elf: Check invalid hole in PT_LOAD segments [BZ #28838] (original) (raw)
| Message ID | 20220131152452.1061323-1-hjl.tools@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | Return-Path: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id D6A47385E018 for patchwork@sourceware.org; Mon, 31 Jan 2022 15:25:19 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D6A47385E018 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1643642719; bh=VPHvCIbH38wTwX6FH9nOH1a35ZxkwYw68dJtEq+FnMk=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=vDMbkbQYv78EnTRofDkhArw22JqMc4wD4wqzA7hvW99R+Yq/HE5C04GYznsByI1dw 2EOpc6ToZkAMjzzdmM8wUk72l9kcksNWm2KhmjX/hBmH6Vfzn8+W9UPsZjzWj3p+Au YTrYFniNP6IMECGesWblrn/R+h8Fnu6hgKebdUOM= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by sourceware.org (Postfix) with ESMTPS id 114A0385DC29 for libc-alpha@sourceware.org; Mon, 31 Jan 2022 15:24:55 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 114A0385DC29 Received: by mail-pj1-x1031.google.com with SMTP id oa14-20020a17090b1bce00b001b61aed4a03so12816289pjb.5 for libc-alpha@sourceware.org; Mon, 31 Jan 2022 07:24:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject📅message-id:mime-version :content-transfer-encoding; bh=VPHvCIbH38wTwX6FH9nOH1a35ZxkwYw68dJtEq+FnMk=; b=0Q3UT3FBSHG2mYL/5eF5GhKecRskhknZB0Fr+SA87KHyaRVok85mzlgkQan/jDUzdP FT2qJYOM6rXBVIk7SNgAbLNKyaFpZQWudga8ggyVB6BFecprujkPY/NoJYC/3hCiLPnO CHgSRvvzm4rlAl0FCt+wHyGYmdb+iyvFuLL58EeDfkMTVp6FCSGjiCoffM6i7KOHWUDA gvnCOW6TyUmUgGcu5FLQJFHOhS5mFgsZ3yfhlqVQDet+NrqqRtEd6KDfN9U81qisddyH hp1xI1dQLTy9xoYAQTouZQR7LuvmQEvCoIIv2Apg6qI16rXpaKtm7btnGvcBOfW8UGQT SyCg== X-Gm-Message-State: AOAM531ajTKW5ZkTGQtPMCngmDi8rkH0JFX1erl7TynRZgy6j7hIUAzO tPWSL+lCN1CfuDKDB56pHlE= X-Google-Smtp-Source: ABdhPJxBufSCS1/5JILAv7enT0habfDcllTU7WmYyKFPUAWQoSyl8Yc+9RT7BgzvD1yice57Jza10A== X-Received: by 2002:a17:90a:648f:: with SMTP id h15mr23985330pjj.122.1643642694004; Mon, 31 Jan 2022 07:24:54 -0800 (PST) Received: from gnu-tgl-3.localdomain ([172.58.35.133]) by smtp.gmail.com with ESMTPSA id o9sm7878777pfw.86.2022.01.31.07.24.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Jan 2022 07:24:53 -0800 (PST) Received: from gnu-tgl-3.. (localhost [IPv6:::1]) by gnu-tgl-3.localdomain (Postfix) with ESMTP id 97AD7C043B; Mon, 31 Jan 2022 07:24:52 -0800 (PST) To: libc-alpha@sourceware.org Subject: [PATCH] elf: Check invalid hole in PT_LOAD segments [BZ #28838] Date: Mon, 31 Jan 2022 07:24:52 -0800 Message-Id: 20220131152452.1061323-1-hjl.tools@gmail.com X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3028.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: https://sourceware.org/mailman/options/libc-alpha, mailto:libc-alpha-request@sourceware.org?subject=unsubscribe List-Archive: https://sourceware.org/pipermail/libc-alpha/ List-Post: mailto:libc-alpha@sourceware.org List-Help: mailto:libc-alpha-request@sourceware.org?subject=help List-Subscribe: https://sourceware.org/mailman/listinfo/libc-alpha, mailto:libc-alpha-request@sourceware.org?subject=subscribe From: "H.J. Lu via Libc-alpha" libc-alpha@sourceware.org Reply-To: "H.J. Lu" hjl.tools@gmail.com Cc: Florian Weimer fweimer@redhat.com Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" libc-alpha-bounces+patchwork=sourceware.org@sourceware.org |
| Series | elf: Check invalid hole in PT_LOAD segments [BZ #28838] | elf: Check invalid hole in PT_LOAD segments [BZ #28838] |
Checks
| Context | Check | Description |
|---|---|---|
| dj/TryBot-apply_patch | success | Patch applied to master at the time it was sent |
| dj/TryBot-32bit | success | Build for i686 |
Commit Message
H.J. Lu Jan. 31, 2022, 3:24 p.m. UTC
commit 163f625cf9becbb82dfec63a29e566324129c0cd Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 12:35:47 2021 -0800
elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]removed the p_align check against the page size. It caused the loader crash in shared objects with the invalid p_align. Update _dl_map_segments to detect invalid holes. This fixes BZ #28838.
