From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 13 May 2020 06:05:40 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.19.123~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9b55e1f168464e141853055403ff948087a9b2b8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch
---

diff --git a/queue-4.9/binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch b/queue-4.9/binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch
new file mode 100644
index 00000000000..23b8fd5b4df
--- /dev/null
+++ b/queue-4.9/binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch
@@ -0,0 +1,39 @@
+From 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 26 Sep 2019 10:15:25 -0700
+Subject: binfmt_elf: Do not move brk for INTERP-less ET_EXEC
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 7be3cb019db1cbd5fd5ffe6d64a23fefa4b6f229 upstream.
+
+When brk was moved for binaries without an interpreter, it should have
+been limited to ET_DYN only. In other words, the special case was an
+ET_DYN that lacks an INTERP, not just an executable that lacks INTERP.
+The bug manifested for giant static executables, where the brk would end
+up in the middle of the text area on 32-bit architectures.
+
+Reported-and-tested-by: Richard Kojedzinszky <richard@kojedz.in>
+Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_elf.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1107,7 +1107,8 @@ static int load_elf_binary(struct linux_
+ 		 * (since it grows up, and may collide early with the stack
+ 		 * growing down), and into the unused ELF_ET_DYN_BASE region.
+ 		 */
+-		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && !interpreter)
++		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
++		    loc->elf_ex.e_type == ET_DYN && !interpreter)
+ 			current->mm->brk = current->mm->start_brk =
+ 				ELF_ET_DYN_BASE;
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index 7165d77ab38..ae2ce29d19a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -22,6 +22,7 @@ batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
 batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
 objtool-fix-stack-offset-tracking-for-indirect-cfas.patch
 scripts-decodecode-fix-trapping-instruction-formatting.patch
+binfmt_elf-do-not-move-brk-for-interp-less-et_exec.patch
 arm64-hugetlb-avoid-potential-null-dereference.patch
 ext4-add-cond_resched-to-ext4_protect_reserved_inode.patch
 net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch