From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by sourceware.org (Postfix) with ESMTPS id DEA783858400 for ; Tue, 8 Mar 2022 09:45:29 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org DEA783858400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D55DB6120A; Tue, 8 Mar 2022 09:45:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 11416C340EC; Tue, 8 Mar 2022 09:45:25 +0000 (UTC) Date: Tue, 8 Mar 2022 09:45:22 +0000 From: Will Deacon To: Kees Cook Cc: Mark Brown , Catalin Marinas , Szabolcs Nagy , Jeremy Linton , "H . J . Lu" , Yu-cheng Yu , Eric Biederman , linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, libc-alpha@sourceware.org, Dave Martin Subject: Re: [PATCH v10 1/2] elf: Allow architectures to parse properties on the main executable Message-ID: <20220308094521.GA31063@willie-the-truck> References: <20220228130606.1070960-1-broonie@kernel.org> <20220228130606.1070960-2-broonie@kernel.org> <202203071551.DBABE01@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202203071551.DBABE01@keescook> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-10.5 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Mar 2022 09:45:31 -0000 On Mon, Mar 07, 2022 at 04:00:15PM -0800, Kees Cook wrote: > On Mon, Feb 28, 2022 at 01:06:05PM +0000, Mark Brown wrote: > > Currently the ELF code only attempts to parse properties on the image > > that will start execution, either the interpreter or for statically linked > > executables the main executable. The expectation is that any property > > handling for the main executable will be done by the interpreter. This is > > a bit inconsistent since we do map the executable and is causing problems > > for the arm64 BTI support when used in conjunction with systemd's use of > > seccomp to implement MemoryDenyWriteExecute which stops the dynamic linker > > adjusting the permissions of executable segments. > > > > Allow architectures to handle properties for both the dynamic linker and > > main executable, adjusting arch_parse_elf_properties() to have a new > > flag is_interp flag as with arch_elf_adjust_prot() and calling it for > > both the main executable and any intepreter. > > > > The user of this code, arm64, is adapted to ensure that there is no > > functional change. > > > > Signed-off-by: Mark Brown > > Tested-by: Jeremy Linton > > Reviewed-by: Dave Martin > > Reviewed-by: Catalin Marinas > > --- > > arch/arm64/include/asm/elf.h | 3 ++- > > fs/binfmt_elf.c | 32 +++++++++++++++++++++++--------- > > include/linux/elf.h | 4 +++- > > 3 files changed, 28 insertions(+), 11 deletions(-) > > > > diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h > > index 97932fbf973d..5cc002376abe 100644 > > --- a/arch/arm64/include/asm/elf.h > > +++ b/arch/arm64/include/asm/elf.h > > @@ -259,6 +259,7 @@ struct arch_elf_state { > > > > static inline int arch_parse_elf_property(u32 type, const void *data, > > size_t datasz, bool compat, > > + bool has_interp, bool is_interp, > > struct arch_elf_state *arch) > > Adding more and more args to a functions like this gives me the sense > that some kind of argument structure is needed. > > Once I get enough unit testing written in here, I'm hoping to refactor > a bunch of this. To the future! :) > > > @@ -828,6 +832,7 @@ static int load_elf_binary(struct linux_binprm *bprm) > > unsigned long error; > > struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL; > > struct elf_phdr *elf_property_phdata = NULL; > > + struct elf_phdr *interp_elf_property_phdata = NULL; > > unsigned long elf_bss, elf_brk; > > int bss_prot = 0; > > int retval, i; > > @@ -865,6 +870,9 @@ static int load_elf_binary(struct linux_binprm *bprm) > > for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) { > > char *elf_interpreter; > > > > + if (interpreter && elf_property_phdata) > > + break; > > + > > This is not okay. This introduces a memory resource leak for malicious > ELF files with multiple INTERP headers. > > > if (elf_ppnt->p_type == PT_GNU_PROPERTY) { > > elf_property_phdata = elf_ppnt; > > continue; > > @@ -919,7 +927,7 @@ static int load_elf_binary(struct linux_binprm *bprm) > > if (retval < 0) > > goto out_free_dentry; > > > > - break; > > + continue; > > Because of this. > > As a fix, I'd expect the PT_INTERP test to be updated: > > if (interpreter || elf_ppnt->p_type != PT_INTERP) > continue; Thanks, Kees. I'll drop this branch from -next until it's been resolved. Will