From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook, y0un9n132@gmail.com, Sasha Levin, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
Date: Sun, 26 May 2024 05:41:44 -0400
Message-ID: <20240526094152.3412316-12-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240526094152.3412316-1-sashal@kernel.org>
References: <20240526094152.3412316-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.9.1
Content-Transfer-Encoding: 8bit
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org

From: Kees Cook

[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]

Currently the brk starts its randomization immediately after .bss, which
means there is a chance that when the random offset is 0, linear overflows
from .bss can reach into the brk area. Leave at least a single page gap
between .bss and brk (when it has not already been explicitly relocated
into the mmap range).

Reported-by:
Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 fs/binfmt_elf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 5397b552fbeb5..7862962f7a859 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
 	if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
 	    elf_ex->e_type == ET_DYN && !interpreter) {
 		mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
+	} else {
+		/* Otherwise leave a gap between .bss and brk. */
+		mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
 	}
 
 	mm->brk = mm->start_brk = arch_randomize_brk(mm);
-- 
2.43.0
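Review bot: the new `else` branch sits in the same block as the `mm->brk = mm->start_brk = arch_randomize_brk(mm);` line that follows it, so the gap is only left on the path that also randomizes brk; if that block is guarded by a randomization check (the guard is outside the hunk), a process for which brk randomization is skipped still gets brk directly after .bss, while the commit message reads as if the page gap were unconditional. Either state that scope in the commit message and in the `/* Otherwise leave a gap between .bss and brk. */` comment, or move the `+ PAGE_SIZE` so it applies whether or not randomization runs. A smaller point: the value written by `mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;` is overwritten two lines later by `arch_randomize_brk(mm)`, so the gap survives only because each arch's `arch_randomize_brk()` takes `mm->brk` as the low end of its range; the comment should say that the temporary assignment exists to feed that call.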
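A user-space check for the layout the commit message describes, added here as an example; it is not code from the patch or from the kernel tree. It measures how far the initial program break of the running process sits above the end of its own .bss, which is the distance a linear overflow out of .bss would have to cover before it reaches the heap. It assumes a GNU/Linux toolchain in which the linker defines `_end` as the first byte past .bss, and that brk is sampled before anything has called brk/sbrk. The function names (`bss_to_brk_gap`, `brk_layout`, `bss_buf_below_end`) and the `bss_buf` array are the example's own.

```c
/*
 * Added example (not from the patch or the kernel): report the distance
 * between the end of this process's .bss and its initial program break.
 * On a kernel with the change above, and brk randomization in effect, the
 * distance is at least one page even when the random offset is 0; on an
 * older kernel an offset of 0 leaves brk directly after .bss.
 *
 * Assumes GNU/Linux: the linker provides `_end` (first byte past .bss) and
 * sbrk(0) returns the current break. _GNU_SOURCE keeps sbrk declared under
 * strict -std= modes.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char _end[];          /* linker-provided symbol: end of .bss */

static char bss_buf[8192];   /* zero-initialised, so it is placed in .bss */

/* First page boundary at or above the end of .bss. The kernel page-aligns
 * the end of .bss before choosing where brk starts, so this is the lowest
 * address brk can begin at. */
static uintptr_t bss_end_page(void)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    return ((uintptr_t)_end + page - 1) & ~(page - 1);
}

/* Bytes from the page-aligned end of .bss to the current program break.
 * 0: the heap will begin in the page right after .bss (no guard gap).
 * > 0: that many bytes are unmapped between .bss and the heap.
 * < 0: brk was placed below .bss (e.g. the ELF_ET_DYN_BASE branch in the
 *      hunk), so it is not adjacent at all. */
long bss_to_brk_gap(void)
{
    uintptr_t brk0 = (uintptr_t)sbrk(0);
    return (long)(brk0 - bss_end_page());
}

/* Human-readable classification of the measurement above. */
const char *brk_layout(void)
{
    long gap = bss_to_brk_gap();

    if (gap < 0)
        return "relocated";   /* brk not above .bss */
    if (gap == 0)
        return "adjacent";    /* the case the patch removes */
    return "gap";             /* at least one page of slack */
}

/* Sanity check on the assumption the measurement relies on: our .bss
 * object really lies below _end. */
int bss_buf_below_end(void)
{
    return (uintptr_t)bss_buf + sizeof bss_buf <= (uintptr_t)_end;
}

int main(void)
{
    /* Sample before stdio's first malloc can move the break. */
    long gap = bss_to_brk_gap();
    const char *layout = brk_layout();
    unsigned long brk0 = (unsigned long)bss_end_page() + (unsigned long)gap;

    printf("page-aligned end of .bss: %#lx\n", (unsigned long)bss_end_page());
    printf("initial brk:              %#lx\n", brk0);
    printf("distance: %ld bytes, layout: %s\n", gap, layout);

    /* Non-zero exit on the layout the patch is meant to eliminate. */
    return strcmp(layout, "adjacent") == 0 ? 1 : 0;
}
```

Run it several times on a kernel without the change and with `randomize_va_space` at 2: some runs print `layout: adjacent`, the offset-0 case the commit message refers to. With the change applied, the randomized path always reports `gap`. A `relocated` result means the binary took the first branch of the hunk (ET_DYN loaded without an interpreter), where brk lives elsewhere and the gap question does not arise.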