[RFC PATCH] binfmt_elf: Fix PIE execution with randomization disabled

From: Josh Boyer
Date: Thu Sep 29 2011 - 15:54:49 EST

Next message: Konrad Rzeszutek Wilk: "[PATCH 7/9] xen/xenbus: Check before dereferencing it."
Previous message: Konrad Rzeszutek Wilk: "[PATCH 6/9] xen/irq: If we fail during msi_capability_init return proper error code."
Next in thread: Andrew Morton: "Re: [RFC PATCH] binfmt_elf: Fix PIE execution with randomizationdisabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We've had a bug report[1] of some PIE programs getting a SIGKILL upon exec
if you disable address randomization with:

echo 0 > /proc/sys/kernel/randomize_va_space

I tracked this down to get_unmapped_area_prot returning -ENOMEM because
the address being passed in is larger than TASK_SIZE - len for the bss
section of the test executable. That filters back to set_brk returning
an error to load_elf_binary and the SIGKILL being sent around line 872
of binfmt_elf.c.

H.J. submitted an upstream bug report [2] as well, but got no feedback
and we can't view it with kernel.org being down anyway. He came up with
the patch below as well, which is what I'm sending on for comments. The
changelog is my addition, so if that is wrong yell at me.

I wanted to get some more eyes on this, because the current code sets
load_bias to 0 unconditionally on CONFIG_X86 or CONFIG_ARM. I have no
idea why that is. The original execshield patches had an #ifdef on
__i386__ but the patch that was commited to add PIE support has the
CONFIG_X86 setting.

Thoughts welcome.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=708563
[2] http://bugzilla.kernel.org/show_bug.cgi?id=36372

josh

---

From: H.J. Lu <hongjiu.lu@xxxxxxxxx>

Set the load_bias for PIE executables to a non-zero address if no virtual
address is specified. This prevents us from running out of room for all
the various loadable segments when ASLR is disabled.

Signed-off-by: H.J. Lu <hongjiu.lu@xxxxxxxxx>
Signed-off-by: Josh Boyer <jwboyer@xxxxxxxxxx>

---

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 303983f..069ee29 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -794,9 +794,14 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
/* Try and get dynamic programs out of the way of the
* default mmap base, as well as whatever program they
* might try to exec. This is because the brk will
- * follow the loader, and is not movable. */
+ * follow the loader, and is not movable. Don't use
+ * 0 load address since we may not have room for
+ * all loadable segements. */
#if defined(CONFIG_X86) || defined(CONFIG_ARM)
- load_bias = 0;
+ if (vaddr)
+ load_bias = 0;
+ else
+ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE);
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Konrad Rzeszutek Wilk: "[PATCH 7/9] xen/xenbus: Check before dereferencing it."
Previous message: Konrad Rzeszutek Wilk: "[PATCH 6/9] xen/irq: If we fail during msi_capability_init return proper error code."
Next in thread: Andrew Morton: "Re: [RFC PATCH] binfmt_elf: Fix PIE execution with randomizationdisabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]