From patchwork Mon May 18 17:35:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 225537 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96B3EC433E2 for ; Mon, 18 May 2020 18:32:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6978820657 for ; Mon, 18 May 2020 18:32:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589826726; bh=NYb8c7J1Gfowmxh8CILJGefXONSD55TVtFOevI5w1/U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=plRWdg8W9LcELFOHHNsB5OVwuSRFVhU4+fWkOYiIXXPLbJ63PZh1zNB1cJwqCLfLL HpHp2XiRVODHCQ3mZ/NZqoE4/IQGv3D+QXjfLEyom7Y1bOzcSMbWH/AqUqpEYcN3+y htzBv3KO/M2Ws6ERP1QzjMjHz1gOrJoQny+2RnD4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728624AbgERRiv (ORCPT ); Mon, 18 May 2020 13:38:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:33114 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728615AbgERRit (ORCPT ); Mon, 18 May 2020 13:38:49 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 494E020878; Mon, 18 May 2020 17:38:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589823528; bh=NYb8c7J1Gfowmxh8CILJGefXONSD55TVtFOevI5w1/U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yspssO0xEbYpC+8kHMgWJbbeI0iU9h0LKqDJgSlSbXmW2EpLYa8G7yfswLWS1p/n0 O61Qr9ptjF9Z7uQqOXO+1WNEJXMyMHkTYmEtXXjpbyrJ6JsiQ4A7m2WoZz1D4nr2OC FLhmMkGeC1JK95wi9Cpdj66sWk4t3ZYm2yOQE8l4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Linus Torvalds , Guenter Roeck , Richard Kojedzinszky Subject: [PATCH 4.4 19/86] binfmt_elf: Do not move brk for INTERP-less ET_EXEC Date: Mon, 18 May 2020 19:35:50 +0200 Message-Id: <20200518173454.352345138@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200518173450.254571947@linuxfoundation.org> References: <20200518173450.254571947@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Kees Cook commit 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 upstream. When brk was moved for binaries without an interpreter, it should have been limited to ET_DYN only. In other words, the special case was an ET_DYN that lacks an INTERP, not just an executable that lacks INTERP. The bug manifested for giant static executables, where the brk would end up in the middle of the text area on 32-bit architectures. Reported-and-tested-by: Richard Kojedzinszky Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Linus Torvalds Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman --- fs/binfmt_elf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1104,7 +1104,8 @@ static int load_elf_binary(struct linux_ * (since it grows up, and may collide early with the stack * growing down), and into the unused ELF_ET_DYN_BASE region. */ - if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && !interpreter) + if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && + loc->elf_ex.e_type == ET_DYN && !interpreter) current->mm->brk = current->mm->start_brk = ELF_ET_DYN_BASE;