[PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Kees Cook]

The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.) With the advent of PIE (ET_DYN binaries with
an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
portion of the address space is unused.

For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
are loaded below the mmap region. This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
above the mmap region in all cases, and will now additionally avoid
programs falling back to the mmap region by enforcing MAP_FIXED for
program loads (i.e. if it would have collided with the stack, now it
will fail to load instead of falling back to the mmap region).

To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by the
loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE, which
means architectures can now safely lower their values without risk of
loaders colliding with their subsequently loaded programs.

For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.

Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.

Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v2:
- bump x86_64 ELF_ET_DYN_BASE to 4GB, riel.
- moar comments
---
 arch/x86/include/asm/elf.h | 13 +++++-----
 fs/binfmt_elf.c            | 59 +++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 58 insertions(+), 14 deletions(-)

diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index e8ab9a46bc68..1c18d83d3f09 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -245,12 +245,13 @@ extern int force_personality32;
 #define CORE_DUMP_USE_REGSET
 #define ELF_EXEC_PAGESIZE	4096
 
-/* This is the location that an ET_DYN program is loaded if exec'ed.  Typical
-   use of this is to invoke "./ld.so someprog" to test out a new version of
-   the loader.  We need to make sure that it is out of the way of the program
-   that it will "exec", and that there is sufficient room for the brk.  */
-
-#define ELF_ET_DYN_BASE		(TASK_SIZE / 3 * 2)
+/*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+#define ELF_ET_DYN_BASE		(mmap_is_ia32() ? 0x000400000UL : \
+						  0x100000000UL)
 
 /* This yields a mask that user programs can use to figure out what
    instruction set this CPU supports.  This could be done in user space,
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 5075fd5c62c8..7465c3ea5dd5 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -927,17 +927,60 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
 
 		vaddr = elf_ppnt->p_vaddr;
+		/*
+		 * If we are loading ET_EXEC or we have already performed
+		 * the ET_DYN load_addr calculations, proceed normally.
+		 */
 		if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
 			elf_flags |= MAP_FIXED;
 		} else if (loc->elf_ex.e_type == ET_DYN) {
-			/* Try and get dynamic programs out of the way of the
-			 * default mmap base, as well as whatever program they
-			 * might try to exec.  This is because the brk will
-			 * follow the loader, and is not movable.  */
-			load_bias = ELF_ET_DYN_BASE - vaddr;
-			if (current->flags & PF_RANDOMIZE)
-				load_bias += arch_mmap_rnd();
-			load_bias = ELF_PAGESTART(load_bias);
+			/*
+			 * This logic is run once for the first LOAD Program
+			 * Header for ET_DYN binaries to calculate the
+			 * randomization (load_bias) for all the LOAD
+			 * Program Headers, and to calculate the entire
+			 * size of the ELF mapping (total_size). (Note that
+			 * load_addr_set is set to true later once the
+			 * initial mapping is performed.)
+			 *
+			 * There are effectively two types of ET_DYN
+			 * binaries: programs (i.e. PIE: ET_DYN with INTERP)
+			 * and loaders (ET_DYN without INTERP, since they
+			 * _are_ the ELF interpreter). The loaders must
+			 * be loaded away from programs since the program
+			 * may otherwise collide with the loader (especially
+			 * for ET_EXEC which does not have a randomized
+			 * position). For example to handle invocations of
+			 * "./ld.so someprog" to test out a new version of
+			 * the loader, the subsequent program that the
+			 * loader loads must avoid the loader itself, so
+			 * they cannot share the same load range. Sufficient
+			 * room for the brk must be allocated with the
+			 * loader as well, since brk must be available with
+			 * the loader.
+			 *
+			 * Therefore, programs are loaded offset from
+			 * ELF_ET_DYN_BASE and loaders are loaded into the
+			 * independently randomized mmap region (0 load_bias
+			 * without MAP_FIXED).
+			 */
+			if (elf_interpreter) {
+				load_bias = ELF_ET_DYN_BASE;
+				if (current->flags & PF_RANDOMIZE)
+					load_bias += arch_mmap_rnd();
+				elf_flags |= MAP_FIXED;
+			} else
+				load_bias = 0;
+
+			/*
+			 * Since load_bias is used for all subsequent loading
+			 * calculations, we must lower it by the first vaddr
+			 * so that the remaining calculations based on the
+			 * ELF vaddrs will be correctly offset. The result
+			 * is then page aligned.
+			 */
+			load_bias = ELF_PAGESTART(load_bias - vaddr);
+
 			total_size = total_mapping_size(elf_phdata,
 							loc->elf_ex.e_phnum);
 			if (!total_size) {
-- 
2.7.4


