Fix CVE-2024-46826
Alexey Dobriyan (1): ELF: fix kernel.randomize_va_space double read
Gu Bowen (1): ELF: Fix mixed declarations and code of "snapshot_randomize_va_space"
fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/12220 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/U...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12220 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/U...
From: Alexey Dobriyan adobriyan@gmail.com
stable inclusion from stable-v6.1.110 commit 1f81d51141a234ad0a3874b4d185dc27a521cd27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ]
ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences.
Issue exactly one load for consistent value across one exec.
Signed-off-by: Alexey Dobriyan adobriyan@gmail.com Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183 Signed-off-by: Kees Cook kees@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: fs/binfmt_elf.c [Context conflicts.] Signed-off-by: Gu Bowen gubowen5@huawei.com --- fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 4ba7495cf7d5..9df3a3757025 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -897,7 +897,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC;
- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE;
setup_new_exec(bprm); @@ -1161,7 +1162,7 @@ static int load_elf_binary(struct linux_binprm *bprm) current->mm->end_data = end_data; current->mm->start_stack = bprm->p;
- if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF
hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826
--------------------------------
Due to the use of the compilation instruction -Wdeclaration-after-statment, declaring snapshot_randomize_va_space here will generate a compilation warning, so move it up.
Fixes: 2a97388a807b ("ELF: fix kernel.randomize_va_space double read") Signed-off-by: Gu Bowen gubowen5@huawei.com --- fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 9df3a3757025..5314ef0cfb63 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -730,6 +730,7 @@ static int load_elf_binary(struct linux_binprm *bprm) struct elfhdr interp_elf_ex; } *loc; struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE; + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); loff_t pos;
loc = kmalloc(sizeof(*loc), GFP_KERNEL); @@ -897,7 +898,6 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC;
- const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE;