exec, elf: require opt-in for accepting preserved mem

Don't copy preserved VMAs to the binary being exec'd unless the binary
has a "preserved-mem-ok" ELF note.

Orabug: 32387884
Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
(cherry picked from commit aeea589)
Signed-off-by: Jack Vogel <jack.vogel@oracle.com>

Author: Anthony Yznaga

fs/binfmt_elf.c

@@ -678,6 +678,82 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
  * libraries.  There is no binary dependent code anywhere else.
  */
 
+static int get_elf_notes(struct linux_binprm *bprm, struct elf_phdr *phdr, char **notes, size_t *notes_sz)
+{
+	char *data;
+	size_t datasz;
+	loff_t pos;
+	int ret;
+
+	if (!phdr)
+		return 0;
+
+	datasz = phdr->p_filesz;
+	if ((datasz > MAX_FILE_NOTE_SIZE) || (datasz < sizeof(struct elf_note)))
+		return -ENOEXEC;
+
+	data = kvmalloc(datasz, GFP_KERNEL);
+	if (!data)
+		return -ENOMEM;
+
+	pos = phdr->p_offset;
+	ret = kernel_read(bprm->file, data, datasz, &pos);
+	if (ret != datasz) {
+		if (ret >= 0)
+			ret = -EIO;
+		kvfree(data);
+		return ret;
+	}
+
+	*notes = data;
+	*notes_sz = datasz;
+	return 0;
+}
+
+#define PRESERVED_MEM_OK_STRING		"preserved-mem-ok"
+#define SZ_PRESERVED_MEM_OK_STRING	sizeof(PRESERVED_MEM_OK_STRING)
+
+static int check_preserved_mem_ok(struct linux_binprm *bprm, const char *data, const size_t datasz)
+{
+	size_t off = 0;
+	size_t remain;
+
+	if (!data)
+		return 0;
+
+	while (off < datasz) {
+		const struct elf_note *nhdr;
+		const char *name;
+
+		remain = datasz - off;
+
+		if (remain < sizeof(*nhdr))
+			return -ENOEXEC;
+
+		nhdr = (struct elf_note *)(data + off);
+		off += sizeof(*nhdr);
+		remain -= sizeof(*nhdr);
+
+		if (nhdr->n_type != 0x07c1feed) {
+			off += roundup(nhdr->n_namesz, 4) + roundup(nhdr->n_descsz, 4);
+			continue;
+		}
+
+		if (nhdr->n_namesz > SZ_PRESERVED_MEM_OK_STRING)
+			return -ENOEXEC;
+
+		name =  data + off;
+		if (remain < SZ_PRESERVED_MEM_OK_STRING ||
+		    strncmp(name, PRESERVED_MEM_OK_STRING, SZ_PRESERVED_MEM_OK_STRING))
+			return -ENOEXEC;
+
+		bprm->accepts_preserved_mem = 1;
+		break;
+	}
+
+	return 0;
+}
+
 #define MAX_RSVD_VA_RANGES	64
 #define RSVD_VA_STRING		"Reserved VA"
 #define SZ_RSVD_VA_STRING	sizeof(RSVD_VA_STRING)
@@ -784,6 +860,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
 	int load_addr_set = 0;
 	unsigned long error;
 	struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
+	struct elf_phdr *elf_notes_phdata = NULL;
+	char *elf_notes = NULL;
+	size_t elf_notes_sz = 0;
 	unsigned long elf_bss, elf_brk;
 	int bss_prot = 0;
 	int retval, i;
@@ -899,6 +978,10 @@ static int load_elf_binary(struct linux_binprm *bprm)
 				executable_stack = EXSTACK_DISABLE_X;
 			break;
 
+		case PT_NOTE:
+			elf_notes_phdata = elf_ppnt;
+			break;
+
 		case PT_LOPROC ... PT_HIPROC:
 			retval = arch_elf_pt_proc(&loc->elf_ex, elf_ppnt,
 						  bprm->file, false,
@@ -950,6 +1033,14 @@ static int load_elf_binary(struct linux_binprm *bprm)
 	if (retval)
 		goto out_free_dentry;
 
+	retval = get_elf_notes(bprm, elf_notes_phdata, &elf_notes, &elf_notes_sz);
+	if (retval)
+		goto out_free_dentry;
+
+	retval = check_preserved_mem_ok(bprm, elf_notes, elf_notes_sz);
+	if (retval)
+		goto out_free_dentry;
+
 	/* Flush all traces of the currently running executable */
 	retval = flush_old_exec(bprm);
 	if (retval)
@@ -1226,6 +1317,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		}
 	}
 
+	kvfree(elf_notes);
 	kfree(interp_elf_phdata);
 	kfree(elf_phdata);
 
@@ -1306,6 +1398,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 	if (interpreter)
 		fput(interpreter);
 out_free_ph:
+	kvfree(elf_notes);
 	kfree(elf_phdata);
 	goto out;
 }

fs/exec.c

@@ -1025,10 +1025,11 @@ static int vma_dup_some(struct mm_struct *old_mm, struct mm_struct *new_mm)
  * On success, this function returns with exec_update_lock
  * held for writing.
  */
-static int exec_mmap(struct mm_struct *mm)
+static int exec_mmap(struct linux_binprm *bprm)
 {
 	struct task_struct *tsk;
 	struct mm_struct *old_mm, *active_mm;
+	struct mm_struct *mm = bprm->mm;
 	int ret;
 
 	/* Notify parent that we're no longer interested in the old VM */
@@ -1054,11 +1055,13 @@ static int exec_mmap(struct mm_struct *mm)
 			up_write(&tsk->signal->exec_update_lock);
 			return -EINTR;
 		}
-		ret = vma_dup_some(old_mm, mm);
-		if (ret) {
-			up_read(&old_mm->mmap_sem);
-			up_write(&tsk->signal->exec_update_lock);
-			return ret;
+		if (bprm->accepts_preserved_mem) {
+			ret = vma_dup_some(old_mm, mm);
+			if (ret) {
+				up_read(&old_mm->mmap_sem);
+				up_write(&tsk->signal->exec_update_lock);
+				return ret;
+			}
 		}
 	}
 
@@ -1324,7 +1327,7 @@ int flush_old_exec(struct linux_binprm * bprm)
 	 * Release all of the old mmap stuff
 	 */
 	acct_arg_size(bprm, 0);
-	retval = exec_mmap(bprm->mm);
+	retval = exec_mmap(bprm);
 	if (retval)
 		goto out;
 

include/linux/binfmts.h

@@ -59,6 +59,12 @@ struct linux_binprm {
 #ifdef __alpha__
 	unsigned int taso:1;
 #endif
+	/*
+	 * Set if the binary being exec'd will accept memory marked
+	 * for preservation by the outgoing process.
+	 */
+	UEK_KABI_FILL_HOLE(unsigned int accepts_preserved_mem:1)
+
 	unsigned int recursion_depth; /* only for search_binary_handler() */
 	struct file * file;
 	struct cred *cred;	/* new credentials */