnkc1dc2MgRLHRWccbGhLJoWY9ypb0+DB2+c326VYEE9A6ZcH0XF2mBBGZWXFdJf5FqvPjjP7d 3aH1zRNKNI0RS4QKXR0yRxvLTkQu1CHaVV2EUyc2z8A2QyuQlLPUE/1Sndgz+rJf4zaBAGoUu15 xtdsaw1/9QllvwqXSugoOkXpIIDx4n8QOYsgxRkRVM1a+KkJy54IQyjYj7yhw+IlJhX1NVUKiwd 5TyNEMzi/OHgIlQ0Zx61x8PDB9FHITdRrPmmhjgmSMl5lVf/iutiyYsdRdW/udNxhJwecomGd+V FPKrzpAU5XCcgfQavEm4SC012nzVWQXMKBChSTYtRcchUfBI8yKMx0vBF3AUzEGnUxkenFTBZCX 501e3882lR4jnNHar/3lok+SU91dFINJ79VHpEjsURQH5gylPvdbtX+i1nqijpI8fY16XKQPVsO A9WZlk3iYIvwmclIZazzIknfX61fR/qhvIhhre1iOr1xSWFFYOOhAzzXr+/bT6hmLGWrqrb36DM i6jNABcOoxu5qhA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Handle arbitrary memsz>filesz in interpreter ELF segments, instead of only supporting it in the last segment (which is expected to be the BSS). 
Cc: Eric Biederman Cc: Alexander Viro Cc: Christian Brauner Cc: linux-fsdevel@vger.kernel.org Cc: linux-mm@kvack.org Reported-by: Pedro Falcato Closes: https://lore.kernel.org/lkml/20221106021657.1145519-1-pedro.falcato= @gmail.com/ Signed-off-by: Kees Cook --- fs/binfmt_elf.c | 46 +--------------------------------------------- 1 file changed, 1 insertion(+), 45 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index b939cfe3215c..74af5c8319a0 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -635,8 +635,6 @@ static unsigned long load_elf_interp(struct elfhdr *int= erp_elf_ex, struct elf_phdr *eppnt; unsigned long load_addr =3D 0; int load_addr_set =3D 0; - unsigned long last_bss =3D 0, elf_bss =3D 0; - int bss_prot =3D 0; unsigned long error =3D ~0UL; unsigned long total_size; int i; @@ -673,7 +671,7 @@ static unsigned long load_elf_interp(struct elfhdr *int= erp_elf_ex, else if (no_base && interp_elf_ex->e_type =3D=3D ET_DYN) load_addr =3D -vaddr; =20 - map_addr =3D elf_map(interpreter, load_addr + vaddr, + map_addr =3D elf_load(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type, total_size); total_size =3D 0; error =3D map_addr; 
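Review bot: At the changed call `map_addr = elf_load(interpreter, load_addr + vaddr, ...)` the only visible error check is on the returned `map_addr`, so every zero-fill failure now has to come back through that value. The tail deleted in the last hunk reported these itself (`-EFAULT` from `padzero()`, the `vm_brk_flags()` error). elf_load() is defined outside this patch, so that cannot be confirmed from here. It is worth checking that, for each segment with p_memsz > p_filesz, it zeroes the rest of the last file-backed page; otherwise file bytes past p_filesz would sit where the interpreter expects zeroed memory. A comment above the call would record the contract, e.g. `/* elf_load() maps the file part and zero-fills any p_memsz > p_filesz tail; errors are returned in map_addr. */`. load_elf_interp() starts and ends outside the hunk.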
@@ -699,51 +697,9 @@ static unsigned long load_elf_interp(struct elfhdr *in= terp_elf_ex, error =3D -ENOMEM; goto out; } - - /* - * Find the end of the file mapping for this phdr, and - * keep track of the largest address we see for this. - */ - k =3D load_addr + eppnt->p_vaddr + eppnt->p_filesz; - if (k > elf_bss) - elf_bss =3D k; - - /* - * Do the same thing for the memory mapping - between - * elf_bss and last_bss is the bss section. - */ - k =3D load_addr + eppnt->p_vaddr + eppnt->p_memsz; - if (k > last_bss) { - last_bss =3D k; - bss_prot =3D elf_prot; - } } } =20 - /* - * Now fill out the bss section: first pad the last page from - * the file up to the page boundary, and zero it from elf_bss - * up to the end of the page. - */ - if (padzero(elf_bss, bss_prot)) { - error =3D -EFAULT; - goto out; - } - /* - * Next, align both the file and mem bss up to the page size, - * since this is where elf_bss was just zeroed up to, and where - * last_bss will end after the vm_brk_flags() below. - */ - elf_bss =3D ELF_PAGEALIGN(elf_bss); - last_bss =3D ELF_PAGEALIGN(last_bss); - /* Finally, if there is still more bss to allocate, do it. */ - if (last_bss > elf_bss) { - error =3D vm_brk_flags(elf_bss, last_bss - elf_bss, - bss_prot & PROT_EXEC ? VM_EXEC : 0); - if (error) - goto out; - } - error =3D load_addr; out: return error; --=20 2.34.1