• Kees Cook's avatar
    binfmt_elf: fix calculations for bss padding · 0036d1f7
    Kees Cook authored
    A double-bug exists in the bss calculation code, where an overflow can
    happen in the "last_bss - elf_bss" calculation, but vm_brk internally
    aligns the argument, underflowing it, wrapping back around safe.  We
    shouldn't depend on these bugs staying in sync, so this cleans up the
    bss padding handling to avoid the overflow.
    
    This moves the bss padzero() before the last_bss > elf_bss case, since
    the zero-filling of the ELF_PAGE should have nothing to do with the
    relationship of last_bss and elf_bss: any trailing portion should be
    zeroed, and a zero size is already handled by padzero().
    
    Then it handles the math on elf_bss vs last_bss correctly.  These need
    to both be ELF_PAGE aligned to get the comparison correct, since that's
    the expected granularity of the mappings.  Since elf_bss already had
    alignment-based padding happen in padzero(), the "start" of the new
    vm_brk() should be moved forward as done in the original code.  However,
    since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
    vm_brk() then last_bss should get aligned here to avoid hiding it as a
    side-effect.
    
    Additionally makes a cosmetic change to the initial last_bss calculation
    so it's easier to read in comparison to the load_addr calculation above
    it (i.e.  the only difference is p_filesz vs p_memsz).
    
    Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
    
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Reported-by: default avatarHector Marco-Gisbert <hecmargi@upv.es>
    Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Chen Gang <gang.chen.5i5j@gmail.com>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Konstantin Khlebnikov <koct9i@gmail.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    0036d1f7
binfmt_elf.c 60.8 KB