From: Ryan Roberts <ryan.roberts@arm.com>
To: Kees Cook <kees@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Ali Saidi <alisaidi@amazon.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] binfmt_elf: Move brk for static PIE even if ASLR disabled
Date: Tue, 13 May 2025 10:19:40 +0100 [thread overview]
Message-ID: <56655ac1-a650-43d8-8080-a03c250474d3@arm.com> (raw)
In-Reply-To: <202505121340.7CA14D4C@keescook>
On 12/05/2025 21:40, Kees Cook wrote:
> On Mon, May 12, 2025 at 04:17:12PM +0100, Ryan Roberts wrote:
>> Hi Andrew,
>>
>>
>> On 02/05/2025 11:01, Ryan Roberts wrote:
>>> On 02/05/2025 01:18, Kees Cook wrote:
>>>> In commit bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing
>>>> direct loader exec"), the brk was moved out of the mmap region when
>>>> loading static PIE binaries (ET_DYN without INTERP). The common case
>>>> for these binaries was testing new ELF loaders, so the brk needed to
>>>> be away from mmap to avoid colliding with stack, future mmaps (of the
>>>> loader-loaded binary), etc. But this was only done when ASLR was enabled,
>>>> in an attempt to minimize changes to memory layouts.
>>>>
>>>> After adding support to respect alignment requirements for static PIE
>>>> binaries in commit 3545deff0ec7 ("binfmt_elf: Honor PT_LOAD alignment
>>>> for static PIE"), it became possible to have a large gap after the
>>>> final PT_LOAD segment and the top of the mmap region. This means that
>>>> future mmap allocations might go after the last PT_LOAD segment (where
>>>> brk might be if ASLR was disabled) instead of before them (where they
>>>> traditionally ended up).
>>>>
>>>> On arm64, running with ASLR disabled, Ubuntu 22.04's "ldconfig" binary,
>>>> a static PIE, has alignment requirements that leaves a gap large enough
>>>> after the last PT_LOAD segment to fit the vdso and vvar, but still leave
>>>> enough space for the brk (which immediately follows the last PT_LOAD
>>>> segment) to be allocated by the binary.
>>>>
>>>> fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real
>>>> fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real
>>>> fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0
>>>> ***[brk will go here at fffff7ffa000]***
>>>> fffff7ffc000-fffff7ffe000 r--p 00000000 00:00 0 [vvar]
>>>> fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso]
>>>> fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack]
>>>>
>>>> After commit 0b3bc3354eb9 ("arm64: vdso: Switch to generic storage
>>>> implementation"), the arm64 vvar grew slightly, and suddenly the brk
>>>> collided with the allocation.
>>>>
>>>> fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real
>>>> fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real
>>>> fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0
>>>> ***[oops, no room any more, vvar is at fffff7ffa000!]***
>>>> fffff7ffa000-fffff7ffe000 r--p 00000000 00:00 0 [vvar]
>>>> fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso]
>>>> fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack]
>>
>> This change is fixing a pretty serious bug that appeared in v6.15-rc1 so I was
>> hoping it would make it into the v6.15 final release. I'm guessing mm is the
>> correct route in? But I don't currently see this in linus's tree or in any of
>> your mm- staging branches. Is there still time to get this in?
>
> I'll be sending it to Linus this week. I've been letting it bake in
> -next for a while just to see if anything shakes out.
Sorry, Kees - my bad! For some reason, I thought this would go via the mm tree.
Thanks again for jumping on this.
prev parent reply other threads:[~2025-05-13 9:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-02 0:18 Kees Cook
2025-05-02 10:01 ` Ryan Roberts
2025-05-12 15:17 ` Ryan Roberts
2025-05-12 20:40 ` Kees Cook
2025-05-13 9:19 ` Ryan Roberts [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56655ac1-a650-43d8-8080-a03c250474d3@arm.com \
--to=ryan.roberts@arm.com \
--cc=akpm@linux-foundation.org \
--cc=alisaidi@amazon.com \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox