From: Pedro Falcato
Date: Mon, 22 Jan 2024 14:54:52 +0000
Subject: Re: Recent-ish changes in binfmt_elf made my program segfault
To: Jan Bujak
Cc: ebiederm@xmission.com, keescook@chromium.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org
On Mon, Jan 22, 2024 at 12:16 PM Jan Bujak wrote:
>
> Hi.
>
> I recently updated my kernel and one of my programs started segfaulting.
>
> The issue seems to be related to how the kernel interprets PT_LOAD headers;
> consider the following program headers (from 'readelf' of my reproduction):
>
> Program Headers:
>   Type   Offset   VirtAddr PhysAddr FileSiz  MemSiz   Flg Align
>   LOAD   0x001000 0x10000  0x10000  0x000010 0x000010 R   0x1000
>   LOAD   0x002000 0x11000  0x11000  0x000010 0x000010 RW  0x1000
>   LOAD   0x002010 0x11010  0x11010  0x000000 0x000004 RW  0x1000
>   LOAD   0x003000 0x12000  0x12000  0x0000d2 0x0000d2 R E 0x1000
>   LOAD   0x004000 0x20000  0x20000  0x000004 0x000004 RW  0x1000
>
> Old kernels load this ELF file in the following way ('/proc/self/maps'):
>
> 00010000-00011000 r--p 00001000 00:02 131 ./bug-reproduction
> 00011000-00012000 rw-p 00002000 00:02 131 ./bug-reproduction
> 00012000-00013000 r-xp 00003000 00:02 131 ./bug-reproduction
> 00020000-00021000 rw-p 00004000 00:02 131 ./bug-reproduction
>
> And new kernels do it like this:
>
> 00010000-00011000 r--p 00001000 00:02 131 ./bug-reproduction
> 00011000-00012000 rw-p 00000000 00:00 0
> 00012000-00013000 r-xp 00003000 00:02 131 ./bug-reproduction
> 00020000-00021000 rw-p 00004000 00:02 131 ./bug-reproduction
>
> That map between 0x11000 and 0x12000 is the program's '.data' and '.bss'
> sections which it tries to write to, and since the kernel doesn't map
> them anymore it crashes.
>
> I bisected the issue to the following commit:
>
> commit 585a018627b4d7ed37387211f667916840b5c5ea
> Author: Eric W. Biederman
> Date:   Thu Sep 28 20:24:29 2023 -0700
>
>     binfmt_elf: Support segments with 0 filesz and misaligned starts
>
> I can confirm that with this commit the issue reproduces, and with it
> reverted it doesn't.
>
> I have prepared a minimal reproduction of the problem available here,
> along with all of the scripts I used for bisecting:
>
> https://github.com/koute/linux-elf-loading-bug
>
> You can either compile it from source (requires Rust and LLD), or there's
> a prebuilt binary in 'bin/bug-reproduction' which you can run. (It's tiny,
> so you can easily check with 'objdump -d' that it isn't malicious).
>
> On old kernels this will run fine, and on new kernels it will segfault.

Hi!

Where did you get that linker script? FWIW, I caught this possible issue in
review, and this was already discussed (see my email and Eric's reply):
https://lore.kernel.org/all/CAKbZUD3E2if8Sncy+M2YKncc_Zh08-86W6U5wR0ZMazShxbHHA@mail.gmail.com/

This was my original testcase (https://github.com/heatd/elf-bug-questionmark),
which convinced the loader to map .data over a cleared .bss. Your bug seems
similar, but does the inverse: maps .bss over .data.

-- 
Pedro
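Added example, not code from this thread, from the reproduction repository or from the kernel: a small C checker that parses the program headers of an ELF32/ELF64 file and flags the layout Jan's readelf output shows, a PT_LOAD with p_filesz == 0 whose p_vaddr starts mid-page, in a page that also carries file-backed bytes of another PT_LOAD. The report_segs table is the five rows of the readelf listing above typed in by hand (a constructed sample, not bytes from bug-reproduction); the function and variable names are mine, and the 4 KiB page size is an assumption for the report's target.

```c
/* elf_bss_page_check.c: flag PT_LOAD segments with p_filesz == 0 that start
 * mid-page in a page which also holds file-backed bytes of another PT_LOAD. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct load_seg { uint64_t vaddr, filesz, memsz; };

/* Read an unsigned integer of `width` bytes at `off` in either byte order. */
static uint64_t rd(const uint8_t *p, size_t off, int width, int be)
{
    uint64_t v = 0;
    for (int i = 0; i < width; i++) v = (v << 8) | p[off + (be ? i : width - 1 - i)];
    return v;
}

/* Extract the PT_LOAD entries of an ELF32/ELF64 image held in memory; returns
 * their count, or -1 for a non-ELF or truncated image. Field offsets are the
 * ones from the ELF specification for Elf32/Elf64 Ehdr and Phdr. */
int parse_pt_load(const uint8_t *img, size_t len, struct load_seg *out, size_t max)
{
    if (len < 16 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    int is64 = img[4] == 2, be = img[5] == 2;                 /* EI_CLASS, EI_DATA */
    if ((!is64 && img[4] != 1) || len < (is64 ? 64u : 52u)) return -1;
    uint64_t phoff = is64 ? rd(img, 32, 8, be) : rd(img, 28, 4, be);
    unsigned phentsize = (unsigned)rd(img, is64 ? 54 : 42, 2, be);
    unsigned phnum = (unsigned)rd(img, is64 ? 56 : 44, 2, be);
    if (phentsize < (is64 ? 56u : 32u) || phoff > len ||
        (uint64_t)phnum * phentsize > len - phoff) return -1;  /* table must fit */
    int n = 0;
    for (unsigned i = 0; i < phnum && (size_t)n < max; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * phentsize;
        if (rd(ph, 0, 4, be) != 1) continue;                  /* p_type != PT_LOAD */
        out[n].vaddr  = is64 ? rd(ph, 16, 8, be) : rd(ph, 8, 4, be);
        out[n].filesz = is64 ? rd(ph, 32, 8, be) : rd(ph, 16, 4, be);
        out[n].memsz  = is64 ? rd(ph, 40, 8, be) : rd(ph, 20, 4, be);
        n++;
    }
    return n;
}

/* Count zero-filesz PT_LOAD segments that start mid-page inside a page which also
 * holds file-backed bytes of another PT_LOAD. `page` must be a power of two.
 * Each hit is described on stderr. */
int count_shared_bss_pages(const struct load_seg *s, int n, uint64_t page)
{
    uint64_t mask = ~(page - 1);
    int hits = 0;
    for (int j = 0; j < n; j++) {
        if (s[j].filesz != 0 || s[j].memsz == 0 || (s[j].vaddr & ~mask) == 0) continue;
        uint64_t pg = s[j].vaddr & mask;                      /* page the bss starts in */
        for (int i = 0; i < n; i++) {
            if (i == j || s[i].filesz == 0) continue;
            uint64_t first = s[i].vaddr & mask, last = (s[i].vaddr + s[i].filesz - 1) & mask;
            if (pg < first || pg > last) continue;            /* no file bytes in that page */
            fprintf(stderr, "PT_LOAD#%d (vaddr 0x%llx, filesz 0) shares page 0x%llx with "
                    "file-backed PT_LOAD#%d\n", j, (unsigned long long)s[j].vaddr,
                    (unsigned long long)pg, i);
            hits++;
        }
    }
    return hits;
}

/* Parse an image and run the check with 4 KiB pages; -1 if it is not ELF.
 * More than 64 PT_LOADs (unusual) are silently ignored. */
int check_image(const uint8_t *img, size_t len)
{
    struct load_seg segs[64];
    int n = parse_pt_load(img, len, segs, 64);
    return n < 0 ? -1 : count_shared_bss_pages(segs, n, 4096);
}

/* The five PT_LOAD rows of the readelf table in the report, typed in as constants
 * (a constructed sample, not bytes read from the reproduction binary). */
const struct load_seg report_segs[5] = {
    { 0x10000, 0x10, 0x10 }, { 0x11000, 0x10, 0x10 },
    { 0x11010, 0x00, 0x04 },                /* filesz 0, starts 0x10 bytes into the page */
    { 0x12000, 0xd2, 0xd2 }, { 0x20000, 0x04, 0x04 },
};

int main(int argc, char **argv)
{
    static uint8_t buf[1 << 20];                              /* first MiB holds the phdr table */
    if (argc < 2) {                                           /* no file given: use the table above */
        printf("report sample: %d hit(s)\n", count_shared_bss_pages(report_segs, 5, 4096));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int hits = check_image(buf, len);
    printf("%s: %d hit(s)\n", argv[1], hits);
    return hits > 0 ? 1 : 0;
}
```

Build with `cc -o elf_bss_page_check elf_bss_page_check.c`. Run with no argument it scores the transcribed table and reports one hit, the 0x11010 segment sharing page 0x11000 with the file-backed 0x11000 segment; run with a path it reads that file's program headers instead. A hit only says that the file's correctness depends on how the loader treats a page that is both file-backed and zero-fill, which is the layout this thread is about; it does not by itself say which kernel version will fault.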