From patchwork Thu Aug 17 01:09:28 2017
X-Patchwork-Submitter: Nicolas Pitre
X-Patchwork-Id: 110288
Date: Wed, 16 Aug 2017 21:09:28 -0400 (EDT)
From: Nicolas Pitre
To: Alexander Viro
cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] binfmt_elf_fdpic: fix crash on MMU system with dynamic binaries

In elf_fdpic_map_file() there is a test to ensure the dynamic section in user space is properly terminated. However it does so by dereferencing a user address directly. Add proper user space accessor.

Signed-off-by: Nicolas Pitre
---
 fs/binfmt_elf_fdpic.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index cf93a4fad0..6ae00b1102 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -830,6 +830,9 @@ static int elf_fdpic_map_file(struct elf_fdpic_params *params, if (phdr->p_vaddr >= seg->p_vaddr && phdr->p_vaddr + phdr->p_memsz <= seg->p_vaddr + seg->p_memsz) { + Elf32_Dyn __user *dyn; + Elf32_Sword d_tag; + params->dynamic_addr = (phdr->p_vaddr - seg->p_vaddr) + seg->addr; 
@@ -842,8 +845,9 @@ static int elf_fdpic_map_file(struct elf_fdpic_params *params, goto dynamic_error; tmp = phdr->p_memsz / sizeof(Elf32_Dyn); - if (((Elf32_Dyn *) - params->dynamic_addr)[tmp - 1].d_tag != 0) + dyn = (Elf32_Dyn __user *)params->dynamic_addr; + __get_user(d_tag, &dyn[tmp - 1].d_tag); + if (d_tag != 0) goto dynamic_error; break; }
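
Review bot: The return value of __get_user() in the second hunk (the line `__get_user(d_tag, &dyn[tmp - 1].d_tag);`) is discarded, so a faulting read is not distinguished from a successful one. On a fault d_tag does not hold a value read from user space, and if the accessor leaves it zero the following `if (d_tag != 0)` test accepts a dynamic section whose last entry could not be read at all. Suggest folding the two together, for example `if (__get_user(d_tag, &dyn[tmp - 1].d_tag) || d_tag != 0) goto dynamic_error;`. Separately, __get_user() does not perform the access_ok() range check that get_user() does; either use get_user() here or add a short comment stating why params->dynamic_addr, computed from seg->addr in the first hunk's context, is already known to lie in the user address range.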