* [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
  [not found] <20240526094152.3412316-1-sashal@kernel.org>
From: Sasha Levin @ 2024-05-26 9:41 UTC
To: linux-kernel, stable
Cc: Kees Cook, y0un9n132, Sasha Levin, viro, brauner, linux-fsdevel, linux-mm

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]

Currently the brk starts its randomization immediately after .bss,
which means there is a chance that when the random offset is 0, linear
overflows from .bss can reach into the brk area. Leave at least a single
page gap between .bss and brk (when it has not already been explicitly
relocated into the mmap range).

Reported-by: <y0un9n132@gmail.com>
Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_elf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 5397b552fbeb5..7862962f7a859 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
 		    elf_ex->e_type == ET_DYN && !interpreter) {
 			mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
+		} else {
+			/* Otherwise leave a gap between .bss and brk. */
+			mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
 		}
 
 		mm->brk = mm->start_brk = arch_randomize_brk(mm);
-- 
2.43.0
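Review bot: the hunk's context does not show the condition that encloses this `if`/`else`; if the whole block is only reached when brk randomization is in effect, the new one-page gap is absent precisely in the non-randomized case, where brk always lands directly after .bss, which is the adjacency the commit message names as the hazard. Either confirm that the gap is also applied when randomization is off, or extend the comment `/* Otherwise leave a gap between .bss and brk. */` to say that it only covers the random-offset-0 case. A smaller point on the same line: `mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;` only yields the promised "at least a single page gap" if `mm->brk` is already page-aligned here, so a word on that in the comment would help the next reader.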
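To inspect the layout this patch changes on a running system, here is an added example (not code from the patch or the kernel tree) that compares the linker-provided end of .bss (`_end`) with the start of the `[heap]` mapping in /proc/self/maps and reports the distance in pages; `heap_start_from_maps`, `gap_pages` and `measure_live_gap` are names chosen here.

```c
/* Added example (not the patch's code): pages between this process's .bss end and its brk heap start. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Start of the "[heap]" mapping in /proc/<pid>/maps text, 0 if there is none yet. */
unsigned long heap_start_from_maps(const char *maps)
{
	const char *line = maps;
	while (line && *line) {
		const char *nl = strchr(line, '\n');
		const char *hit = strstr(line, "[heap]");
		if (hit && (!nl || hit < nl))
			return strtoul(line, NULL, 16); /* parses the hex start up to '-' */
		line = nl ? nl + 1 : NULL;
	}
	return 0;
}

/* Whole pages between the page-aligned .bss end (the kernel aligns it before placing
 * brk, so we do the same) and heap_start; -1 if heap_start lies below .bss or is 0. */
long gap_pages(unsigned long bss_end, unsigned long heap_start, unsigned long page)
{
	unsigned long aligned = (bss_end + page - 1) & ~(page - 1);
	if (heap_start < aligned) return -1;
	return (long)((heap_start - aligned) / page);
}

#ifdef __linux__
extern char _end[]; /* linker-provided end of .bss */
long measure_live_gap(void)
{
	static char buf[1 << 16];
	free(malloc(16)); /* make sure a brk heap exists before reading maps */
	FILE *f = fopen("/proc/self/maps", "r");
	if (!f) return -1;
	size_t n = fread(buf, 1, sizeof(buf) - 1, f);
	buf[n] = '\0';
	fclose(f);
	return gap_pages((unsigned long)_end, heap_start_from_maps(buf),
			 (unsigned long)sysconf(_SC_PAGESIZE));
}
#endif

int main(void)
{
#ifdef __linux__
	printf("pages between .bss end and heap start: %ld\n", measure_live_gap());
#endif
	return 0;
}
```

When brk randomization is active the count includes the random offset, so a single run only tells you whether brk currently sits directly on .bss (a count of 0), not which kernel placement rule produced the number.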
* Re: [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
From: Kees Cook @ 2024-05-27 16:32 UTC
To: Sasha Levin, linux-kernel, stable
Cc: Kees Cook, y0un9n132, viro, brauner, linux-fsdevel, linux-mm

Hi,

Please don't backport this change. While it has been tested, it's a process memory layout change, and I'd like to be as conservative as possible about it. If there is fall-out, I'd prefer to keep it limited to 6.10+. :)

-Kees

On May 26, 2024 2:41:44 AM PDT, Sasha Levin <sashal@kernel.org> wrote:
>From: Kees Cook <keescook@chromium.org>
>
>[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]
>
>Currently the brk starts its randomization immediately after .bss,
>which means there is a chance that when the random offset is 0, linear
>overflows from .bss can reach into the brk area. Leave at least a single
>page gap between .bss and brk (when it has not already been explicitly
>relocated into the mmap range).
>
>Reported-by: <y0un9n132@gmail.com>
>Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
>Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
>Signed-off-by: Kees Cook <keescook@chromium.org>
>Signed-off-by: Sasha Levin <sashal@kernel.org>
>---
> fs/binfmt_elf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
>index 5397b552fbeb5..7862962f7a859 100644
>--- a/fs/binfmt_elf.c
>+++ b/fs/binfmt_elf.c
>@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
> 		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
> 		    elf_ex->e_type == ET_DYN && !interpreter) {
> 			mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
>+		} else {
>+			/* Otherwise leave a gap between .bss and brk. */
>+			mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
> 		}
> 
> 		mm->brk = mm->start_brk = arch_randomize_brk(mm);

-- 
Kees Cook
* Re: [PATCH AUTOSEL 6.9 12/15] binfmt_elf: Leave a gap between .bss and brk
From: Sasha Levin @ 2024-06-19 14:28 UTC
To: Kees Cook
Cc: linux-kernel, stable, Kees Cook, y0un9n132, viro, brauner, linux-fsdevel, linux-mm

On Mon, May 27, 2024 at 09:32:13AM -0700, Kees Cook wrote:
>Hi,
>
>Please don't backport this change. While it has been tested, it's a process memory layout change, and I'd like to be as conservative as possible about it. If there is fall-out, I'd prefer to keep it limited to 6.10+. :)

I'll drop it, thanks!

-- 
Thanks,
Sasha