[PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
@ 2021-09-28 12:56 Chen Jingwen
  2021-09-28 22:21 ` Andrew Morton
  2021-10-04 20:00 ` Kees Cook
  0 siblings, 2 replies; 6+ messages in thread
From: Chen Jingwen @ 2021-09-28 12:56 UTC (permalink / raw)
  To: Chen Jingwen, linux-fsdevel, linux-kernel
  Cc: Alexander Viro, Michal Hocko, Andrei Vagin, Khalid Aziz,
	Michael Ellerman, Andrew Morton

In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings")
we still leave MAP_FIXED_NOREPLACE in place for load_elf_interp.
Unfortunately, this will cause kernel to fail to start with

[    2.384321] 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
[    2.386240] Failed to execute /init (error -17)

The reason is that the elf interpreter (ld.so) has overlapping segments.

readelf -l ld-2.31.so
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x000000000002c94c 0x000000000002c94c  R E    0x10000
  LOAD           0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
                 0x00000000000021e8 0x0000000000002320  RW     0x10000
  LOAD           0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
                 0x00000000000011ac 0x0000000000001328  RW     0x10000

The reason for this problem is the same as described in
commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
Not only executable binaries, elf interpreters (e.g. ld.so) can have
overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
back to MAP_FIXED in load_elf_interp.

Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
Cc: <stable@vger.kernel.org> # v4.19
Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
---
 fs/binfmt_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 69d900a8473d..a813b70f594e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -630,7 +630,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
 
 			vaddr = eppnt->p_vaddr;
 			if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
-				elf_type |= MAP_FIXED_NOREPLACE;
+				elf_type |= MAP_FIXED;
 			else if (no_base && interp_elf_ex->e_type == ET_DYN)
 				load_addr = -vaddr;
 
-- 
2.12.3


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
  2021-09-28 12:56 [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings Chen Jingwen
@ 2021-09-28 22:21 ` Andrew Morton
  2021-10-04 20:00 ` Kees Cook
  1 sibling, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2021-09-28 22:21 UTC (permalink / raw)
  To: Chen Jingwen
  Cc: linux-fsdevel, linux-kernel, Alexander Viro, Michal Hocko,
	Andrei Vagin, Khalid Aziz, Michael Ellerman, Linus Torvalds

(cc Linus)

On Tue, 28 Sep 2021 20:56:57 +0800 Chen Jingwen <chenjingwen6@huawei.com> wrote:

> In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings")
> we still leave MAP_FIXED_NOREPLACE in place for load_elf_interp.
> Unfortunately, this will cause kernel to fail to start with
> 
> [    2.384321] 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
> [    2.386240] Failed to execute /init (error -17)
> 
> The reason is that the elf interpreter (ld.so) has overlapping segments.
> 
> readelf -l ld-2.31.so
> Program Headers:
>   Type           Offset             VirtAddr           PhysAddr
>                  FileSiz            MemSiz              Flags  Align
>   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
>                  0x000000000002c94c 0x000000000002c94c  R E    0x10000
>   LOAD           0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
>                  0x00000000000021e8 0x0000000000002320  RW     0x10000
>   LOAD           0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
>                  0x00000000000011ac 0x0000000000001328  RW     0x10000
> 
> The reason for this problem is the same as described in
> commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
> Not only executable binaries, elf interpreters (e.g. ld.so) can have
> overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
> back to MAP_FIXED in load_elf_interp.
> 
> Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
> Cc: <stable@vger.kernel.org> # v4.19
> Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
> ---
>  fs/binfmt_elf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 69d900a8473d..a813b70f594e 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -630,7 +630,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
>  
>  			vaddr = eppnt->p_vaddr;
>  			if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
> -				elf_type |= MAP_FIXED_NOREPLACE;
> +				elf_type |= MAP_FIXED;
>  			else if (no_base && interp_elf_ex->e_type == ET_DYN)
>  				load_addr = -vaddr;
>  
> -- 
> 2.12.3

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
  2021-09-28 12:56 [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings Chen Jingwen
  2021-09-28 22:21 ` Andrew Morton
@ 2021-10-04 20:00 ` Kees Cook
  2021-10-05 23:12   ` Andrew Morton
  2021-10-18  6:51   ` ChenJingwen
  1 sibling, 2 replies; 6+ messages in thread
From: Kees Cook @ 2021-10-04 20:00 UTC (permalink / raw)
  To: Chen Jingwen
  Cc: linux-fsdevel, linux-kernel, Alexander Viro, Michal Hocko,
	Andrei Vagin, Khalid Aziz, Michael Ellerman, Andrew Morton,
	Linus Torvalds

On Tue, Sep 28, 2021 at 08:56:57PM +0800, Chen Jingwen wrote:
> In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings")
> we still leave MAP_FIXED_NOREPLACE in place for load_elf_interp.
> Unfortunately, this will cause kernel to fail to start with
> 
> [    2.384321] 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
> [    2.386240] Failed to execute /init (error -17)
> 

I guess you mean "init" fails to start (but yes, same result).

> The reason is that the elf interpreter (ld.so) has overlapping segments.

Ewww. What toolchain generated this (and what caused it to just start
happening)? (This was added in v4.17; it's been 3 years.)

> 
> readelf -l ld-2.31.so
> Program Headers:
>   Type           Offset             VirtAddr           PhysAddr
>                  FileSiz            MemSiz              Flags  Align
>   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
>                  0x000000000002c94c 0x000000000002c94c  R E    0x10000
>   LOAD           0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
>                  0x00000000000021e8 0x0000000000002320  RW     0x10000
>   LOAD           0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
>                  0x00000000000011ac 0x0000000000001328  RW     0x10000
> 
> The reason for this problem is the same as described in
> commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
> Not only executable binaries, elf interpreters (e.g. ld.so) can have
> overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
> back to MAP_FIXED in load_elf_interp.

We could also just expand the logic that fixed[1] this for ELF, yes?

Andrew, are you able to pick up [1], BTW? It seems to have fallen
through the cracks.

[1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u

> 
> Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
> Cc: <stable@vger.kernel.org> # v4.19
> Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
> ---
>  fs/binfmt_elf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 69d900a8473d..a813b70f594e 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -630,7 +630,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
>  
>  			vaddr = eppnt->p_vaddr;
>  			if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
> -				elf_type |= MAP_FIXED_NOREPLACE;
> +				elf_type |= MAP_FIXED;
>  			else if (no_base && interp_elf_ex->e_type == ET_DYN)
>  				load_addr = -vaddr;


-- 
Kees Cook

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
  2021-10-04 20:00 ` Kees Cook
@ 2021-10-05 23:12   ` Andrew Morton
  2021-10-05 23:27     ` Kees Cook
  2021-10-18  6:51   ` ChenJingwen
  1 sibling, 1 reply; 6+ messages in thread
From: Andrew Morton @ 2021-10-05 23:12 UTC (permalink / raw)
  To: Kees Cook
  Cc: Chen Jingwen, linux-fsdevel, linux-kernel, Alexander Viro,
	Michal Hocko, Andrei Vagin, Khalid Aziz, Michael Ellerman,
	Linus Torvalds

On Mon, 4 Oct 2021 13:00:07 -0700 Kees Cook <keescook@chromium.org> wrote:

> Andrew, are you able to pick up [1], BTW? It seems to have fallen
> through the cracks.
> 
> [1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u

I added that to -mm on 19 September.:
https://ozlabs.org/~akpm/mmotm/broken-out/binfmt_elf-reintroduce-using-map_fixed_noreplace.patch

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
  2021-10-05 23:12   ` Andrew Morton
@ 2021-10-05 23:27     ` Kees Cook
  0 siblings, 0 replies; 6+ messages in thread
From: Kees Cook @ 2021-10-05 23:27 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Chen Jingwen, linux-fsdevel, linux-kernel, Alexander Viro,
	Michal Hocko, Andrei Vagin, Khalid Aziz, Michael Ellerman,
	Linus Torvalds

On Tue, Oct 05, 2021 at 04:12:12PM -0700, Andrew Morton wrote:
> On Mon, 4 Oct 2021 13:00:07 -0700 Kees Cook <keescook@chromium.org> wrote:
> 
> > Andrew, are you able to pick up [1], BTW? It seems to have fallen
> > through the cracks.
> > 
> > [1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u
> 
> I added that to -mm on 19 September.:
> https://ozlabs.org/~akpm/mmotm/broken-out/binfmt_elf-reintroduce-using-map_fixed_noreplace.patch

Ah! Thank you. :)

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
  2021-10-04 20:00 ` Kees Cook
  2021-10-05 23:12   ` Andrew Morton
@ 2021-10-18  6:51   ` ChenJingwen
  1 sibling, 0 replies; 6+ messages in thread
From: ChenJingwen @ 2021-10-18  6:51 UTC (permalink / raw)
  To: keescook
  Cc: akpm, avagin, chenjingwen6, khalid.aziz, linux-fsdevel,
	linux-kernel, mhocko, mpe, torvalds, viro

> >  The reason is that the elf interpreter (ld.so) has overlapping segments.
> >
> Ewww. What toolchain generated this (and what caused it to just start
> happening)? (This was added in v4.17; it's been 3 years.)

gcc 7.3.0 for powerpc Book3E (e5500).

I wonder if there are some linker options related to the overlapping segments.
I tried to find it out why but I failed. And I also didn't see the answer in the
previous discussion yet (Maybe I missed it).

What confuses me is why the other reports only have overlapping sections for
executable binaries or dynamic libraries, but not for their ld.so.
I can keep looking for the reason but it may take a longe time for me.

> > readelf -l ld-2.31.so
> > Program Headers:
> >   Type           Offset             VirtAddr           PhysAddr
> >                  FileSiz            MemSiz              Flags  Align
> >   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
> >                  0x000000000002c94c 0x000000000002c94c  R E    0x10000
> >   LOAD           0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
> >                  0x00000000000021e8 0x0000000000002320  RW     0x10000
> >   LOAD           0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
> >                  0x00000000000011ac 0x0000000000001328  RW     0x10000
> > 
> > The reason for this problem is the same as described in
> > commit ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
> > Not only executable binaries, elf interpreters (e.g. ld.so) can have
> > overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
> > back to MAP_FIXED in load_elf_interp.
>
> We could also just expand the logic that fixed[1] this for ELF, yes?
>
> Andrew, are you able to pick up [1], BTW? It seems to have fallen
> through the cracks.
>
> [1] https://lore.kernel.org/all/20210916215947.3993776-1-keescook@chromium.org/T/#u

Yes, I expand the logic[1] to load_elf_interp and "init" succeeds to start.
Should I submit another patch?

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-10-18  6:51 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-28 12:56 [PATCH] elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings Chen Jingwen
2021-09-28 22:21 ` Andrew Morton
2021-10-04 20:00 ` Kees Cook
2021-10-05 23:12   ` Andrew Morton
2021-10-05 23:27     ` Kees Cook
2021-10-18  6:51   ` ChenJingwen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.