From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexey Dobriyan, Kees Cook, Sasha Levin, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH AUTOSEL 6.6 61/83] ELF: fix kernel.randomize_va_space double read
Date: Wed, 31 Jul 2024 20:18:16 -0400
Message-ID: <20240801002107.3934037-61-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240801002107.3934037-1-sashal@kernel.org>
References: <20240801002107.3934037-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 6.6.43

From: Alexey Dobriyan

[ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ]

ELF loader uses "randomize_va_space" twice. It is a sysctl and can change
at any moment, so 2 loads could see 2 different values in theory with
unpredictable consequences.

Issue exactly one load for a consistent value across one exec.

Signed-off-by: Alexey Dobriyan
Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 fs/binfmt_elf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 7b3d2d4914073..fb2c8d14327ae 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1008,7 +1008,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1300,7 +1301,7 @@ static int load_elf_binary(struct linux_binprm *bprm) mm->end_data = end_data; mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.43.0
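Review bot: in the first hunk (@@ -1008), `const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);` is declared between statements, right after the `current->personality |= READ_IMPLIES_EXEC;` assignment and several hundred lines into load_elf_binary(); kernel style keeps declarations at the top of the block, so either hoist it into the function's declaration list (it can be initialised there, since nothing before this point depends on the value) or call out the mid-block declaration as deliberate in the commit message. READ_ONCE() pins the reader to a single load, which is what the commit message asks for; the sysctl writer side is not in this diff, so whether the store is paired with WRITE_ONCE() for KCSAN's benefit is worth checking in the 6.6.43 base, though the exec-consistency goal is met either way.

Review bot: in the second hunk (@@ -1300), `if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1))` now tests the same value that set PF_RANDOMIZE in the first hunk, closing the pre-patch window where a write of 2 -> 1 landing between the two loads left PF_RANDOMIZE set but the brk randomization path skipped. The diffstat (3 insertions, 2 deletions) accounts for exactly these two sites; please confirm by grep that no other direct read of randomize_va_space exists between the declaration (~line 1010) and this use (~line 1304) in the 6.6.43 base, otherwise the snapshot covers only part of the exec.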
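The double read the commit message describes, modelled in userspace as an added example that is not part of the patch or of the kernel tree: the two predicates from the hunks are reproduced as written, and a scripted sysctl write is injected between them to show the mixed state the old code can reach and the single snapshot cannot. The READ_ONCE() stand-in, the ElfRandomDecision type, the decide_* helpers, sysctl_set() and the scripted writer are all invented for this illustration; the ADDR_NO_RANDOMIZE value is the one from <linux/personality.h>.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's READ_ONCE(): exactly one volatile load,
 * so the compiler can neither split nor repeat it. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

/* Personality bit from <linux/personality.h>, reproduced so this file builds
 * without kernel headers. */
#define ADDR_NO_RANDOMIZE 0x0040000u

/* Model of the kernel.randomize_va_space sysctl (0 = off, 1 = mmap/stack,
 * 2 = also brk). A real sysctl write can land at any instruction. */
static int randomize_va_space = 2;

/* Invented type: the two ASLR decisions load_elf_binary() derives from it. */
typedef struct {
    bool pf_randomize;  /* current->flags |= PF_RANDOMIZE */
    bool randomize_brk; /* the "randomize_va_space > 1" brk path taken */
} ElfRandomDecision;

/* Pre-patch shape: two independent loads of the global (about 300 lines
 * apart in the real loader). 'concurrent_write' stands for a sysctl write
 * that lands in that window; NULL means no write. */
static ElfRandomDecision decide_double_read(unsigned int personality,
                                            void (*concurrent_write)(void))
{
    ElfRandomDecision d = { false, false };

    if (!(personality & ADDR_NO_RANDOMIZE) && randomize_va_space) /* load #1 */
        d.pf_randomize = true;

    if (concurrent_write)
        concurrent_write();

    if (d.pf_randomize && randomize_va_space > 1)                  /* load #2 */
        d.randomize_brk = true;
    return d;
}

/* Patched shape: one READ_ONCE() snapshot feeds both decisions. */
static ElfRandomDecision decide_snapshot(unsigned int personality,
                                         void (*concurrent_write)(void))
{
    ElfRandomDecision d = { false, false };
    const int snap = READ_ONCE(randomize_va_space);

    if (!(personality & ADDR_NO_RANDOMIZE) && snap)
        d.pf_randomize = true;

    if (concurrent_write)
        concurrent_write(); /* cannot influence the second test any more */

    if (d.pf_randomize && snap > 1)
        d.randomize_brk = true;
    return d;
}

/* True when the flag pair is what a single sysctl value would produce:
 * 2 -> both set, 1 -> only PF_RANDOMIZE, 0 or ADDR_NO_RANDOMIZE -> neither. */
static bool consistent_with(ElfRandomDecision d, int sysctl_value,
                            unsigned int personality)
{
    bool want_pf  = !(personality & ADDR_NO_RANDOMIZE) && sysctl_value != 0;
    bool want_brk = want_pf && sysctl_value > 1;
    return d.pf_randomize == want_pf && d.randomize_brk == want_brk;
}

static void sysctl_set(int v) { randomize_va_space = v; }
static void write_zero_mid_exec(void) { sysctl_set(0); }

/* Scripted race: the sysctl is 2 when exec starts and is set to 0 between
 * the two reads. Returns true when the double read yields a state matching
 * neither sysctl value while the snapshot matches the value it read. */
static bool race_demo(void)
{
    sysctl_set(2);
    ElfRandomDecision buggy = decide_double_read(0, write_zero_mid_exec);
    sysctl_set(2);
    ElfRandomDecision fixed = decide_snapshot(0, write_zero_mid_exec);

    return !consistent_with(buggy, 2, 0) && !consistent_with(buggy, 0, 0)
        && consistent_with(fixed, 2, 0);
}

int main(void)
{
    printf("double read produced a mixed ASLR state, snapshot did not: %s\n",
           race_demo() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=gnu11 -Wall race.c` and run; race_demo() performs the scripted run. In the real kernel the window is nondeterministic and the write comes from a privileged sysctl change, so what the old code exposes is a process whose brk decision was made from a different sysctl value than its PF_RANDOMIZE decision; the snapshot makes both decisions follow one value per exec.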