-- 
Kees Cook
Pixel Security

[kernel-hardening] [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Kees Cook]

The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.) With the advent of PIE (ET_DYN binaries with
an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
portion of the address space is unused.

For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
are loaded below the mmap region. This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
above the mmap region in all cases, and will now additionally avoid
programs falling back to the mmap region by enforcing MAP_FIXED for
program loads (i.e. if it would have collided with the stack, now it
will fail to load instead of falling back to the mmap region).

To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by the
loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE, which
means architectures can now safely lower their values without risk of
loaders colliding with their subsequently loaded programs.

For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.

Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.

Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v2:
- bump x86_64 ELF_ET_DYN_BASE to 4GB, riel.
- moar comments
---
 arch/x86/include/asm/elf.h | 13 +++++-----
 fs/binfmt_elf.c            | 59 +++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 58 insertions(+), 14 deletions(-)

diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index e8ab9a46bc68..1c18d83d3f09 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -245,12 +245,13 @@ extern int force_personality32;
 #define CORE_DUMP_USE_REGSET
 #define ELF_EXEC_PAGESIZE	4096
 
-/* This is the location that an ET_DYN program is loaded if exec'ed.  Typical
-   use of this is to invoke "./ld.so someprog" to test out a new version of
-   the loader.  We need to make sure that it is out of the way of the program
-   that it will "exec", and that there is sufficient room for the brk.  */
-
-#define ELF_ET_DYN_BASE		(TASK_SIZE / 3 * 2)
+/*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+#define ELF_ET_DYN_BASE		(mmap_is_ia32() ? 0x000400000UL : \
+						  0x100000000UL)
 
 /* This yields a mask that user programs can use to figure out what
    instruction set this CPU supports.  This could be done in user space,
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 5075fd5c62c8..7465c3ea5dd5 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -927,17 +927,60 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
 
 		vaddr = elf_ppnt->p_vaddr;
+		/*
+		 * If we are loading ET_EXEC or we have already performed
+		 * the ET_DYN load_addr calculations, proceed normally.
+		 */
 		if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
 			elf_flags |= MAP_FIXED;
 		} else if (loc->elf_ex.e_type == ET_DYN) {
-			/* Try and get dynamic programs out of the way of the
-			 * default mmap base, as well as whatever program they
-			 * might try to exec.  This is because the brk will
-			 * follow the loader, and is not movable.  */
-			load_bias = ELF_ET_DYN_BASE - vaddr;
-			if (current->flags & PF_RANDOMIZE)
-				load_bias += arch_mmap_rnd();
-			load_bias = ELF_PAGESTART(load_bias);
+			/*
+			 * This logic is run once for the first LOAD Program
+			 * Header for ET_DYN binaries to calculate the
+			 * randomization (load_bias) for all the LOAD
+			 * Program Headers, and to calculate the entire
+			 * size of the ELF mapping (total_size). (Note that
+			 * load_addr_set is set to true later once the
+			 * initial mapping is performed.)
+			 *
+			 * There are effectively two types of ET_DYN
+			 * binaries: programs (i.e. PIE: ET_DYN with INTERP)
+			 * and loaders (ET_DYN without INTERP, since they
+			 * _are_ the ELF interpreter). The loaders must
+			 * be loaded away from programs since the program
+			 * may otherwise collide with the loader (especially
+			 * for ET_EXEC which does not have a randomized
+			 * position). For example to handle invocations of
+			 * "./ld.so someprog" to test out a new version of
+			 * the loader, the subsequent program that the
+			 * loader loads must avoid the loader itself, so
+			 * they cannot share the same load range. Sufficient
+			 * room for the brk must be allocated with the
+			 * loader as well, since brk must be available with
+			 * the loader.
+			 *
+			 * Therefore, programs are loaded offset from
+			 * ELF_ET_DYN_BASE and loaders are loaded into the
+			 * independently randomized mmap region (0 load_bias
+			 * without MAP_FIXED).
+			 */
+			if (elf_interpreter) {
+				load_bias = ELF_ET_DYN_BASE;
+				if (current->flags & PF_RANDOMIZE)
+					load_bias += arch_mmap_rnd();
+				elf_flags |= MAP_FIXED;
+			} else
+				load_bias = 0;
+
+			/*
+			 * Since load_bias is used for all subsequent loading
+			 * calculations, we must lower it by the first vaddr
+			 * so that the remaining calculations based on the
+			 * ELF vaddrs will be correctly offset. The result
+			 * is then page aligned.
+			 */
+			load_bias = ELF_PAGESTART(load_bias - vaddr);
+
 			total_size = total_mapping_size(elf_phdata,
 							loc->elf_ex.e_phnum);
 			if (!total_size) {
-- 
2.7.4


-- 
Kees Cook
Pixel Security

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Rik van Riel]

On Wed, 2017-06-21 at 10:32 -0700, Kees Cook wrote:

> To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
> are loaded into the mmap region, leaving space available for either
> an
> ET_EXEC binary with a fixed location or PIE being loaded into mmap by
> the
> loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
> which
> means architectures can now safely lower their values without risk of
> loaders colliding with their subsequently loaded programs.
> 
> For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to
> use
> the entire 32-bit address space for 32-bit pointers.
> 
> Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration
> and
> suggestions on how to implement this solution.
> 
> Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Rik van Riel <riel@redhat.com>

[kernel-hardening] Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Rik van Riel]

On Wed, 2017-06-21 at 10:32 -0700, Kees Cook wrote:

> To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
> are loaded into the mmap region, leaving space available for either
> an
> ET_EXEC binary with a fixed location or PIE being loaded into mmap by
> the
> loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
> which
> means architectures can now safely lower their values without risk of
> loaders colliding with their subsequently loaded programs.
> 
> For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to
> use
> the entire 32-bit address space for 32-bit pointers.
> 
> Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration
> and
> suggestions on how to implement this solution.
> 
> Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Rik van Riel <riel@redhat.com>

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Michal Hocko]

On Wed 21-06-17 10:32:01, Kees Cook wrote:
> The ELF_ET_DYN_BASE position was originally intended to keep loaders
> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
> /bin/cat" might cause the subsequent load of /bin/cat into where the
> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
> portion of the address space is unused.
> 
> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> are loaded below the mmap region. This means they can be made to collide
> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
> above the mmap region in all cases, and will now additionally avoid
> programs falling back to the mmap region by enforcing MAP_FIXED for
> program loads (i.e. if it would have collided with the stack, now it
> will fail to load instead of falling back to the mmap region).

I do not understand this part. MAP_FIXED will simply unmap whatever
was under the requested range, how it could help failing anything? So
what would happen if something was mapped in that region, or is this
impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
protection.
-- 
Michal Hocko
SUSE Labs

[kernel-hardening] Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Michal Hocko]

On Wed 21-06-17 10:32:01, Kees Cook wrote:
> The ELF_ET_DYN_BASE position was originally intended to keep loaders
> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
> /bin/cat" might cause the subsequent load of /bin/cat into where the
> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
> portion of the address space is unused.
> 
> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> are loaded below the mmap region. This means they can be made to collide
> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
> above the mmap region in all cases, and will now additionally avoid
> programs falling back to the mmap region by enforcing MAP_FIXED for
> program loads (i.e. if it would have collided with the stack, now it
> will fail to load instead of falling back to the mmap region).

I do not understand this part. MAP_FIXED will simply unmap whatever
was under the requested range, how it could help failing anything? So
what would happen if something was mapped in that region, or is this
impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
protection.
-- 
Michal Hocko
SUSE Labs

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Daniel Micay]

On Tue, 2017-06-27 at 16:49 +0200, Michal Hocko wrote:
> On Wed 21-06-17 10:32:01, Kees Cook wrote:
> > The ELF_ET_DYN_BASE position was originally intended to keep loaders
> > away from ET_EXEC binaries. (For example, running "/lib/ld-
> > linux.so.2
> > /bin/cat" might cause the subsequent load of /bin/cat into where the
> > loader had been loaded.) With the advent of PIE (ET_DYN binaries
> > with
> > an INTERP Program Header), ELF_ET_DYN_BASE continued to be used
> > since
> > the kernel was only looking at ET_DYN. However, since
> > ELF_ET_DYN_BASE
> > is traditionally set at the top 1/3rd of the TASK_SIZE, a
> > substantial
> > portion of the address space is unused.
> > 
> > For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> > are loaded below the mmap region. This means they can be made to
> > collide
> > (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
> > pathological
> > stack regions. Lowering ELF_ET_DYN_BASE solves both by moving
> > programs
> > above the mmap region in all cases, and will now additionally avoid
> > programs falling back to the mmap region by enforcing MAP_FIXED for
> > program loads (i.e. if it would have collided with the stack, now it
> > will fail to load instead of falling back to the mmap region).
> 
> I do not understand this part. MAP_FIXED will simply unmap whatever
> was under the requested range, how it could help failing anything? So
> what would happen if something was mapped in that region, or is this
> impossible? Moreover MAP_FIXED close to stack will inhibit the stack
> gap
> protection.

I don't think there's a reason to use MAP_FIXED. PaX likely ignores the
address hint with RANDMMAP in that code, which would explain it there.

[kernel-hardening] Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Daniel Micay]

On Tue, 2017-06-27 at 16:49 +0200, Michal Hocko wrote:
> On Wed 21-06-17 10:32:01, Kees Cook wrote:
> > The ELF_ET_DYN_BASE position was originally intended to keep loaders
> > away from ET_EXEC binaries. (For example, running "/lib/ld-
> > linux.so.2
> > /bin/cat" might cause the subsequent load of /bin/cat into where the
> > loader had been loaded.) With the advent of PIE (ET_DYN binaries
> > with
> > an INTERP Program Header), ELF_ET_DYN_BASE continued to be used
> > since
> > the kernel was only looking at ET_DYN. However, since
> > ELF_ET_DYN_BASE
> > is traditionally set at the top 1/3rd of the TASK_SIZE, a
> > substantial
> > portion of the address space is unused.
> > 
> > For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> > are loaded below the mmap region. This means they can be made to
> > collide
> > (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
> > pathological
> > stack regions. Lowering ELF_ET_DYN_BASE solves both by moving
> > programs
> > above the mmap region in all cases, and will now additionally avoid
> > programs falling back to the mmap region by enforcing MAP_FIXED for
> > program loads (i.e. if it would have collided with the stack, now it
> > will fail to load instead of falling back to the mmap region).
> 
> I do not understand this part. MAP_FIXED will simply unmap whatever
> was under the requested range, how it could help failing anything? So
> what would happen if something was mapped in that region, or is this
> impossible? Moreover MAP_FIXED close to stack will inhibit the stack
> gap
> protection.

I don't think there's a reason to use MAP_FIXED. PaX likely ignores the
address hint with RANDMMAP in that code, which would explain it there.

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Kees Cook]

On Tue, Jun 27, 2017 at 7:49 AM, Michal Hocko <mhocko@kernel.org> wrote:
> On Wed 21-06-17 10:32:01, Kees Cook wrote:
>> The ELF_ET_DYN_BASE position was originally intended to keep loaders
>> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
>> /bin/cat" might cause the subsequent load of /bin/cat into where the
>> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
>> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
>> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
>> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
>> portion of the address space is unused.
>>
>> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
>> are loaded below the mmap region. This means they can be made to collide
>> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
>> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
>> above the mmap region in all cases, and will now additionally avoid
>> programs falling back to the mmap region by enforcing MAP_FIXED for
>> program loads (i.e. if it would have collided with the stack, now it
>> will fail to load instead of falling back to the mmap region).
>
> I do not understand this part. MAP_FIXED will simply unmap whatever
> was under the requested range, how it could help failing anything? So
> what would happen if something was mapped in that region, or is this
> impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
> protection.

Hmm, well, that's my misunderstanding. Regardless, it should still use
MAP_FIXED otherwise we end up with potentially unpredictable results.
(Note that MAP_FIXED is already used all all remaining allocations, it
was just missing on the first one.)

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Kees Cook]

On Tue, Jun 27, 2017 at 7:49 AM, Michal Hocko <mhocko@kernel.org> wrote:
> On Wed 21-06-17 10:32:01, Kees Cook wrote:
>> The ELF_ET_DYN_BASE position was originally intended to keep loaders
>> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
>> /bin/cat" might cause the subsequent load of /bin/cat into where the
>> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
>> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
>> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
>> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
>> portion of the address space is unused.
>>
>> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
>> are loaded below the mmap region. This means they can be made to collide
>> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
>> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
>> above the mmap region in all cases, and will now additionally avoid
>> programs falling back to the mmap region by enforcing MAP_FIXED for
>> program loads (i.e. if it would have collided with the stack, now it
>> will fail to load instead of falling back to the mmap region).
>
> I do not understand this part. MAP_FIXED will simply unmap whatever
> was under the requested range, how it could help failing anything? So
> what would happen if something was mapped in that region, or is this
> impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
> protection.

Hmm, well, that's my misunderstanding. Regardless, it should still use
MAP_FIXED otherwise we end up with potentially unpredictable results.
(Note that MAP_FIXED is already used all all remaining allocations, it
was just missing on the first one.)

-Kees

-- 
Kees Cook
Pixel Security

[kernel-hardening] Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Kees Cook]

On Tue, Jun 27, 2017 at 7:49 AM, Michal Hocko <mhocko@kernel.org> wrote:
> On Wed 21-06-17 10:32:01, Kees Cook wrote:
>> The ELF_ET_DYN_BASE position was originally intended to keep loaders
>> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
>> /bin/cat" might cause the subsequent load of /bin/cat into where the
>> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
>> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
>> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
>> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
>> portion of the address space is unused.
>>
>> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
>> are loaded below the mmap region. This means they can be made to collide
>> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
>> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
>> above the mmap region in all cases, and will now additionally avoid
>> programs falling back to the mmap region by enforcing MAP_FIXED for
>> program loads (i.e. if it would have collided with the stack, now it
>> will fail to load instead of falling back to the mmap region).
>
> I do not understand this part. MAP_FIXED will simply unmap whatever
> was under the requested range, how it could help failing anything? So
> what would happen if something was mapped in that region, or is this
> impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
> protection.

Hmm, well, that's my misunderstanding. Regardless, it should still use
MAP_FIXED otherwise we end up with potentially unpredictable results.
(Note that MAP_FIXED is already used all all remaining allocations, it
was just missing on the first one.)

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Michal Hocko]

[Sorry for a late reply]

On Tue 27-06-17 13:08:39, Kees Cook wrote:
> On Tue, Jun 27, 2017 at 7:49 AM, Michal Hocko <mhocko@kernel.org> wrote:
> > On Wed 21-06-17 10:32:01, Kees Cook wrote:
> >> The ELF_ET_DYN_BASE position was originally intended to keep loaders
> >> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
> >> /bin/cat" might cause the subsequent load of /bin/cat into where the
> >> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
> >> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
> >> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
> >> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
> >> portion of the address space is unused.
> >>
> >> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> >> are loaded below the mmap region. This means they can be made to collide
> >> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
> >> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
> >> above the mmap region in all cases, and will now additionally avoid
> >> programs falling back to the mmap region by enforcing MAP_FIXED for
> >> program loads (i.e. if it would have collided with the stack, now it
> >> will fail to load instead of falling back to the mmap region).
> >
> > I do not understand this part. MAP_FIXED will simply unmap whatever
> > was under the requested range, how it could help failing anything? So
> > what would happen if something was mapped in that region, or is this
> > impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
> > protection.
> 
> Hmm, well, that's my misunderstanding. Regardless, it should still use
> MAP_FIXED otherwise we end up with potentially unpredictable results.

Why that matters? The base is random, right? This is quite early in
the initialization so the address space should be pretty empty at this
stage.

> (Note that MAP_FIXED is already used all all remaining allocations, it
> was just missing on the first one.)

