[PATCH openEuler-1.0-LTS 0/2] Fix CVE-2024-46826
Fix CVE-2024-46826 Alexey Dobriyan (1): ELF: fix kernel.randomize_va_space double read Gu Bowen (1): ELF: Fix mixed declarations and code of "snapshot_randomize_va_space" fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.25.1
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/12107 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12107 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F...
From: Alexey Dobriyan <adobriyan@gmail.com> stable inclusion from stable-v6.1.110 commit 1f81d51141a234ad0a3874b4d185dc27a521cd27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ] ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183 Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: fs/binfmt_elf.c [Context conflicts.] Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 4ba7495cf7d5..9df3a3757025 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -897,7 +897,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1161,7 +1162,7 @@ static int load_elf_binary(struct linux_binprm *bprm) current->mm->end_data = end_data; current->mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.25.1
Offering: HULK hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826 -------------------------------- Due to the use of the compilation instruction -Wdeclaration-after-statment, declaring snapshot_randomize_va_space here will generate a compilation warning, so move it up. Fixes: 2a97388a807b ("ELF: fix kernel.randomize_va_space double read") Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 9df3a3757025..5314ef0cfb63 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -730,6 +730,7 @@ static int load_elf_binary(struct linux_binprm *bprm) struct elfhdr interp_elf_ex; } *loc; struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE; + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); loff_t pos; loc = kmalloc(sizeof(*loc), GFP_KERNEL); @@ -897,7 +898,6 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; -- 2.25.1
participants (2)
-
Gu Bowen -
patchwork bot