elf/dl-map-segments.h | 3 +++ 1 file changed, 3 insertions(+)
Comments
- H. J. Lu:
commit 163f625cf9becbb82dfec63a29e566324129c0cd Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 12:35:47 2021 -0800
elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]removed the p_align check against the page size. It caused the loader crash in shared objects with the invalid p_align. Update _dl_map_segments to detect invalid holes. This fixes BZ #28838.
Commit message should reference commit ID and mention the failing test/module name.
elf/dl-map-segments.h | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h index 172692b120..fd24cf5d01 100644 --- a/elf/dl-map-segments.h +++ b/elf/dl-map-segments.h @@ -113,6 +113,9 @@ _dl_map_segments (struct link_map *l, int fd, unallocated. Then jump into the normal segment-mapping loop to handle the portion of the segment past the end of the file mapping. */ + if (_glibc_unlikely (loadcmds[nloadcmds - 1].mapstart < + c->mapend)) + return N("ELF load command address/offset not page-aligned"); if (__glibc_unlikely (__mprotect ((caddr_t) (l->l_addr + c->mapend), loadcmds[nloadcmds - 1].mapstart - c->mapend,
This seems to be fairly risky because I don't think that so far, we enforce increasing LOAD segment addresses (although required by te EHF specification).
Given
LDFLAGS-tst-p_alignmod3.so += -Wl,-z,max-page-size=0x100,-z,common-page-size=0x100
and RELRO construction for that
.../elf/tst-p_alignmod3.so: cannot change memory protections
seems to be a valid failure string for this test. However, worst case, there could be a different kind of failure, if the RELRO mprotect start is page-aligned by chance, and the kernel rounds up the end address to a page boundary. The RELRO protection then covers more than what the link editor expected, and this can cause crashes later on. But this isn't something we can detect easily, I think.
Thanks, Florian
On Mon, Jan 31, 2022 at 7:40 AM Florian Weimer fweimer@redhat.com wrote:
- H. J. Lu:
commit 163f625cf9becbb82dfec63a29e566324129c0cd Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 12:35:47 2021 -0800
elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]removed the p_align check against the page size. It caused the loader crash in shared objects with the invalid p_align. Update _dl_map_segments to detect invalid holes. This fixes BZ #28838.
Commit message should reference commit ID and mention the failing test/module name.
elf/dl-map-segments.h | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h index 172692b120..fd24cf5d01 100644 --- a/elf/dl-map-segments.h +++ b/elf/dl-map-segments.h @@ -113,6 +113,9 @@ _dl_map_segments (struct link_map *l, int fd, unallocated. Then jump into the normal segment-mapping loop to handle the portion of the segment past the end of the file mapping. */
if (__glibc_unlikely (loadcmds[nloadcmds - 1].mapstart <c->mapend))return N_("ELF load command address/offset not page-aligned"); if (__glibc_unlikely (__mprotect ((caddr_t) (l->l_addr + c->mapend), loadcmds[nloadcmds - 1].mapstart - c->mapend, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^If loadcmds[nloadcmds - 1].mapstart < c->mapend, the length argument passed to __mprotect is a huge number and invalid.
This seems to be fairly risky because I don't think that so far, we enforce increasing LOAD segment addresses (although required by te EHF specification).
Given
LDFLAGS-tst-p_alignmod3.so += -Wl,-z,max-page-size=0x100,-z,common-page-size=0x100
and RELRO construction for that
.../elf/tst-p_alignmod3.so: cannot change memory protections
seems to be a valid failure string for this test. However, worst case, there could be a different kind of failure, if the RELRO mprotect start is page-aligned by chance, and the kernel rounds up the end address to a page boundary. The RELRO protection then covers more than what the link editor expected, and this can cause crashes later on. But this isn't something we can detect easily, I think.
