From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexey Dobriyan, Kees Cook, Sasha Levin, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH AUTOSEL 6.1 44/61] ELF: fix kernel.randomize_va_space double read
Date: Wed, 31 Jul 2024 20:26:02 -0400
Message-ID: <20240801002803.3935985-44-sashal@kernel.org>
In-Reply-To: <20240801002803.3935985-1-sashal@kernel.org>
References: <20240801002803.3935985-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 6.1.102

From: Alexey Dobriyan

[ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ]

ELF loader uses "randomize_va_space" twice. It is a sysctl and can change
at any moment, so 2 loads could see 2 different values in theory with
unpredictable consequences.

Issue exactly one load for a consistent value across one exec.

Signed-off-by: Alexey Dobriyan
Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 fs/binfmt_elf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index e6c9c0e084486..89e7e4826efce 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1009,7 +1009,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1301,7 +1302,7 @@ static int load_elf_binary(struct linux_binprm *bprm) mm->end_data = end_data; mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.43.0
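Review bot: in the first hunk (@@ -1009,7 +1009,8 @@), `const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);` is a declaration placed after statements in the middle of load_elf_binary(); that is legal in the kernel's C dialect but out of step with this function's locals-at-the-top style, and it hides that the value is intended to outlive this block and be reused by the brk-randomization check about 300 lines later. Move the declaration up with the other locals and give it a one-line comment stating that the single READ_ONCE() is deliberate, so a later cleanup does not quietly reintroduce a second read of the sysctl.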
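Review bot: in the second hunk (@@ -1301,7 +1302,7 @@), switching to `(snapshot_randomize_va_space > 1)` is the actual fix, but the changelog's "unpredictable consequences" never names the concrete case this line is about: PF_RANDOMIZE was set from one value of the sysctl, while the brk-randomization decision here was previously taken from a second, possibly different, value, so one exec could run with a randomization level that was never configured. Spelling that out in the commit message would make the motivation for the stable backport clearer, and a short comment at this use pointing back to where the snapshot is taken would help a reader of this hunk in isolation.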
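The double read the commit message describes, modelled deterministically as an added example (this is not part of the patch or of fs/binfmt_elf.c): a constructed sysctl stand-in returns a different value to each load, and the pre-patch and post-patch shapes of the decision logic are compared. The struct and function names are assumptions of the model; the flag values mirror the kernel headers but any two distinct bits would serve.

```c
#include <stdbool.h>
#include <stddef.h>

/* Flag bits as in the kernel headers; any two distinct bits would serve the model. */
#define PF_RANDOMIZE       0x00400000
#define ADDR_NO_RANDOMIZE  0x0040000

/* Constructed model of the sysctl: each load returns the next entry, which
 * stands in for a sysctl write landing between two reads in one exec. */
struct sysctl_model { const int *values; size_t n; size_t next; };

static int load_sysctl(struct sysctl_model *m)
{
    int v = m->values[m->next];
    if (m->next + 1 < m->n)
        m->next++;             /* the last value repeats once exhausted */
    return v;
}

struct exec_decision { unsigned flags; bool randomize_brk; };

/* Pre-patch shape of load_elf_binary(): two independent loads of the sysctl. */
static struct exec_decision decide_double_read(struct sysctl_model *m, unsigned personality)
{
    struct exec_decision d = { 0, false };
    if (!(personality & ADDR_NO_RANDOMIZE) && load_sysctl(m))
        d.flags |= PF_RANDOMIZE;
    if ((d.flags & PF_RANDOMIZE) && load_sysctl(m) > 1)
        d.randomize_brk = true;
    return d;
}

/* Post-patch shape: one snapshot drives both decisions. */
static struct exec_decision decide_snapshot(struct sysctl_model *m, unsigned personality)
{
    struct exec_decision d = { 0, false };
    const int snapshot = load_sysctl(m);
    if (!(personality & ADDR_NO_RANDOMIZE) && snapshot)
        d.flags |= PF_RANDOMIZE;
    if ((d.flags & PF_RANDOMIZE) && snapshot > 1)
        d.randomize_brk = true;
    return d;
}

/* Which randomize_va_space level (0, 1 or 2) the exec actually behaves as. */
static int effective_level(struct exec_decision d)
{
    if (!(d.flags & PF_RANDOMIZE))
        return 0;
    return d.randomize_brk ? 2 : 1;
}
```

With the sysctl flipping from 2 to 0 between the two loads, the double-read version behaves as level 1, a setting the administrator never wrote, while the snapshot version behaves as the value it actually read.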