releases/4.19.208/prctl-allow-to-setup-brk-for-et_dyn-executables.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From e1fbbd073137a9d63279f6bf363151a938347640 Mon Sep 17 00:00:00 2001
 From: Cyrill Gorcunov <gorcunov@gmail.com>
 Date: Tue, 7 Sep 2021 20:00:41 -0700
 Subject: prctl: allow to setup brk for et_dyn executables

 From: Cyrill Gorcunov <gorcunov@gmail.com>

 commit e1fbbd073137a9d63279f6bf363151a938347640 upstream.

 Keno Fischer reported that when a binray loaded via ld-linux-x the
 prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays
 before mm:end_data.

 For example a test program shows

  | # ~/t
  |
  | start_code      401000
  | end_code        401a15
  | start_stack     7ffce4577dd0
  | start_data	   403e10
  | end_data        40408c
  | start_brk	   b5b000
  | sbrk(0)         b5b000

 and when executed via ld-linux

  | # /lib64/ld-linux-x86-64.so.2 ~/t
  |
  | start_code      7fc25b0a4000
  | end_code        7fc25b0c4524
  | start_stack     7fffcc6b2400
  | start_data	   7fc25b0ce4c0
  | end_data        7fc25b0cff98
  | start_brk	   55555710c000
  | sbrk(0)         55555710c000

 This of course prevent criu from restoring such programs.  Looking into
 how kernel operates with brk/start_brk inside brk() syscall I don't see
 any problem if we allow to setup brk/start_brk without checking for
 end_data.  Even if someone pass some weird address here on a purpose then
 the worst possible result will be an unexpected unmapping of existing vma
 (own vma, since prctl works with the callers memory) but test for
 RLIMIT_DATA is still valid and a user won't be able to gain more memory in
 case of expanding VMAs via new values shipped with prctl call.

 Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain
 Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
 Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
 Reported-by: Keno Fischer <keno@juliacomputing.com>
 Acked-by: Andrey Vagin <avagin@gmail.com>
 Tested-by: Andrey Vagin <avagin@gmail.com>
 Cc: Dmitry Safonov <0x7f454c46@gmail.com>
 Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
 Cc: Eric W. Biederman <ebiederm@xmission.com>
 Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
 Cc: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  kernel/sys.c |    7 -------
  1 file changed, 7 deletions(-)

 --- a/kernel/sys.c
 +++ b/kernel/sys.c
 @@ -1932,13 +1932,6 @@ static int validate_prctl_map(struct prc
  	error = -EINVAL;

  	/*
 -	 * @brk should be after @end_data in traditional maps.
 -	 */
 -	if (prctl_map->start_brk <= prctl_map->end_data ||
 -	    prctl_map->brk <= prctl_map->end_data)
 -		goto out;
 -
 -	/*
  	 * Neither we should allow to override limits if they set.
  	 */
  	if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk,
	From e1fbbd073137a9d63279f6bf363151a938347640 Mon Sep 17 00:00:00 2001
	From: Cyrill Gorcunov <gorcunov@gmail.com>
	Date: Tue, 7 Sep 2021 20:00:41 -0700
	Subject: prctl: allow to setup brk for et_dyn executables

	From: Cyrill Gorcunov <gorcunov@gmail.com>

	commit e1fbbd073137a9d63279f6bf363151a938347640 upstream.

	Keno Fischer reported that when a binray loaded via ld-linux-x the
	prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays
	before mm:end_data.

	For example a test program shows

	\| # ~/t
	\|
	\| start_code 401000
	\| end_code 401a15
	\| start_stack 7ffce4577dd0
	\| start_data 403e10
	\| end_data 40408c
	\| start_brk b5b000
	\| sbrk(0) b5b000

	and when executed via ld-linux

	\| # /lib64/ld-linux-x86-64.so.2 ~/t
	\|
	\| start_code 7fc25b0a4000
	\| end_code 7fc25b0c4524
	\| start_stack 7fffcc6b2400
	\| start_data 7fc25b0ce4c0
	\| end_data 7fc25b0cff98
	\| start_brk 55555710c000
	\| sbrk(0) 55555710c000

	This of course prevent criu from restoring such programs. Looking into
	how kernel operates with brk/start_brk inside brk() syscall I don't see
	any problem if we allow to setup brk/start_brk without checking for
	end_data. Even if someone pass some weird address here on a purpose then
	the worst possible result will be an unexpected unmapping of existing vma
	(own vma, since prctl works with the callers memory) but test for
	RLIMIT_DATA is still valid and a user won't be able to gain more memory in
	case of expanding VMAs via new values shipped with prctl call.

	Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain
	Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
	Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
	Reported-by: Keno Fischer <keno@juliacomputing.com>
	Acked-by: Andrey Vagin <avagin@gmail.com>
	Tested-by: Andrey Vagin <avagin@gmail.com>
	Cc: Dmitry Safonov <0x7f454c46@gmail.com>
	Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
	Cc: Eric W. Biederman <ebiederm@xmission.com>
	Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
	Cc: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	kernel/sys.c \| 7 -------
	1 file changed, 7 deletions(-)

	--- a/kernel/sys.c
	+++ b/kernel/sys.c
	@@ -1932,13 +1932,6 @@ static int validate_prctl_map(struct prc
	error = -EINVAL;

	/*
	- * @brk should be after @end_data in traditional maps.
	- */
	- if (prctl_map->start_brk <= prctl_map->end_data \|\|
	- prctl_map->brk <= prctl_map->end_data)
	- goto out;
	-
	- /*
	* Neither we should allow to override limits if they set.
	*/
	if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk,