From: Kees Cook
To: Andrew Morton
Cc: Kees Cook, Hector Marco-Gisbert, Ismael Ripoll Ripoll, Alexander Viro, "Kirill A. Shutemov", Oleg Nesterov, Chen Gang, Michal Hocko, Konstantin Khlebnikov, Andrea Arcangeli, Andrey Ryabinin, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH 0/2] binfmt_elf: fix calculations for bss padding
Date: Fri, 8 Jul 2016 14:48:12 -0700
Message-Id: <1468014494-25291-1-git-send-email-keescook@chromium.org>

This fixes a double-bug in ELF loading, as noticed by Hector Marco-Gisbert. To quote his original email:

    The size of the bss section for some interpreters is not correctly
    calculated resulting in unnecessary calls to vm_brk() with enormous
    size values.

    The bug appears when loading some interpreters with a small bss size.
    Once the last loadable segment has been loaded, the bss section is
    zeroed up to the page boundary and the elf_bss variable is updated to
    this new page boundary. Because of this update (alignment), the
    last_bss could be less than elf_bss and the subtraction
    "last_bss - elf_bss" value could overflow.

    ... [e.g.] The size value requested to the vm_brk() call
    (last_bss - elf_bss) is 0xfffffffffffff938 and internally this size
    is page aligned in the do_brk() function resulting in a 0 length
    request.

This series takes a slightly different approach to fixing it and updates vm_brk to refuse bad allocation sizes.

-Kees
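A constructed C model of the arithmetic in Hector's report, added here and not taken from the kernel: the page-aligned elf_bss overtakes last_bss, the subtraction wraps to 0xfffffffffffff938, do_brk's page alignment collapses that to a zero-length request, and two guards show a loader-side check and the vm_brk-side refusal the cover letter describes. Function names (bss_request_unchecked, vm_brk_guarded, etc.) and the segment addresses are assumptions; it models a 64-bit kernel with 4 KiB pages.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed model (not kernel code): 64-bit kernel, 4 KiB pages. */
#define PAGE_SIZE     ((uint64_t)4096)
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

/* Loader arithmetic from the report: after the partial page is zeroed,
 * elf_bss is rounded up to the page boundary and (last_bss - elf_bss) is
 * handed to vm_brk() unchecked; it wraps when last_bss < aligned elf_bss. */
static uint64_t bss_request_unchecked(uint64_t elf_bss, uint64_t last_bss)
{
    elf_bss = PAGE_ALIGN(elf_bss);
    return last_bss - elf_bss;
}

/* do_brk() page-aligns the request; a wrapped value near UINT64_MAX
 * collapses to a zero-length request, as the report observes. */
static uint64_t do_brk_len(uint64_t request)
{
    return PAGE_ALIGN(request);
}

/* Loader-side guard: request padding only if last_bss lies past the
 * aligned elf_bss; otherwise nothing remains to be mapped. */
static uint64_t bss_request_checked(uint64_t elf_bss, uint64_t last_bss)
{
    elf_bss = PAGE_ALIGN(elf_bss);
    return last_bss > elf_bss ? last_bss - elf_bss : 0;
}

/* vm_brk-side guard (the approach the series describes): refuse a size
 * whose page-aligned form wrapped. Returns the aligned length, or -1 on
 * refusal (lengths above INT64_MAX are not modelled). */
static int64_t vm_brk_guarded(uint64_t request)
{
    uint64_t len = PAGE_ALIGN(request);
    return len < request ? -1 : (int64_t)len;
}

int main(void)
{
    /* Constructed segment: file data ends at 0x600800 and memsz at 0x600938,
     * so the whole bss sits inside the page that gets zeroed and aligned. */
    uint64_t req = bss_request_unchecked(0x600800, 0x600938);
    printf("unchecked %#" PRIx64 " -> do_brk len %#" PRIx64 "\n", req, do_brk_len(req));
    printf("checked %#" PRIx64 ", guarded vm_brk returns %" PRId64 "\n",
           bss_request_checked(0x600800, 0x600938), vm_brk_guarded(req));
    return 0;
}
```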