From: Max Filippov
Date: Wed, 20 Mar 2024 13:31:22 -0700
Subject: Re: [PATCH] exec: fix linux_binprm::exec in transfer_args_to_stack()
To: Matthew Wilcox
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, Eric Biederman, Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, Rich Felker, stable@vger.kernel.org
References: <20240320182607.1472887-1-jcmvbkbc@gmail.com>
On Wed, Mar 20, 2024 at 12:29 PM Matthew Wilcox wrote:
>
> On Wed, Mar 20, 2024 at 11:26:07AM -0700, Max Filippov wrote:
> > In a NOMMU kernel the value of linux_binprm::p is the offset inside the
> > temporary program arguments array maintained in separate pages in the
> > linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
> > thus must be adjusted when that array is copied to the user stack.
> > Without that adjustment the value passed by the NOMMU kernel to the ELF
> > program in the AT_EXECFN entry of the aux array doesn't make any sense
> > and it may break programs that try to access memory pointed to by that
> > entry.
> >
> > Adjust linux_binprm::exec before the successful return from the
> > transfer_args_to_stack().
>
> Do you know which commit broke this, ie how far back should this be
> backported? Or has it always been broken?

From reading the code I see that linux_binprm::p started being an offset
in the commit b6a2fea39318 ("mm: variable length argument support") which
is v2.6.22-3328-gb6a2fea39318 and filling in the AT_EXECFN aux entry was
added in the commit 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD,
AT_EXECFN, AT_SECURE") which is v2.6.27-4641-g5edc2a5123a7.
I don't see any translation of the linux_binprm::exec at that time so to
me it looks like it's always been broken.

-- 
Thanks.
-- Max
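A constructed C model of the offset-to-address translation the thread discusses, added here as an illustration; it is not code from the kernel or from the patch under review. The page sizes, the strings, the flat stand-in for bprm->page[] and the exact rebase expression are assumptions of the model, chosen to show why an unadjusted linux_binprm::exec is meaningless as an AT_EXECFN pointer once the arguments have moved to the user stack.

```c
#include <string.h>
/* Constructed toy model of the NOMMU argument transfer the thread describes;
 * not kernel code. Sizes are deliberately tiny. */
#define ARG_PAGE_SIZE 64
#define MAX_ARG_PAGES 4
#define ARG_AREA      (MAX_ARG_PAGES * ARG_PAGE_SIZE) /* bprm->page[] total */
#define STACK_TOP     512                             /* model user stack */

struct binprm_model {
    char page[ARG_AREA];  /* flat stand-in for bprm->page[] */
    unsigned long p;      /* offset into the arg area, grows downward */
    unsigned long exec;   /* copy of p taken right after the filename */
};
static char user_stack[STACK_TOP]; /* "addresses" are indices into this */

/* Push a NUL-terminated string below the current offset, like copy_strings(). */
static void push_string(struct binprm_model *b, const char *s)
{
    size_t len = strlen(s) + 1;
    b->p -= len;
    memcpy(b->page + b->p, s, len);
}

/* Copy the used tail of the arg area to the top of the user stack. With rebase
 * set, translate exec from an arg-area offset into a stack address (the model's
 * form of the adjustment; the kernel's exact expression is assumed, not quoted). */
static unsigned long transfer_model(struct binprm_model *b, int rebase)
{
    unsigned long used = ARG_AREA - b->p;
    unsigned long sp = STACK_TOP - used;
    memcpy(user_stack + sp, b->page + b->p, used);
    if (rebase)
        b->exec += STACK_TOP - ARG_AREA;
    return sp;
}

/* Fill a binprm the way exec does (filename, then envp, then argv) and
 * return the string AT_EXECFN would point at after the transfer. */
static const char *execfn_after_transfer(int rebase)
{
    struct binprm_model b = { .p = ARG_AREA };
    memset(user_stack, 0, sizeof user_stack);
    push_string(&b, "/bin/model-prog");  /* filename; exec = p after it */
    b.exec = b.p;
    push_string(&b, "LANG=C");           /* envp */
    push_string(&b, "/bin/model-prog");  /* argv[0] */
    transfer_model(&b, rebase);
    return user_stack + b.exec;          /* unadjusted: points at zeros */
}
```

With rebase set the returned pointer lands on the copied filename; without it the offset indexes untouched stack bytes, which is the failure the patch description refers to.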