Thanks, Florian
On Mon, Jan 31, 2022 at 7:40 AM Florian Weimer fweimer@redhat.com wrote:
- H. J. Lu:
commit 163f625cf9becbb82dfec63a29e566324129c0cd Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 12:35:47 2021 -0800
elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]removed the p_align check against the page size. It caused the loader crash in shared objects with the invalid p_align. Update _dl_map_segments to detect invalid holes. This fixes BZ #28838.
Commit message should reference commit ID and mention the failing test/module name.
How about this?
commit 163f625cf9becbb82dfec63a29e566324129c0cd Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 12:35:47 2021 -0800
elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]removed the p_align check against the page size. It caused the loader crash on elf/tst-p_align3 when loading elf/tst-p_alignmod3.so, which has the invalid p_align in PT_LOAD segments, added by
commit d8d94863ef125a392b929732b37e07dc927fbcd1 Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 13:42:28 2021 -0800
The loader crash is random, depending on architecture and toolchain. Update _dl_map_segments to detect invalid holes. This fixes BZ #28838.
elf/dl-map-segments.h | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h index 172692b120..fd24cf5d01 100644 --- a/elf/dl-map-segments.h +++ b/elf/dl-map-segments.h @@ -113,6 +113,9 @@ _dl_map_segments (struct link_map *l, int fd, unallocated. Then jump into the normal segment-mapping loop to handle the portion of the segment past the end of the file mapping. */
if (__glibc_unlikely (loadcmds[nloadcmds - 1].mapstart <c->mapend))return N_("ELF load command address/offset not page-aligned"); if (__glibc_unlikely (__mprotect ((caddr_t) (l->l_addr + c->mapend), loadcmds[nloadcmds - 1].mapstart - c->mapend,This seems to be fairly risky because I don't think that so far, we enforce increasing LOAD segment addresses (although required by te EHF specification).
Given
LDFLAGS-tst-p_alignmod3.so += -Wl,-z,max-page-size=0x100,-z,common-page-size=0x100
and RELRO construction for that
.../elf/tst-p_alignmod3.so: cannot change memory protections
seems to be a valid failure string for this test. However, worst case, there could be a different kind of failure, if the RELRO mprotect start is page-aligned by chance, and the kernel rounds up the end address to a page boundary. The RELRO protection then covers more than what the link editor expected, and this can cause crashes later on. But this isn't something we can detect easily, I think.
Thanks, Florian
On Tue, 1 Feb 2022 at 04:24, H.J. Lu hjl.tools@gmail.com wrote:
commit 163f625cf9becbb82dfec63a29e566324129c0cd Author: H.J. Lu hjl.tools@gmail.com Date: Tue Dec 21 12:35:47 2021 -0800
elf: Remove excessive p_align check on PT_LOAD segments [BZ #28688]removed the p_align check against the page size. It caused the loader crash in shared objects with the invalid p_align. Update _dl_map_segments to detect invalid holes. This fixes BZ #28838.
I am not competent to have an opinion on the correctness of the change, but the test passes on Launchapd's i386 and amd64 builders with it.
Cheers, mwh
elf/dl-map-segments.h | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h index 172692b120..fd24cf5d01 100644 --- a/elf/dl-map-segments.h +++ b/elf/dl-map-segments.h @@ -113,6 +113,9 @@ _dl_map_segments (struct link_map *l, int fd, unallocated. Then jump into the normal segment-mapping loop to handle the portion of the segment past the end of the file mapping. */ + if (_glibc_unlikely (loadcmds[nloadcmds - 1].mapstart < + c->mapend)) + return N("ELF load command address/offset not page-aligned"); if (__glibc_unlikely (__mprotect ((caddr_t) (l->l_addr + c->mapend), loadcmds[nloadcmds - 1].mapstart - c->mapend,
2.34.1
Patch
@@ -113,6 +113,9 @@ _dl_map_segments (struct link_map *l, int fd, unallocated. Then jump into the normal segment-mapping loop to handle the portion of the segment past the end of the file mapping. */ + if (_glibc_unlikely (loadcmds[nloadcmds - 1].mapstart < + c->mapend)) + return N("ELF load command address/offset not page-aligned"); if (__glibc_unlikely (__mprotect ((caddr_t) (l->l_addr + c->mapend), loadcmds[nloadcmds - 1].mapstart - c->mapend,