OK, so what happens when there was an existing mapping at the requested
address and we just punched it off? Will things work properly?
I can see some MAP_FIXED users in load_elf_binary but the function is
simply unparsable for me, unfortunatelly.
-- 
Michal Hocko
SUSE Labs

Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Michal Hocko]

[Sorry for a late reply]

On Tue 27-06-17 13:08:39, Kees Cook wrote:
> On Tue, Jun 27, 2017 at 7:49 AM, Michal Hocko <mhocko@kernel.org> wrote:
> > On Wed 21-06-17 10:32:01, Kees Cook wrote:
> >> The ELF_ET_DYN_BASE position was originally intended to keep loaders
> >> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
> >> /bin/cat" might cause the subsequent load of /bin/cat into where the
> >> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
> >> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
> >> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
> >> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
> >> portion of the address space is unused.
> >>
> >> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> >> are loaded below the mmap region. This means they can be made to collide
> >> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
> >> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
> >> above the mmap region in all cases, and will now additionally avoid
> >> programs falling back to the mmap region by enforcing MAP_FIXED for
> >> program loads (i.e. if it would have collided with the stack, now it
> >> will fail to load instead of falling back to the mmap region).
> >
> > I do not understand this part. MAP_FIXED will simply unmap whatever
> > was under the requested range, how it could help failing anything? So
> > what would happen if something was mapped in that region, or is this
> > impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
> > protection.
> 
> Hmm, well, that's my misunderstanding. Regardless, it should still use
> MAP_FIXED otherwise we end up with potentially unpredictable results.

Why that matters? The base is random, right? This is quite early in
the initialization so the address space should be pretty empty at this
stage.

> (Note that MAP_FIXED is already used all all remaining allocations, it
> was just missing on the first one.)

OK, so what happens when there was an existing mapping at the requested
address and we just punched it off? Will things work properly?
I can see some MAP_FIXED users in load_elf_binary but the function is
simply unparsable for me, unfortunatelly.
-- 
Michal Hocko
SUSE Labs

[kernel-hardening] Re: [PATCH v2] binfmt_elf: Use ELF_ET_DYN_BASE only for PIE

[Michal Hocko]

[Sorry for a late reply]

On Tue 27-06-17 13:08:39, Kees Cook wrote:
> On Tue, Jun 27, 2017 at 7:49 AM, Michal Hocko <mhocko@kernel.org> wrote:
> > On Wed 21-06-17 10:32:01, Kees Cook wrote:
> >> The ELF_ET_DYN_BASE position was originally intended to keep loaders
> >> away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
> >> /bin/cat" might cause the subsequent load of /bin/cat into where the
> >> loader had been loaded.) With the advent of PIE (ET_DYN binaries with
> >> an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since
> >> the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE
> >> is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial
> >> portion of the address space is unused.
> >>
> >> For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs
> >> are loaded below the mmap region. This means they can be made to collide
> >> (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological
> >> stack regions. Lowering ELF_ET_DYN_BASE solves both by moving programs
> >> above the mmap region in all cases, and will now additionally avoid
> >> programs falling back to the mmap region by enforcing MAP_FIXED for
> >> program loads (i.e. if it would have collided with the stack, now it
> >> will fail to load instead of falling back to the mmap region).
> >
> > I do not understand this part. MAP_FIXED will simply unmap whatever
> > was under the requested range, how it could help failing anything? So
> > what would happen if something was mapped in that region, or is this
> > impossible? Moreover MAP_FIXED close to stack will inhibit the stack gap
> > protection.
> 
> Hmm, well, that's my misunderstanding. Regardless, it should still use
> MAP_FIXED otherwise we end up with potentially unpredictable results.

Why that matters? The base is random, right? This is quite early in
the initialization so the address space should be pretty empty at this
stage.

> (Note that MAP_FIXED is already used all all remaining allocations, it
> was just missing on the first one.)

OK, so what happens when there was an existing mapping at the requested
address and we just punched it off? Will things work properly?
I can see some MAP_FIXED users in load_elf_binary but the function is
simply unparsable for me, unfortunatelly.
-- 
Michal Hocko
SUSE Labs