summaryrefslogtreecommitdiff
path: root/rust/helpers/security.c
diff options
context:
space:
mode:
authorMichael Ellerman <mpe@ellerman.id.au>2024-12-16 23:17:06 +1100
committerMadhavan Srinivasan <maddy@linux.ibm.com>2024-12-18 13:41:57 +0530
commitf66dbe43798fc97e8c0e6d9b86f1aa923ef523fa (patch)
tree68b072347cc1d954bd68132579707ee8dfe0ee57 /rust/helpers/security.c
parente834166822a3c9fb403411c898367df8dabf973c (diff)
powerpc/64: Use get_user() in start_thread()
For ELFv1 binaries (big endian), the ELF entry point isn't the address of the first instruction, instead it points to the function descriptor for the entry point. The address of the first instruction is in the function descriptor. That means the kernel has to fetch the address of the first instruction from user memory. Because start_thread() uses __get_user(), which has no access_ok() checks, it looks like a malicious ELF binary could be crafted to point the entry point address at kernel memory. The kernel would load 8 bytes from kernel memory into the NIP and then start the process, it would typically crash, but a debugger could observe the NIP value which would be the result of reading from kernel memory. However that's NOT possible, because there is a check in load_elf_binary() that ensures the ELF entry point is < TASK_SIZE (look for BAD_ADDR(elf_entry)). However it's fragile for start_thread() to rely on a check elsewhere, even if the ELF parser is unlikely to ever drop the check that elf_entry is a user address. Make it more robust by using get_user(), which checks that the address points at userspace before doing the load. If the address doesn't point at userspace it will just set the result to zero, and the userspace program will crash at zero (which is fine because it's self-inflicted). Note that it's also possible for a malicious binary to have a valid ELF entry address, but with the first instruction address pointing into the kernel. However that's OK, because it is blocked by the MMU, just like any other attempt to jump into the kernel from userspace. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/20241216121706.26790-1-mpe@ellerman.id.au
Diffstat (limited to 'rust/helpers/security.c')
0 files changed, 0 insertions, 0 deletions