Re: [PATCH RFC] binfmt_elf: fully allocate bss pages

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Sebastian Ott <sebott@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Thomas Weißschuh" <linux@weissschuh.net>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Christian Brauner" <brauner@kernel.org>,
	"Kees Cook" <keescook@chromium.org>,
	"Mark Brown" <broonie@kernel.org>, "Willy Tarreau" <w@1wt.eu>,
	linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH RFC] binfmt_elf: fully allocate bss pages
Date: Mon, 25 Sep 2023 11:20:51 +0200 (CEST)	[thread overview]
Message-ID: <37d3392c-cf33-20a6-b5c9-8b3fb8142658@redhat.com> (raw)
In-Reply-To: <87zg1bm5xo.fsf@email.froward.int.ebiederm.org>

On Sun, 24 Sep 2023, Eric W. Biederman wrote:
> Sebastian Ott <sebott@redhat.com> writes:
>
>> Hej,
>>
>> since we figured that the proposed patch is not going to work I've spent a
>> couple more hours looking at this (some static binaries on arm64 segfault
>> during load [0]). The segfault happens because of a failed clear_user()
>> call in load_elf_binary(). The address we try to write zeros to is mapped with
>> correct permissions.
>>
>> After some experiments I've noticed that writing to anonymous mappings work
>> fine and all the error cases happend on file backed VMAs. Debugging showed that
>> in elf_map() we call vm_mmap() with a file offset of 15 pages - for a binary
>> that's less than 1KiB in size.
>>
>> Looking at the ELF headers again that 15 pages offset originates from the offset
>> of the 2nd segment - so, I guess the loader did as instructed and that binary is
>> just too nasty?
>>
>> Program Headers:
>>   Type           Offset             VirtAddr           PhysAddr
>>                  FileSiz            MemSiz              Flags  Align
>>   LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
>>                  0x0000000000000178 0x0000000000000178  R E    0x10000
>>   LOAD           0x000000000000ffe8 0x000000000041ffe8 0x000000000041ffe8
>>                  0x0000000000000000 0x0000000000000008  RW     0x10000
>>   NOTE           0x0000000000000120 0x0000000000400120 0x0000000000400120
>>                  0x0000000000000024 0x0000000000000024  R      0x4
>>   GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
>>                  0x0000000000000000 0x0000000000000000  RW     0x10
>>
>> As an additional test I've added a bunch of zeros at the end of that binary
>> so that the offset is within that file and it did load just fine.
>>
>> On the other hand there is this section header:
>>   [ 4] .bss              NOBITS           000000000041ffe8  0000ffe8
>>        0000000000000008  0000000000000000  WA       0     0     1
>>
>> "sh_offset
>> This member's value gives the byte offset from the beginning of the file to
>> the first byte in the section. One section type, SHT_NOBITS described
>> below, occupies no space in the file, and its sh_offset member locates
>> the conceptual placement in the file.
>> "
>>
>> So, still not sure what to do here..
>>
>> Sebastian
>>
>> [0] https://lore.kernel.org/lkml/5d49767a-fbdc-fbe7-5fb2-d99ece3168cb@redhat.com/
>
> I think that .bss section that is being generated is atrocious.
>
> At the same time I looked at what the linux elf loader is trying to do,
> and the elf loader's handling of program segments with memsz > filesz
> has serious remnants a.out of programs allocating memory with the brk
> syscall.
>
> Lots of the structure looks like it started with the assumption that
> there would only be a single program header with memsz > filesz the way
> and that was the .bss.   The way things were in the a.out days and
> handling of other cases has been debugged in later.
>
> So I have modified elf_map to always return successfully when there is
> a zero filesz in the program header for an elf segment.
>
> Then I have factored out a function clear_tail that ensures the zero
> padding for an entire elf segment is present.
>
> Please test this and see if it causes your test case to work.

Sadly, that causes issues for other programs:

[   44.164596] Run /init as init process
[   44.168763] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[   44.176409] CPU: 32 PID: 1 Comm: init Not tainted 6.6.0-rc2+ #89
[   44.182404] Hardware name: GIGABYTE R181-T92-00/MT91-FS4-00, BIOS F34 08/13/2020
[   44.189786] Call trace:
[   44.192220]  dump_backtrace+0xa4/0x130
[   44.195961]  show_stack+0x20/0x38
[   44.199264]  dump_stack_lvl+0x48/0x60
[   44.202917]  dump_stack+0x18/0x28
[   44.206219]  panic+0x2e0/0x350
[   44.209264]  do_exit+0x370/0x390
[   44.212481]  do_group_exit+0x3c/0xa0
[   44.216044]  get_signal+0x800/0x808
[   44.219521]  do_signal+0xfc/0x200
[   44.222824]  do_notify_resume+0xc8/0x418
[   44.226734]  el0_da+0x114/0x120
[   44.229866]  el0t_64_sync_handler+0xb8/0x130
[   44.234124]  el0t_64_sync+0x194/0x198
[   44.237776] SMP: stopping secondary CPUs
[   44.241740] Kernel Offset: disabled
[   44.245215] CPU features: 0x03000000,14028142,10004203
[   44.250342] Memory Limit: none
[   44.253383] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---

next prev parent reply	other threads:[~2023-09-25  9:21 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-14 15:59 Thomas Weißschuh
2023-09-14 19:49 ` Eric W. Biederman
2023-09-14 22:18   ` Thomas Weißschuh
2023-09-15 19:35 ` Sebastian Ott
2023-09-15 22:15 ` Pedro Falcato
2023-09-15 22:41   ` Thomas Weißschuh
2023-09-18 14:11 ` kernel test robot
2023-09-21 10:36 ` Sebastian Ott
2023-09-25  0:50   ` Eric W. Biederman
2023-09-25  9:20     ` Sebastian Ott [this message]
2023-09-25  9:50       ` Eric W. Biederman
2023-09-25 12:59       ` [PATCH] binfmt_elf: Support segments with 0 filesz and misaligned starts Eric W. Biederman
2023-09-25 15:27         ` Sebastian Ott
2023-09-25 17:06           ` Kees Cook
2023-09-26  3:27             ` Eric W. Biederman
2023-09-27  2:34               ` Kees Cook
2023-09-26 13:49         ` Dan Carpenter
2023-09-26 14:42           ` [PATCH v2] " Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=37d3392c-cf33-20a6-b5c9-8b3fb8142658@redhat.com \
    --to=sebott@redhat.com \
    --cc=brauner@kernel.org \
    --cc=broonie@kernel.org \
    --cc=ebiederm@xmission.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux@weissschuh.net \
    --cc=stable@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox