Michael Davidson a425d56c87 fs/binfmt_elf.c: fix bug in loading of PIE binaries ... commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 upstream. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary. Since the size of the "gap" on x86_64 is only guaranteed to be 128MB this means that binaries with large data segments > 128MB can end up mapping part of their data segment over their stack resulting in corruption of the stack (and the data segment once the binary starts to run). Any PIE binary with a data segment > 128MB is vulnerable to this although address randomization means that the actual gap between the stack and the end of the binary is normally greater than 128MB. The larger the data segment of the binary the higher the probability of failure. Fix this by calculating the total size of the binary in the same way as load_elf_interp(). Signed-off-by: Michael Davidson <md@google.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Jiri Kosina <jkosina@suse.cz> Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Zefan Li <lizefan@huawei.com>		2015-09-18 09:20:30 +08:00
..
9p	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
adfs
affs	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
afs
autofs4	autofs4: check dev ioctl size before allocating	2015-06-19 11:40:33 +08:00
befs
bfs
btrfs	Btrfs: fix inode eviction infinite loop after cloning into it	2015-09-18 09:20:30 +08:00
cachefiles	fs: cachefiles: add support for large files in filesystem caching	2014-06-07 16:02:04 -07:00
ceph	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
cifs	cifs: fix use-after-free bug in find_writable_file	2015-06-19 11:40:30 +08:00
coda	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
configfs	configfs: fix race between dentry put and lookup	2013-11-29 10:50:37 -08:00
cramfs
debugfs	debugfs: leave freeing a symlink body until inode eviction	2015-06-19 11:40:18 +08:00
devpts	devpts: plug the memory leak in kill_sb	2013-12-04 10:50:14 -08:00
dlm	dlm fixes for 3.4	2012-04-23 18:22:42 -07:00
ecryptfs	eCryptfs: don't pass fs-specific ioctl commands through	2015-06-19 11:40:20 +08:00
efs
exofs	ore: Fix wrong math in allocation of per device BIO	2014-02-13 11:51:11 -08:00
exportfs	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
ext2	ext2: Fix fs corruption in ext2_get_xip_mem()	2014-09-25 11:49:19 +08:00
ext3	ext3: Don't check quota format when there are no quota files	2015-02-02 17:05:00 +08:00
ext4	ext4: make fsync to sync parent dir in no-journal for real this time	2015-09-18 09:20:27 +08:00
fat	fat: fix possible overflow for fat_clusters	2013-06-07 12:49:12 -07:00
freevxfs
fscache	fs/fscache/stats.c: fix memory leak	2013-05-07 19:51:55 -07:00
fuse	fuse: set stolen page uptodate	2015-06-19 11:40:24 +08:00
gfs2	GFS2: Fix incorrect invalidation for DIO/buffered I/O	2014-01-08 09:42:12 -08:00
hfs
hfsplus	hfsplus: fix B-tree corruption after insertion at position 0	2015-06-19 11:40:29 +08:00
hostfs	Merge branch 'for-linus-3.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml	2012-03-27 18:29:53 -07:00
hpfs	hpfs: deadlock and race in directory lseek()	2014-02-13 11:51:18 -08:00
hppfs
hugetlbfs	hugetlbfs: fix mmap failure in unaligned size request	2013-05-19 10:54:48 -07:00
isofs	isofs: Fix unchecked printing of ER records	2015-04-14 17:33:47 +08:00
jbd	jbd: Fix lock ordering bug in journal_unmap_buffer()	2012-12-03 11:47:10 -08:00
jbd2	ext4/jbd2: don't wait (forever) for stale tid caused by wraparound	2014-03-11 16:10:05 -07:00
jffs2	jffs2: fix handling of corrupted summary length	2015-06-19 11:40:16 +08:00
jfs	jfs: fix readdir regression	2015-04-14 17:34:02 +08:00
lockd	lockd: Try to reconnect if statd has moved	2015-02-02 17:04:42 +08:00
logfs
minix
ncpfs	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
nfs	NFSv4: Don't call put_rpccred() under the rcu_read_lock()	2015-06-19 11:40:20 +08:00
nfs_common
nfsd	nfsd: Fix slot wake up race in the nfsv4.1 callback code	2015-04-14 17:33:37 +08:00
nilfs2	nilfs2: fix potential memory overrun on inode	2015-06-19 11:40:18 +08:00
nls
notify	fsnotify: next_i is freed during fsnotify_unmount_inodes.	2015-04-14 17:34:03 +08:00
ntfs
ocfs2	splice: Apply generic position and size checks to each write	2015-06-19 11:40:32 +08:00
omfs
openpromfs
proc	pagemap: do not leak physical addresses to non-privileged userspace	2015-04-14 17:34:02 +08:00
pstore	pstore: Avoid deadlock in panic and emergency-restart path	2013-03-04 06:06:43 +08:00
qnx4
qnx6
quota	quota: Fix race between dqput() and dquot_scan_active()	2014-03-11 16:10:02 -07:00
ramfs	fs: ramfs: file-nommu: add SetPageUptodate()	2012-07-16 09:04:45 -07:00
reiserfs	reiserfs: fix race in readdir	2014-05-06 07:51:44 -07:00
romfs	MTD merge for 3.4	2012-03-30 17:31:56 -07:00
squashfs	Add an extra mount time sanity check, plus some code cleanups and bug fixes.	2012-03-28 18:05:54 -07:00
sysfs	sysfs: fix use after free in case of concurrent read/write and readdir	2013-05-07 19:51:54 -07:00
sysv
ubifs	UBIFS: fix free log space calculation	2015-02-02 17:04:36 +08:00
udf	udf: Check component length before reading it	2015-04-14 17:33:48 +08:00
ufs	Remove all #inclusions of asm/system.h	2012-03-28 18:30:03 +01:00
xfs	xfs: underflow bug in xfs_attrlist_by_handle()	2013-12-20 07:34:19 -08:00
aio.c	aio: fix possible invalid memory access when DEBUG is enabled	2013-05-01 09:41:03 -07:00
anon_inodes.c
attr.c	vfs: increment iversion when a file is truncated	2012-06-10 00:36:12 +09:00
bad_inode.c
binfmt_aout.c	VM: add "vm_mmap()" helper function	2012-04-20 17:29:13 -07:00
binfmt_elf.c	fs/binfmt_elf.c: fix bug in loading of PIE binaries	2015-09-18 09:20:30 +08:00
binfmt_elf_fdpic.c	VM: add "vm_mmap()" helper function	2012-04-20 17:29:13 -07:00
binfmt_em86.c	exec: use -ELOOP for max recursion depth	2013-03-28 12:12:28 -07:00
binfmt_flat.c	VM: add "vm_mmap()" helper function	2012-04-20 17:29:13 -07:00
binfmt_misc.c	exec: use -ELOOP for max recursion depth	2013-03-28 12:12:28 -07:00
binfmt_script.c	exec: use -ELOOP for max recursion depth	2013-03-28 12:12:28 -07:00
binfmt_som.c	VM: add "vm_mmap()" helper function	2012-04-20 17:29:13 -07:00
bio-integrity.c
bio.c	SCSI: sg: Fix user memory corruption when SG_IO is interrupted by a signal	2013-09-07 21:58:16 -07:00
block_dev.c	writeback: Fix periodic writeback after fs mount	2013-07-28 16:26:08 -07:00
buffer.c	vfs: fix data corruption when blocksize < pagesize for mmaped data	2015-02-02 17:04:52 +08:00
char_dev.c
compat.c	Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys	2013-03-14 11:29:51 -07:00
compat_binfmt_elf.c
compat_ioctl.c	fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check	2012-10-31 10:02:55 -07:00
dcache.c	deal with deadlock in d_walk()	2015-04-14 17:33:58 +08:00
dcookies.c
direct-io.c	fs: Fix possible use-after-free with AIO	2013-03-04 06:06:41 +08:00
drop_caches.c
eventfd.c
eventpoll.c	epoll: prevent missed events on EPOLL_CTL_MOD	2013-01-17 08:50:54 -08:00
exec.c	fs: take i_mutex during prepare_binprm for set[ug]id executables	2015-06-19 11:40:33 +08:00
fcntl.c
fhandle.c
fifo.c	fifo: Do not restart open() if it already found a partner	2012-07-19 08:58:56 -07:00
file.c	fs/file.c:fdtable: avoid triggering OOMs from alloc_fdmem	2014-02-22 10:32:45 -08:00
file_table.c
filesystems.c
fs-writeback.c	writeback: fix a subtle race condition in I_DIRTY clearing	2015-04-14 17:33:41 +08:00
fs_struct.c	The following text was taken from the original review request:	2012-03-24 10:24:31 -07:00
generic_acl.c
inode.c	vfs: Revert spurious fix to spinning prevention in prune_icache_sb	2013-04-16 21:27:26 -07:00
internal.h
ioctl.c
ioprio.c	block: Fix computation of merged request priority	2015-02-02 17:05:17 +08:00
Kconfig
Kconfig.binfmt
libfs.c	move d_rcu from overlapping d_child to overlapping d_alias	2015-04-14 17:33:58 +08:00
locks.c	locks: allow __break_lease to sleep even when break_time is 0	2014-05-13 14:11:31 +02:00
Makefile
mbcache.c
mount.h
mpage.c
namei.c	don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu()	2015-06-19 11:40:34 +08:00
namespace.c	mnt: Prevent pivot_root from creating a loop in the mount tree	2015-02-02 17:04:50 +08:00
no-block.c
open.c	vfs: canonicalize create mode in build_open_flags()	2012-09-14 10:00:05 -07:00
pipe.c	vfs: fix pipe counter breakage	2013-03-14 11:29:51 -07:00
pnode.c	get rid of propagate_umount() mistakenly treating slaves as busy.	2014-12-01 18:02:21 +08:00
pnode.h
posix_acl.c	posix_acl: handle NULL ACL in posix_acl_equiv_mode	2014-06-07 16:02:02 -07:00
proc_namespace.c
read_write.c
read_write.h
readdir.c
select.c	posix_types.h: Cleanup stale __NFDBITS and related definitions	2012-08-09 08:31:39 -07:00
seq_file.c	The following text was taken from the original review request:	2012-03-24 10:24:31 -07:00
signalfd.c
splice.c	splice: Apply generic position and size checks to each write	2015-06-19 11:40:32 +08:00
stack.c
stat.c	VFS: make vfs_fstat() use f[get|put]_light()	2014-06-07 16:02:04 -07:00
statfs.c	vfs: allow O_PATH file descriptors for fstatfs()	2013-10-22 09:02:25 +01:00
super.c	fs: Fix theoretical division by 0 in super_cache_scan().	2015-02-02 17:04:48 +08:00
sync.c
timerfd.c
utimes.c
xattr.c	fs/xattr.c:setxattr(): improve handling of allocation failures	2012-04-05 15:25:50 -07:00
xattr_acl.c