Date: Mon, 27 May 2024 09:32:13 -0700
From: Kees Cook
To: Sasha Levin, linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: Kees Cook, y0un9n132@gmail.com, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
In-Reply-To: <20240526094152.3412316-12-sashal@kernel.org>
References: <20240526094152.3412316-1-sashal@kernel.org> <20240526094152.3412316-12-sashal@kernel.org>

Hi,

Please don't backport this change. While it has been tested, it's a process memory layout change, and I'd like to be as conservative as possible about it. If there is fall-out, I'd prefer to keep it limited to 6.10+. :)

-Kees

On May 26, 2024 2:41:44 AM PDT, Sasha Levin wrote:
>From: Kees Cook
>
>[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]
>
>Currently the brk starts its randomization immediately after .bss,
>which means there is a chance that when the random offset is 0, linear
>overflows from .bss can reach into the brk area. Leave at least a single
>page gap between .bss and brk (when it has not already been explicitly
>relocated into the mmap range).
>
>Reported-by:
>Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
>Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
>Signed-off-by: Kees Cook
>Signed-off-by: Sasha Levin
>---
> fs/binfmt_elf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
>index 5397b552fbeb5..7862962f7a859 100644
>--- a/fs/binfmt_elf.c
>+++ b/fs/binfmt_elf.c
>@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
> if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
> elf_ex->e_type == ET_DYN && !interpreter) {
> mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
>+ } else {
>+ /* Otherwise leave a gap between .bss and brk. */
>+ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
> }
> 
> mm->brk = mm->start_brk = arch_randomize_brk(mm);

-- 
Kees Cook
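Review bot: the value written in the new else branch by `mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;` is overwritten two lines later by the unchanged `mm->brk = mm->start_brk = arch_randomize_brk(mm);`, so the gap only survives because arch_randomize_brk() derives its result from the mm->brk it is handed; the comment `/* Otherwise leave a gap between .bss and brk. */` should say that the +PAGE_SIZE is the base the following randomization builds on, otherwise the assignment reads as dead code to anyone not familiar with arch_randomize_brk(). For the same reason the gap exists only on the path that reaches the arch_randomize_brk() call; if a gap is wanted regardless of whether brk is randomized, the commit message should say why the non-randomized placement is left as it is.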
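The commit message above describes a layout in which brk can begin in the page directly after .bss. The following program is an added example, not part of the patch or of either mail: it measures, for the running process, the distance between the end of its own .bss and its initial program break, which is exactly the gap the patch introduces. It assumes Linux with a GNU-style linker (the `_end` symbol marks the end of .bss) and a dynamically linked, PIE build, so that nothing has moved the break before `main()` runs; the buffer `bss_buf` is only there to show how far a linear overrun from a .bss object would have to travel before it reaches brk.

```c
/*
 * Added example (not from the patch or the mail above): measure the gap
 * between the end of this process's .bss and its initial brk.
 * Build as a normal dynamically linked PIE, e.g.  cc -O2 -o brkgap brkgap.c
 * A -static build moves the break during libc start-up and skews the result.
 */
#define _DEFAULT_SOURCE          /* for sbrk() under strict -std= modes */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

extern char _end[];              /* linker-provided: first address past .bss */

static char bss_buf[8192];       /* zero-initialised, so it lives in .bss */

/* Round addr up to a page boundary, as the kernel does to the end of .bss
 * before using it as the starting point for brk. */
uintptr_t page_align_up(uintptr_t addr, uintptr_t pgsz)
{
	return (addr + pgsz - 1) & ~(pgsz - 1);
}

/* Whole pages between the page-aligned end of .bss and the start of brk.
 * Returns -1 if brk lies below .bss (the addresses cannot be from the same
 * image, e.g. the break was moved before measurement). */
long gap_pages(uintptr_t bss_end, uintptr_t brk_start, uintptr_t pgsz)
{
	uintptr_t aligned = page_align_up(bss_end, pgsz);

	if (brk_start < aligned)
		return -1;
	return (long)((brk_start - aligned) / pgsz);
}

/* Bytes a linear overrun starting at buf_end can write before the next
 * byte lands at or beyond brk_start. 0 means the very next byte is brk. */
uintptr_t bytes_before_brk(uintptr_t buf_end, uintptr_t brk_start)
{
	return brk_start > buf_end ? brk_start - buf_end : 0;
}

/* The property the patch establishes under brk randomization: brk never
 * starts in the page immediately after .bss. */
int gap_is_safe(long pages)
{
	return pages >= 1;
}

int main(void)
{
	/* Read the break first, before stdio or malloc can move it. */
	uintptr_t brk_start = (uintptr_t)sbrk(0);
	uintptr_t pgsz = (uintptr_t)sysconf(_SC_PAGESIZE);
	uintptr_t bss_end = (uintptr_t)_end;
	uintptr_t buf_end = (uintptr_t)bss_buf + sizeof(bss_buf);
	long pages = gap_pages(bss_end, brk_start, pgsz);

	bss_buf[0] = 1;          /* keep the array from being optimised away */
	printf("end of .bss : %#lx\n", (unsigned long)bss_end);
	printf("initial brk : %#lx\n", (unsigned long)brk_start);
	printf("gap         : %ld page(s)\n", pages);
	printf("an overrun of bss_buf reaches brk after %lu bytes\n",
	       (unsigned long)bytes_before_brk(buf_end, brk_start));
	printf("layout      : %s\n",
	       gap_is_safe(pages) ? "brk separated from .bss"
				  : "brk directly after .bss");
	return 0;
}
```

A single run is not conclusive: under randomization the random offset usually places brk many pages past .bss on any kernel. Only a run that reports 0 pages shows the pre-patch placement, and a kernel carrying this change never reports 0 while brk is being randomized, so run the binary many times (a shell loop over fresh executions) and look at the minimum. Disabling ASLR with `setarch -R` does not exercise the new code, because the added gap sits on the path that ends in the `arch_randomize_brk(mm)` call shown in the hunk.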