binfmt_elf: Leave a gap between .bss and brk

kees · kees · commit 2a5eb9995528 · 2024-04-24T12:20:35.000-07:00
Currently the brk starts its randomization immediately after .bss, which means there is a chance that when the random offset is 0, linear overflows from .bss can reach into the brk area. Leave at least a single page gap between .bss and brk (when it has not already been explicitly relocated into the mmap range). Reported-by: <y0un9n132@gmail.com> Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/ Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org Signed-off-by: Kees Cook <keescook@chromium.org>
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
 		    elf_ex->e_type == ET_DYN && !interpreter) {
 			mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
+		} else {
+			/* Otherwise leave a gap between .bss and brk. */
+			mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
 		}
 
 		mm->brk = mm->start_brk = arch_randomize_brk(mm);

Original file line number	Diff line number	Diff line change
`@@ -1262,6 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)`
`1262`	`1262`	`if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&`
`1263`	`1263`	`elf_ex->e_type == ET_DYN && !interpreter) {`
`1264`	`1264`	`mm->brk = mm->start_brk = ELF_ET_DYN_BASE;`
	`1265`	`+ } else {`
	`1266`	`+ /* Otherwise leave a gap between .bss and brk. */`
	`1267`	`+ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;`
`1265`	`1268`	`}`
`1266`	`1269`
`1267`	`1270`	`mm->brk = mm->start_brk = arch_randomize_brk(mm);`