4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 13 May 2020 06:05:40 +0000 (08:05 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 13 May 2020 06:05:40 +0000 (08:05 +0200)
added patches:
binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch

queue-4.9/binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch b/queue-4.9/binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch
new file mode 100644 (file)
index 0000000..23b8fd5
--- /dev/null
@@ -0,0 +1,39 @@
+From 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 26 Sep 2019 10:15:25 -0700
+Subject: binfmt_elf: Do not move brk for INTERP-less ET_EXEC
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 upstream.
+
+When brk was moved for binaries without an interpreter, it should have
+been limited to ET_DYN only. In other words, the special case was an
+ET_DYN that lacks an INTERP, not just an executable that lacks INTERP.
+The bug manifested for giant static executables, where the brk would end
+up in the middle of the text area on 32-bit architectures.
+
+Reported-and-tested-by: Richard Kojedzinszky <richard@kojedz.in>
+Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_elf.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1107,7 +1107,8 @@ static int load_elf_binary(struct linux_
+                * (since it grows up, and may collide early with the stack
+                * growing down), and into the unused ELF_ET_DYN_BASE region.
+                */
+-              if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && !interpreter)
++              if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
++                  loc->elf_ex.e_type == ET_DYN && !interpreter)
+                       current->mm->brk = current->mm->start_brk =
+                               ELF_ET_DYN_BASE;
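Review bot: The comment directly above the changed condition, whose opening lines lie outside the hunk, still justifies moving brk only as "executing a loader directly", so it no longer explains why the `if` now also requires `loc->elf_ex.e_type == ET_DYN` and why an interpreter-less ET_EXEC has to be left alone. I would extend the last comment line to `* growing down), and into the unused ELF_ET_DYN_BASE region. Only an ET_DYN object qualifies: an interpreter-less ET_EXEC is mapped at its own fixed address and a large static one may already have text covering ELF_ET_DYN_BASE, which is the collision the Fixes: commit introduced.` The new guard presumably relies on load_elf_binary having already rejected every e_type other than ET_EXEC or ET_DYN earlier in the function; that check is not in the hunk, so it is worth confirming in the 4.9 tree when applying this backport. Note that ELF_ET_DYN_BASE is a fixed address, so whether the relocated brk in the remaining ET_DYN case is still randomized depends on the arch_randomize_brk handling that follows this block, which is also outside the hunk. load_elf_binary starts and ends outside the hunk.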
index 7165d77ab38242d8def7eb9dccc9d1b0675c3e11..ae2ce29d19aa1c74e9fb1bac153b7cec417af803 100644 (file)
@@ -22,6 +22,7 @@ batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
 batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
 objtool-fix-stack-offset-tracking-for-indirect-cfas.patch
 scripts-decodecode-fix-trapping-instruction-formatting.patch
+binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch
 arm64-hugetlb-avoid-potential-null-dereference.patch
 ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch
 net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch