From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook, y0un9n132@gmail.com, Sasha Levin, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH AUTOSEL 6.8 12/14] binfmt_elf: Leave a gap between .bss and brk
Date: Sun, 26 May 2024 05:42:17 -0400
Message-ID: <20240526094224.3412675-12-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240526094224.3412675-1-sashal@kernel.org>
References: <20240526094224.3412675-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 6.8.10
From: Kees Cook

[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]

Currently the brk starts its randomization immediately after .bss, which means there is a chance that when the random offset is 0, linear overflows from .bss can reach into the brk area. Leave at least a single page gap between .bss and brk (when it has not already been explicitly relocated into the mmap range).

Reported-by:
Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 fs/binfmt_elf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 5397b552fbeb5..7862962f7a859 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm) if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && elf_ex->e_type == ET_DYN && !interpreter) { mm->brk = mm->start_brk = ELF_ET_DYN_BASE; + } else { + /* Otherwise leave a gap between .bss and brk. */ + mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; } mm->brk = mm->start_brk = arch_randomize_brk(mm);
-- 
2.43.0
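Review bot: the PAGE_SIZE bump in the new else branch is applied only inside the block that ends with the `mm->brk = mm->start_brk = arch_randomize_brk(mm);` call, so any path that sets up brk without entering this block keeps brk directly adjacent to .bss; the commit message's unqualified "leave at least a single page gap" should state that scope, or the bump should be hoisted so it also covers those paths. The comment `/* Otherwise leave a gap between .bss and brk. */` would also be clearer if it said what the gap buys: with a random offset of 0 the old layout put the first brk page immediately after .bss, whereas now a linear overflow out of .bss first hits an unmapped page and faults, which is the detectable failure the change is after. Worth recording too that the gap is exactly one page, so the mitigation is probabilistic for overflows longer than PAGE_SIZE; that matches the commit message's "at least" but readers of the comment alone will not know it.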
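To make the commit message's argument concrete, here is an added example (not part of the patch or of the kernel's code) that models where `load_elf_binary()` places `start_brk` relative to the end of .bss, before and after the change, and then measures the actual gap in the running process. The model names (`model_start_brk`, `model_gap`, `page_align`, the 4 KiB page size) are mine; `random_offset` stands in for whatever `arch_randomize_brk()` adds, so the zero-offset case the commit message worries about can be exercised deterministically. The live check assumes Linux with glibc (the linker's `_end` symbol marks the end of .bss, `sbrk(0)` returns the current break) and that libc has not already moved the break before the function runs; its value is kernel- and ASLR-dependent, so it is reported rather than asserted.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Assumed page size for the model; the kernel uses PAGE_SIZE. */
#define MODEL_PAGE_SIZE 4096UL

/* Round up to the next page boundary, as the kernel's ELF_PAGEALIGN() does. */
static uintptr_t page_align(uintptr_t x)
{
    return (x + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);
}

/*
 * Model of the non-relocated path in load_elf_binary(): brk starts at the
 * page-aligned end of .bss, the patch's else branch adds one page when
 * with_gap is true, and arch_randomize_brk() then adds random_offset.
 * The ET_DYN-without-interpreter path (brk moved to ELF_ET_DYN_BASE) is
 * not modelled; the commit message excludes it explicitly.
 */
static uintptr_t model_start_brk(uintptr_t end_bss, bool with_gap,
                                 uintptr_t random_offset)
{
    uintptr_t brk = page_align(end_bss);
    if (with_gap)
        brk += MODEL_PAGE_SIZE;   /* mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; */
    return brk + random_offset;   /* mm->brk = mm->start_brk = arch_randomize_brk(mm); */
}

/* Bytes of address space between the end of .bss and the first brk byte. */
static uintptr_t model_gap(uintptr_t end_bss, bool with_gap, uintptr_t random_offset)
{
    return model_start_brk(end_bss, with_gap, random_offset) - page_align(end_bss);
}

/* True when a linear write of 'overflow_len' bytes past the end of .bss
 * would land inside the brk area without first touching an unmapped page. */
static bool overflow_reaches_brk(uintptr_t end_bss, bool with_gap,
                                 uintptr_t random_offset, uintptr_t overflow_len)
{
    /* Only a zero gap puts brk directly adjacent to .bss; any gap is unmapped. */
    uintptr_t gap = model_gap(end_bss, with_gap, random_offset);
    return gap == 0 && overflow_len > 0;
}

/* Live check (Linux/glibc): initial break minus page-aligned end of .bss. */
extern char _end;
static long measured_gap_bytes(void)
{
    uintptr_t brk0 = (uintptr_t)sbrk(0);
    return (long)(brk0 - page_align((uintptr_t)&_end));
}

int main(void)
{
    /* Constructed end-of-.bss address; any value works for the model. */
    const uintptr_t end_bss = 0x601234;

    printf("old layout, offset 0: gap %lu bytes, overflow reaches brk: %s\n",
           (unsigned long)model_gap(end_bss, false, 0),
           overflow_reaches_brk(end_bss, false, 0, 16) ? "yes" : "no");
    printf("new layout, offset 0: gap %lu bytes, overflow reaches brk: %s\n",
           (unsigned long)model_gap(end_bss, true, 0),
           overflow_reaches_brk(end_bss, true, 0, 16) ? "yes" : "no");
    printf("this process: %ld bytes between end of .bss and the break\n",
           measured_gap_bytes());
    return 0;
}
```

Run it on a kernel with and without the patch: with ASLR on, the measured value is random in both cases, but with the patch it should never be 0 (or, for a dynamically linked binary, never below the page size), which is the property a regression test for this change should check over many runs rather than once.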