Please note that this patch applies cleanly to Ubuntu 14.10's Linux kernel sources (3.16, specifically). Patches being submitted for consideration on the Linux kernel mailing list are not kept here, and are made against the current mainline (3.19 at the time of this writing). If you want those, get them from the mailing list. You probably don't want the below patch unless you're experimenting with a stable (and older) kernel. diff -ruBb linux-3.16.0-orig/fs/binfmt_elf.c linux-3.16.0/fs/binfmt_elf.c --- linux-3.16.0-orig/fs/binfmt_elf.c 2014-08-03 15:25:02.000000000 -0700 +++ linux-3.16.0/fs/binfmt_elf.c 2015-03-01 20:04:12.561648371 -0800 @@ -47,7 +47,7 @@ static int load_elf_binary(struct linux_binprm *bprm); static unsigned long elf_map(struct file *, unsigned long, struct elf_phdr *, - int, int, unsigned long); + int, int, unsigned long, unsigned long); #ifdef CONFIG_USELIB static int load_elf_library(struct file *); @@ -334,7 +334,7 @@ static unsigned long elf_map(struct file *filep, unsigned long addr, struct elf_phdr *eppnt, int prot, int type, - unsigned long total_size) + unsigned long total_size, unsigned long base_offset) { unsigned long map_addr; unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr); @@ -357,11 +357,12 @@ */ if (total_size) { total_size = ELF_PAGEALIGN(total_size); - map_addr = vm_mmap(filep, addr, total_size, prot, type, off); + map_addr = vm_mmap(filep, addr, total_size, prot, type, + off + base_offset); if (!BAD_ADDR(map_addr)) vm_munmap(map_addr+size, total_size-size); } else - map_addr = vm_mmap(filep, addr, size, prot, type, off); + map_addr = vm_mmap(filep, addr, size, prot, type, off + base_offset); return(map_addr); } @@ -394,7 +395,7 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, struct file *interpreter, unsigned long *interp_map_addr, - unsigned long no_base) + unsigned long no_base, unsigned long base_offset) { struct elf_phdr *elf_phdata; struct elf_phdr *eppnt; @@ -432,7 +433,7 @@ if (!elf_phdata) goto out; - retval = kernel_read(interpreter, interp_elf_ex->e_phoff, + retval = kernel_read(interpreter, interp_elf_ex->e_phoff + base_offset, (char *)elf_phdata, size); error = -EIO; if (retval != size) { @@ -468,7 +469,8 @@ load_addr = -vaddr; map_addr = elf_map(interpreter, load_addr + vaddr, - eppnt, elf_prot, elf_type, total_size); + eppnt, elf_prot, elf_type, total_size, + base_offset); total_size = 0; if (!*interp_map_addr) *interp_map_addr = map_addr; @@ -568,6 +570,94 @@ #endif } +/* + * See if we're a valid FatELF binary, find the right record, and + * load (*elf) with the actual ELF header. Sets (*offset) to the + * base offset of the chosen ELF binary. Returns 0 on success or a negative + * error code. + * If we're not a FatELF binary, (*elf) is loaded with the existing contents + * of (buf) and 0 is returned. + */ +static int examine_fatelf(struct file *file, const char *filename, char *buf, + int buflen, unsigned long *offset, struct elfhdr *elf) +{ + int records, i, rc; + const fatelf_hdr *fatelf = (fatelf_hdr *) buf; + + if (likely(le32_to_cpu(fatelf->magic) != FATELF_MAGIC)) { + *elf = *((struct elfhdr *)buf); /* treat like normal ELF. */ + return 0; /* not a FatELF binary; not an error. */ + } else if (unlikely(le16_to_cpu(fatelf->version) != 1)) { + return -ENOEXEC; /* Unrecognized format version. */ + } + + /* + * In theory, there could be 255 separate records packed into this + * binary, but