215275 – Kernel doesn't honor p_align of PT_LOAD segments in static PIE

Bug 215275 - Kernel doesn't honor p_align of PT_LOAD segments in static PIE

Summary: Kernel doesn't honor p_align of PT_LOAD segments in static PIE

Status:	NEW

Alias:	None

Product:	Other
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	other_other

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-12-09 01:10 UTC by H.J. Lu
Modified:	2022-03-22 02:26 UTC (History)
CC List:	3 users (show)

See Also:
Kernel Version:
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
A testcase (660 bytes, application/x-xz) 2021-12-09 01:10 UTC, H.J. Lu	Details
A patch to properly load static PIE (1.47 KB, patch) 2021-12-09 18:08 UTC, H.J. Lu	Details \| Diff
0001-fs-binfmt_elf-use-ELF_ET_DYN_BASE-for-PIE-ET_DYN-wit.patch (2.58 KB, patch) 2022-01-31 18:42 UTC, Azat Khuzhin	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description H.J. Lu 2021-12-09 01:10:31 UTC

Created attachment 299951 [details]
A testcase

[hjl@gnu-cfl-2 aligned-1]$ make
gcc -pie -fPIE -Wl,-z,max-page-size=0x200000 -O2 -o pie main.c load.c
gcc -static-pie -fPIE -Wl,-z,max-page-size=0x200000 -O2 -o static-pie main.c load.c
gcc -no-pie -Wl,-z,max-page-size=0x200000 -O2 -o pde main.c load.c
./pde
foo: 0xe00000
./pie
foo: 0x5562eb800000
./static-pie
foo: 0x7f5c48e89000
make: *** [Makefile:8: all] Aborted (core dumped)
[hjl@gnu-cfl-2 aligned-1]$ 

For PIE, kernel handles it correctly:

                         */
                        if (interpreter) {
                                load_bias = ELF_ET_DYN_BASE;
                                if (current->flags & PF_RANDOMIZE)
                                        load_bias += arch_mmap_rnd();
                                alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
                                if (alignment)
                                        load_bias &= ~(alignment - 1);
                                elf_flags |= MAP_FIXED;
                        } else 

but static PIE isn't handled correctly.

Comment 1 H.J. Lu 2021-12-09 18:08:25 UTC

Created attachment 299973 [details]
A patch to properly load static PIE

Comment 2 Azat Khuzhin 2022-01-31 18:42:58 UTC

Created attachment 300364 [details]
0001-fs-binfmt_elf-use-ELF_ET_DYN_BASE-for-PIE-ET_DYN-wit.patch

H.J. Lu, Hi!

This patch [1] breaks PIE binaries.

Here is a reproducer - https://gist.github.com/azat/45cdfb46a70474449972258fce0010cf

In pre 5.17-rc1: it successfully executes inner() function to the maximum stack size

After this patch: it fails earlier due to address overlap.

  [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9630f0d60fec5fbcaa4435a66f75df1dc9704b66

How about patch from the attachment?

--
Regards,
Azat.

Comment 3 H.J. Lu 2022-01-31 20:05:03 UTC

(In reply to Azat Khuzhin from comment #2)
> Created attachment 300364 [details]
> 0001-fs-binfmt_elf-use-ELF_ET_DYN_BASE-for-PIE-ET_DYN-wit.patch
> 
> H.J. Lu, Hi!
> 
> This patch [1] breaks PIE binaries.
> 
> Here is a reproducer -
> https://gist.github.com/azat/45cdfb46a70474449972258fce0010cf
> 
> In pre 5.17-rc1: it successfully executes inner() function to the maximum
> stack size
> 
> After this patch: it fails earlier due to address overlap.
> 
>   [1]:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=9630f0d60fec5fbcaa4435a66f75df1dc9704b66
> 
> How about patch from the attachment?
> 

Yes, the patch looks correct.  Thanks.

Comment 4 Victor Stinner 2022-03-22 02:26:17 UTC

The commit 9630f0d60fec5fbcaa4435a66f75df1dc9704b66 introduced a brk() regression in Linux 5.17 on AArch64:
https://bugzilla.kernel.org/show_bug.cgi?id=215720

Note You need to log in before you can comment on or make changes to this bug.