From: Kees Cook
To: Eric Biederman
Cc: Kees Cook, Alexander Viro, Christian Brauner, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Sebastian Ott, Thomas Weißschuh, Pedro Falcato, Andrew Morton, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v4 5/6] binfmt_elf: Only report padzero() errors when PROT_WRITE
Date: Thu, 28 Sep 2023 20:24:33 -0700
Message-Id: <20230929032435.2391507-5-keescook@chromium.org>
In-Reply-To: <20230929031716.it.155-kees@kernel.org>
References: <20230929031716.it.155-kees@kernel.org>

Errors with padzero() should be caught unless we're expecting a
pathological (non-writable) segment. Report -EFAULT only when PROT_WRITE
is present.

Additionally add some more documentation to padzero(), elf_map(), and
elf_load().

Cc: Eric Biederman
Cc: Alexander Viro
Cc: Christian Brauner
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
Suggested-by: Eric Biederman
Signed-off-by: Kees Cook
---
 fs/binfmt_elf.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index f8b4747f87ed..22027b0a5923 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -110,19 +110,19 @@ static struct linux_binfmt elf_format = { #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE)) -/* We need to explicitly zero any fractional pages - after the data section (i.e. bss). This would - contain the junk from the file that should not - be in memory +/* + * We need to explicitly zero any trailing portion of the page that follows + * p_filesz when it ends before the page ends (e.g. bss), otherwise this + * memory will contain the junk from the file that should not be present. */ -static int padzero(unsigned long elf_bss) +static int padzero(unsigned long address) { unsigned long nbyte; - nbyte = ELF_PAGEOFFSET(elf_bss); + nbyte = ELF_PAGEOFFSET(address); if (nbyte) { nbyte = ELF_MIN_ALIGN - nbyte; - if (clear_user((void __user *) elf_bss, nbyte)) + if (clear_user((void __user *)address, nbyte)) return -EFAULT; } return 0; 
@@ -348,6 +348,11 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec, return 0; } +/* + * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset" + * into memory at "addr". (Note that p_filesz is rounded up to the + * next page, so any extra bytes from the file must be wiped.) + */ static unsigned long elf_map(struct file *filep, unsigned long addr, const struct elf_phdr *eppnt, int prot, int type, unsigned long total_size) @@ -387,6 +392,11 @@ static unsigned long elf_map(struct file *filep, unsigned long addr, return(map_addr); } +/* + * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset" + * into memory at "addr". Memory from "p_filesz" through "p_memsz" + * rounded up to the next page is zeroed. + */ static unsigned long elf_load(struct file *filep, unsigned long addr, const struct elf_phdr *eppnt, int prot, int type, unsigned long total_size) @@ -404,8 +414,12 @@ static unsigned long elf_load(struct file *filep, unsigned long addr, zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) + eppnt->p_memsz; - /* Zero the end of the last mapped page */ - padzero(zero_start); + /* + * Zero the end of the last mapped page but ignore + * any errors if the segment isn't writable. + */ + if (padzero(zero_start) && (prot & PROT_WRITE)) + return -EFAULT; } } else { map_addr = zero_start = ELF_PAGESTART(addr); -- 2.34.1
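
Review bot: In the padzero() hunk (@@ -110,19), the new comment does not state the return contract, even though the caller now acts on the result. Say there that padzero() returns 0 when the address is already aligned or the clear succeeds, and -EFAULT when clear_user() fails. The elf_bss to address rename is also absent from the changelog, which only mentions added documentation; a short mention would help anyone reading the history later.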
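
Review bot: In the elf_map() comment (@@ -348,6), "any extra bytes from the file must be wiped" does not say who does the wiping. Read on its own, the comment leaves open whether elf_map() handles it or the caller must; name the responsible party so that a future direct caller of elf_map() does not leave file contents past p_filesz in the mapping.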
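
Review bot: In the elf_load() comment (@@ -387,6), "is zeroed" reads as unconditional, but the final hunk ignores a padzero() failure when prot lacks PROT_WRITE. Document that exception and the new -EFAULT return here. The first sentence is also a word-for-word copy of the elf_map() comment and could instead describe what elf_load() adds on top of it.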
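
Review bot: In the last hunk (@@ -404,8), "return -EFAULT" comes out of a function declared as returning unsigned long, so the error travels as an address-sized value. It is worth confirming that every caller tests the result in a way that catches it (BAD_ADDR() is defined near the top of the file). Separately, when the segment is not writable and padzero() fails, the bytes past p_filesz that the padzero() comment calls "junk from the file" stay in the mapping; the comment here should say that this is an accepted outcome, not only that the error is ignored.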