for now, bprm->buf (128 bytes) holds exactly 5 + * records with the fatelf header, and that seems reasonable for + * most uses. We could add the complexity to read more records later + * if there's a serious need. + */ + records = (int) fatelf->num_records; /* uint8, no byteswap needed */ + + if (unlikely(records > 5)) { + records = 5; /* clamp, in case we find one we can use. */ + } + + for (i = 0; i < records; i++) { + const fatelf_record *record = &fatelf->records[i]; + const __u8 osabi = record->osabi; + const int abiok = likely( likely(osabi == ELFOSABI_NONE) || + unlikely(osabi == ELFOSABI_LINUX) ); + + /* Fill in the data elf_check_arch() might care about. */ + elf->e_ident[EI_OSABI] = record->osabi; + elf->e_ident[EI_CLASS] = record->word_size; + elf->e_ident[EI_DATA] = record->byte_order; + elf->e_machine = le16_to_cpu(record->machine); + + if (likely(!elf_check_arch(elf))) { + continue; /* Unsupported CPU architecture. */ + } else if (unlikely(!abiok)) { + continue; /* Unsupported OS ABI. */ + } else if (unlikely(record->osabi_version != 0)) { + continue; /* Unsupported OS ABI version. */ + } else { + /* We can support this ELF arch/abi. */ + const __u64 rec_offset = le64_to_cpu(record->offset); + const __u64 rec_size = le64_to_cpu(record->size); + const __u64 end_offset = rec_offset + rec_size; + const unsigned long uloff = (unsigned long) rec_offset; + + if (unlikely(end_offset < rec_offset)) { + continue; /* overflow (corrupt file?) */ + } else if (unlikely(ELF_PAGEOFFSET(uloff) != 0)) { + continue; /* bad alignment. */ + } + +#if BITS_PER_LONG == 32 + if (unlikely(end_offset > 0xFFFFFFFF)) { + continue; + } +#endif + + /* replace the FatELF data with the real ELF header. */ + rc = kernel_read(file, uloff, (char*) elf, sizeof(*elf)); + if (unlikely((rc != sizeof(*elf)) && (rc >= 0))) { + rc = -EIO; + } else if (likely(rc == sizeof(*elf))) { + *offset = uloff; + rc = 0; + } + + return rc; + } + } + + return -ENOEXEC; /* no binaries we could use. */ +} + + static int load_elf_binary(struct linux_binprm *bprm) { struct file *interpreter = NULL; /* to shut gcc up */ @@ -579,6 +669,8 @@ unsigned long elf_bss, elf_brk; int retval, i; unsigned int size; + unsigned long base_offset = 0; + unsigned long interp_base_offset = 0; unsigned long elf_entry; unsigned long interp_load_addr = 0; unsigned long start_code, end_code, start_data, end_data; @@ -596,8 +688,11 @@ goto out_ret; } - /* Get the exec-header */ - loc->elf_ex = *((struct elfhdr *)bprm->buf); + retval = examine_fatelf(bprm->file, bprm->filename, bprm->buf, + BINPRM_BUF_SIZE, &base_offset, &loc->elf_ex); + if (unlikely(retval < 0)) { + goto out_ret; + } retval = -ENOEXEC; /* First of all, some simple consistency checks */ @@ -623,7 +718,7 @@ if (!elf_phdata) goto out; - retval = kernel_read(bprm->file, loc->elf_ex.e_phoff, + retval = kernel_read(bprm->file, loc->elf_ex.e_phoff + base_offset, (char *)elf_phdata, size); if (retval != size) { if (retval >= 0) @@ -657,7 +752,8 @@ if (!elf_interpreter) goto out_free_ph; - retval = kernel_read(bprm->file, elf_ppnt->p_offset, + retval = kernel_read(bprm->file, + elf_ppnt->p_offset + base_offset, elf_interpreter, elf_ppnt->p_filesz); if (retval != elf_ppnt->p_filesz) { @@ -690,8 +786,13 @@ goto out_free_dentry; } - /* Get the exec headers */ - loc->interp_elf_ex = *((struct elfhdr *)bprm->buf); + retval = examine_fatelf(interpreter, elf_interpreter, + bprm->buf, BINPRM_BUF_SIZE, + &interp_base_offset, + &loc->interp_elf_ex); + if (unlikely(retval < 0)) { + goto out_free_dentry; + } break; } elf_ppnt++; @@ -818,7 +919,7 @@ } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, - elf_prot, elf_flags, 0); + elf_prot, elf_flags, 0, base_offset); if (BAD_ADDR(error)) { send_sig(SIGKILL, current, 0); retval = IS_ERR((void *)error) ? @@ -899,7 +1000,7 @@ elf_entry = load_elf_interp(&loc->interp_elf_ex, interpreter, &interp_map_addr, - load_bias); + load_bias, interp_base_offset); if (!IS_ERR((void *)elf_entry)) { /* * load_elf_interp() returns relocation @@ -1016,11 +1117,19 @@ unsigned long elf_bss, bss, len; int retval, error, i, j; struct elfhdr elf_ex; + unsigned long base_offset = 0; + char buf[BINPRM_BUF_SIZE]; - error = -ENOEXEC; - retval = kernel_read(file, 0, (char *)&elf_ex, sizeof(elf_ex)); - if (retval != sizeof(elf_ex)) + retval = kernel_read(file, 0, buf, sizeof(buf)); + if (unlikely(retval != sizeof(buf))) { + error = (retval >= 0) ? -EIO : retval; goto out; + } + error = examine_fatelf(file, 0, buf, sizeof(buf), &base_offset, &elf_ex); + if (unlikely(retval < 0)) { + goto out; + } + error = -ENOEXEC; if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0) goto out; @@ -1042,7 +1151,8 @@ eppnt = elf_phdata; error = -ENOEXEC; - retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j); + retval = kernel_read(file, elf_ex.e_phoff + base_offset, + (char *)eppnt, j); if (retval != j) goto out_free_ph; @@ -1063,7 +1173,7 @@ PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, (eppnt->p_offset - - ELF_PAGEOFFSET(eppnt->p_vaddr))); + ELF_PAGEOFFSET(eppnt->p_vaddr)) + base_offset); if (error != ELF_PAGESTART(eppnt->p_vaddr)) goto out_free_ph; diff -ruBb linux-3.16.0-orig/include/uapi/linux/elf.h linux-3.16.0/include/uapi/linux/elf.h --- linux-3.16.0-orig/include/uapi/linux/elf.h 2014-08-03 15:25:02.000000000 -0700 +++ linux-3.16.0/include/uapi/linux/elf.h 2015-03-01 20:02:48.341645861 -0800 @@ -414,4 +414,27 @@ Elf64_Word n_type; /* Content type */ } Elf64_Nhdr; +/* FatELF (multiple ELF binaries in one file) support */ +#define FATELF_MAGIC (0x1F0E70FA) + +typedef struct fatelf_record { + __le16 machine; /* maps to e_machine */ + __u8 osabi; /* maps to e_ident[EI_OSABI] */ + __u8 osabi_version; /* maps to e_ident[EI_ABIVERSION] */ + __u8 word_size; /* maps to e_ident[EI_CLASS] */ + __u8 byte_order; /* maps to e_ident[EI_DATA] */ + __u8 reserved0; + __u8 reserved1; + __le64 offset; + __le64 size; +} fatelf_record; + +typedef struct fatelf_hdr { + __le32 magic; + __le16 version; + __u8 num_records; + __u8 reserved0; + fatelf_record records[]; +} fatelf_hdr; + #endif /* _UAPI_LINUX_ELF_H */ diff -ruBb linux-3.16.0-orig/kernel/module.c linux-3.16.0/kernel/module.c --- linux-3.16.0-orig/kernel/module.c 2015-03-01 19:57:06.000000000 -0800 +++ linux-3.16.0/kernel/module.c 2015-03-01 20:02:48.341645861 -0800 @@ -172,7 +172,8 @@ EXPORT_SYMBOL(unregister_module_notifier); struct load_info { - Elf_Ehdr *hdr; + Elf_Ehdr *hdr_alloc; /* returned from vmalloc */ + Elf_Ehdr *hdr; /* adjusted hdr_alloc for FatELF */ unsigned long len; Elf_Shdr *sechdrs; char *secstrings, *strtab; @@ -2485,6 +2486,61 @@ return 0; } +/* + * See if we're a valid FatELF binary, find the right record, and + * return the offset of that record within the binary. Returns NULL if there's + * a problem, or a pointer to the