    fs/binfmt_elf.c: fix bug in loading of PIE binaries · a87938b2
    Michael Davidson authored
    With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down
    address allocation strategy, load_elf_binary() will attempt to map a PIE
    binary into an address range immediately below mm->mmap_base.
    
    Unfortunately, load_elf_binary() does not take account of the need to
    allocate sufficient space for the entire binary which means that, while
    the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent
    PT_LOAD segment(s) end up being mapped above mm->mmap_base into the area
    that is supposed to be the "gap" between the stack and the binary.
    
    Since the size of the "gap" on x86_64 is only guaranteed to be 128MB this
    means that binaries with large data segments > 128MB can end up mapping
    part of their data segment over their stack resulting in corruption of the
    stack (and the data segment once the binary starts to run).
    
    Any PIE binary with a data segment > 128MB is vulnerable to this although
    address randomization means that the actual gap between the stack and the
    end of the binary is normally greater than 128MB.  The larger the data
    segment of the binary the higher the probability of failure.
    
    Fix this by calculating the total size of the binary in the same way as
    load_elf_interp().
    Signed-off-by: Michael Davidson <md@google.com>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>