Microblog entry
With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the area that is supposed to be the "gap" between the stack and the binary. Since the size of the "gap" on x86_64 is only guaranteed to be 128MB this means that binaries with large data segments > 128MB can end up mapping part of their data segment over their stack resulting in corruption of the stack (and the data segment once the binary starts to run). Any PIE binary with a data segment > 128MB is vulnerable to this although address randomization means that the actual gap between the stack and the end of the binary is normally greater than 128MB. The larger the data segment of the binary the higher the probability of failure. Fix this by calculating the total size of the binary in the same way as load_elf_interp().

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a87938b2e246b81b4fb713edb371a9fa3c5c3c86

#security #linux #sekurak #zaufanatrzeciastrona
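The arithmetic behind the commit message, as an added example that is not part of the post or of the kernel's own code. It models a top-down allocator in a few lines: before the fix, only the first PT_LOAD's own length is reserved below mmap_base, so the later segments land above it; after the fix, the span computed the way load_elf_interp() does (first PT_LOAD page-aligned start to end of the last PT_LOAD) is reserved, and the whole image ends at mmap_base. The program-header tables, the MMAP_BASE value, the 128MB gap constant and the simplified allocator are constructed assumptions for illustration, not values taken from a real binary or from the kernel.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE     4096ULL
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)
#define PT_LOAD       1
#define PT_PHDR       6

/* Only the Elf64_Phdr fields the calculation needs (constructed stand-in). */
struct phdr {
    uint32_t p_type;
    uint64_t p_vaddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
};

/* Indices of the first and last PT_LOAD; returns 0 if there is none. */
static int find_load_range(const struct phdr *ph, int n, int *first, int *last)
{
    *first = *last = -1;
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD)
            continue;
        if (*first < 0)
            *first = i;
        *last = i;
    }
    return *first >= 0;
}

/* Span from the page-aligned start of the first PT_LOAD to the end of the last:
 * the quantity load_elf_interp() reserves, which the fix makes load_elf_binary() use too. */
uint64_t total_mapping_size(const struct phdr *ph, int n)
{
    int first, last;
    if (!find_load_range(ph, n, &first, &last))
        return 0;
    return ph[last].p_vaddr + ph[last].p_memsz - (ph[first].p_vaddr & PAGE_MASK);
}

/* Simplified top-down allocator (assumption): hand out the highest page-aligned
 * range below mmap_base that fits `reserve` bytes and return the load bias. */
static uint64_t choose_load_bias(uint64_t mmap_base, uint64_t reserve, uint64_t first_vaddr)
{
    uint64_t map_addr = (mmap_base & PAGE_MASK) - PAGE_ALIGN(reserve);
    return map_addr - (first_vaddr & PAGE_MASK);
}

/* Highest address the whole image occupies once every PT_LOAD is placed at the bias
 * chosen for the first one. `fixed` selects the post-commit reservation size. */
uint64_t image_end(const struct phdr *ph, int n, uint64_t mmap_base, int fixed)
{
    int first, last;
    if (!find_load_range(ph, n, &first, &last))
        return 0;
    uint64_t reserve = fixed
        ? total_mapping_size(ph, n)
        /* pre-fix: only the first segment's own mapping length is requested */
        : ph[first].p_filesz + (ph[first].p_vaddr & ~PAGE_MASK);
    uint64_t bias = choose_load_bias(mmap_base, reserve, ph[first].p_vaddr);
    return bias + ph[last].p_vaddr + ph[last].p_memsz;
}

/* 1 if the image runs past the guaranteed gap above mmap_base, i.e. into the stack. */
int overlaps_stack(const struct phdr *ph, int n, uint64_t mmap_base, uint64_t gap, int fixed)
{
    return image_end(ph, n, mmap_base, fixed) > mmap_base + gap;
}

#define MMAP_BASE  0x7ffff7fff000ULL   /* constructed example value */
#define STACK_GAP  (128ULL << 20)      /* the 128MB minimum the message cites for x86_64 */

/* Constructed PIE layouts: a one-page text segment followed by a data segment
 * whose bss makes it 144MB (bigger than the gap) or 64MB (smaller than the gap). */
static const struct phdr big_pie[] = {
    { PT_PHDR, 0x40,     0x1c0,  0x1c0 },
    { PT_LOAD, 0x0,      0x1000, 0x1000 },
    { PT_LOAD, 0x201000, 0x1000, 144ULL << 20 },
};
static const struct phdr small_pie[] = {
    { PT_PHDR, 0x40,     0x1c0,  0x1c0 },
    { PT_LOAD, 0x0,      0x1000, 0x1000 },
    { PT_LOAD, 0x201000, 0x1000, 64ULL << 20 },
};
#define BIG_PIE_N   ((int)(sizeof big_pie / sizeof big_pie[0]))
#define SMALL_PIE_N ((int)(sizeof small_pie / sizeof small_pie[0]))

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("%s: image ends at 0x%" PRIx64 ", stack limit 0x%" PRIx64 ", overlap=%d\n",
               fixed ? "fixed " : "pre-fix",
               image_end(big_pie, BIG_PIE_N, MMAP_BASE, fixed),
               MMAP_BASE + STACK_GAP,
               overlaps_stack(big_pie, BIG_PIE_N, MMAP_BASE, STACK_GAP, fixed));
    return 0;
}
```

With the 144MB layout the pre-fix placement ends 0x1200000 bytes past mmap_base + gap, while the post-fix placement ends exactly at mmap_base. The 64MB layout shows the intermediate case the message describes: pre-fix it still spills above mmap_base into the gap, but does not reach the stack unless randomization leaves less room than the modelled minimum.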