real ELF header if we're okay. + * If we don't see the FatELF magic number, we assume this is a regular ELF + * binary and let the regular ELF checks handle it. + * + * This is a simplified version of examine_fatelf in fs/binfmt_elf.c + */ +static Elf_Ehdr *examine_fatelf_module(const unsigned char *hdr, + const unsigned long len) +{ + Elf_Ehdr elf; + int records, i; + const fatelf_hdr *fatelf = (const fatelf_hdr *) hdr; + + if (likely(le32_to_cpu(fatelf->magic) != FATELF_MAGIC)) { + return (Elf_Ehdr *) hdr; /* not FatELF; not an error. */ + } else if (unlikely(le16_to_cpu(fatelf->version) != 1)) { + return NULL; /* Unrecognized format version. */ + } + + memset(&elf, 0, sizeof (elf)); + + records = (int) fatelf->num_records; /* uint8, no byteswap needed */ + for (i = 0; i < records; i++) { + const fatelf_record *record = &fatelf->records[i]; + + /* Fill in the data elf_check_arch() might care about. */ + elf.e_ident[EI_OSABI] = record->osabi; + elf.e_ident[EI_CLASS] = record->word_size; + elf.e_ident[EI_DATA] = record->byte_order; + elf.e_machine = le16_to_cpu(record->machine); + + if (likely(!elf_check_arch(&elf))) { + continue; /* Unsupported CPU architecture. */ + } else { + const __u64 rec_offset = le64_to_cpu(record->offset); + const __u64 rec_size = le64_to_cpu(record->size); + const __u64 end_offset = rec_offset + rec_size; + const unsigned long uloff = (unsigned long) rec_offset; + + if (unlikely(end_offset < rec_offset)) { + continue; /* overflow (corrupt file?)... */ + } else if (unlikely(end_offset > len)) { + continue; /* past EOF. */ + } + + return (Elf_Ehdr *) (hdr + uloff); + } + } + + return NULL; /* no binaries we could use. */ +} + /* Sets info->hdr and info->len. */ static int copy_module_from_user(const void __user *umod, unsigned long len, struct load_info *info) @@ -2500,15 +2556,22 @@ return err; /* Suck in entire file: we'll want most of it. */ - info->hdr = vmalloc(info->len); - if (!info->hdr) + info->hdr_alloc = vmalloc(info->len); + if (!info->hdr_alloc) return -ENOMEM; - if (copy_from_user(info->hdr, umod, info->len) != 0) { - vfree(info->hdr); + if (copy_from_user(info->hdr_alloc, umod, info->len) != 0) { + vfree(info->hdr_alloc); return -EFAULT; } + /* returns the actual ELF header (whether or not this was FatELF). */ + info->hdr = examine_fatelf_module((unsigned char *) info->hdr_alloc, info->len); + if (info->hdr == NULL) { + vfree(info->hdr_alloc); + return -ENOEXEC; + } + return 0; } @@ -2543,18 +2606,18 @@ goto out; } - info->hdr = vmalloc(stat.size); - if (!info->hdr) { + info->hdr_alloc = vmalloc(stat.size); + if (!info->hdr_alloc) { err = -ENOMEM; goto out; } pos = 0; while (pos < stat.size) { - bytes = kernel_read(f.file, pos, (char *)(info->hdr) + pos, + bytes = kernel_read(f.file, pos, (char *)(info->hdr_alloc) + pos, stat.size - pos); if (bytes < 0) { - vfree(info->hdr); + vfree(info->hdr_alloc); err = bytes; goto out; } @@ -2564,6 +2627,14 @@ } info->len = pos; + /* returns the actual ELF header (whether or not this was FatELF). */ + info->hdr = examine_fatelf_module((unsigned char *) info->hdr_alloc, info->len); + if (info->hdr == NULL) { + vfree(info->hdr_alloc); + err = -ENOEXEC; + goto out; + } + out: fdput(f); return err; @@ -2571,7 +2642,7 @@ static void free_copy(struct load_info *info) { - vfree(info->hdr); + vfree(info->hdr_alloc); } static int rewrite_section_headers(struct load_info *info, int flags)