[PATCH OLK-5.10 0/2] Fix CVE-2024-46826
Fix CVE-2024-46826 Alexey Dobriyan (1): ELF: fix kernel.randomize_va_space double read Gu Bowen (1): ELF: Fix mixed declarations and code of "snapshot_randomize_va_space" fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.25.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/12102 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12102 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4...
From: Alexey Dobriyan <adobriyan@gmail.com> stable inclusion from stable-v6.1.110 commit 1f81d51141a234ad0a3874b4d185dc27a521cd27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ] ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183 Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 528d3bb0be53..3aa83977f9d6 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1005,7 +1005,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1275,7 +1276,7 @@ static int load_elf_binary(struct linux_binprm *bprm) mm->end_data = end_data; mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.25.1
hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826 -------------------------------- Due to the use of the compilation instruction -Wdeclaration-after-statment, declaring snapshot_randomize_va_space here will generate a compilation warning, so move it up. Fixes: 2a97388a807b ("ELF: fix kernel.randomize_va_space double read") Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 3aa83977f9d6..cac2c9511ff0 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -839,6 +839,7 @@ static int load_elf_binary(struct linux_binprm *bprm) struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE; struct mm_struct *mm; struct pt_regs *regs; + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); retval = -ENOEXEC; /* First of all, some simple consistency checks */ @@ -1005,7 +1006,6 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; -- 2.25.1
participants (2)
-
Gu Bowen -
patchwork bot