* [PATCH v2] fs/binfmt_elf.c: disallow invalid entry point address
@ 2021-12-12 20:40 H.J. Lu
2021-12-13 16:40 ` Eric W. Biederman
0 siblings, 1 reply; 2+ messages in thread
From: H.J. Lu @ 2021-12-12 20:40 UTC (permalink / raw)
To: linux-kernel; +Cc: Linus Torvalds, Andrew Morton, Alexey Dobriyan
On Linux, the start of the first PT_LOAD segment is the ELF header and
the address 0 points to the ELF magic bytes. Update the ELF loader to
disallow ELF binaries with entry point address smaller than the ELF
header size. This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=215303
Tested by booting Fedora 35 and running a shared library with invalid
entry point address:
$ readelf -h load.so | grep "Entry point address:"
Entry point address: 0x4
$ ./load.so
bash: ./load.so: cannot execute binary file: Exec format error
$
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
---
fs/binfmt_elf.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index bd78587194dc..7f035022131b 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -850,6 +850,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
goto out;
+ if (elf_ex->e_entry < sizeof(*elf_ex))
+ goto out;
if (!elf_check_arch(elf_ex))
goto out;
if (elf_check_fdpic(elf_ex))
--
2.33.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] fs/binfmt_elf.c: disallow invalid entry point address
2021-12-12 20:40 [PATCH v2] fs/binfmt_elf.c: disallow invalid entry point address H.J. Lu
@ 2021-12-13 16:40 ` Eric W. Biederman
0 siblings, 0 replies; 2+ messages in thread
From: Eric W. Biederman @ 2021-12-13 16:40 UTC (permalink / raw)
To: H.J. Lu; +Cc: linux-kernel, Linus Torvalds, Andrew Morton, Alexey Dobriyan
"H.J. Lu" <hjl.tools@gmail.com> writes:
> On Linux, the start of the first PT_LOAD segment is the ELF header and
> the address 0 points to the ELF magic bytes. Update the ELF loader to
> disallow ELF binaries with entry point address smaller than the ELF
> header size.
I kind of get why that was suggested but there is most definitely no
requirement for the program headers to be loaded let alone be at any
particular virtual address. We could be talking about a static elf
binary.
> This fixes:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=215303
>
> Tested by booting Fedora 35 and running a shared library with invalid
> entry point address:
>
> $ readelf -h load.so | grep "Entry point address:"
> Entry point address: 0x4
> $ ./load.so
> bash: ./load.so: cannot execute binary file: Exec format error
> $
Is the point of this keeping shared libraries from executing?
What is gained by this patch?
Eric
> Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
> ---
> fs/binfmt_elf.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index bd78587194dc..7f035022131b 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -850,6 +850,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
>
> if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
> goto out;
> + if (elf_ex->e_entry < sizeof(*elf_ex))
> + goto out;
> if (!elf_check_arch(elf_ex))
> goto out;
> if (elf_check_fdpic(elf_ex))
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-12-13 16:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-12 20:40 [PATCH v2] fs/binfmt_elf.c: disallow invalid entry point address H.J. Lu
2021-12-13 16:40 ` Eric W. Biederman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).