From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook , y0un9n132@gmail.com, Sasha Levin , viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH AUTOSEL 5.10 4/5] binfmt_elf: Leave a gap between .bss and brk
Date: Sun, 26 May 2024 05:43:40 -0400
Message-ID: <20240526094342.3413841-4-sashal@kernel.org>
In-Reply-To: <20240526094342.3413841-1-sashal@kernel.org>
References: <20240526094342.3413841-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 5.10.217
From: Kees Cook [ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ] Currently the brk starts its randomization immediately after .bss, which means there is a chance that when the random offset is 0, linear overflows from .bss can reach into the brk area. Leave at least a single page gap between .bss and brk (when it has not already been explicitly relocated into the mmap range). Reported-by: Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/ Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org Signed-off-by: Kees Cook Signed-off-by: Sasha Levin --- fs/binfmt_elf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index ccc4c6d8a578f..d5f9ad0651ea5 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1286,6 +1286,9 @@ static int load_elf_binary(struct linux_binprm *bprm) if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && elf_ex->e_type == ET_DYN && !interpreter) { mm->brk = mm->start_brk = ELF_ET_DYN_BASE; + } else { + /* Otherwise leave a gap between .bss and brk. */ + mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; } mm->brk = mm->start_brk = arch_randomize_brk(mm); -- 2.43.0
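Review bot: The added `else` branch only inserts the `PAGE_SIZE` gap on the path that then falls through to `mm->brk = mm->start_brk = arch_randomize_brk(mm);` on the following context line, so on any path that does not reach this block brk still begins directly at the end of .bss, while the commit message states "Leave at least a single page gap between .bss and brk" without that qualification. Either qualify the message (the gap is applied together with brk randomization) or move the `mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;` increment so it takes effect regardless of which path is taken. For the 5.10 backport it is also worth confirming that `mm->brk` is page-aligned when this branch runs, since a single `PAGE_SIZE` increment on an unaligned value would leave less than one full unmapped page between .bss and the start of the randomized brk range.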