[v3] ELF: document some de-facto PT_* ABI quirks

  Turns out rules about PT_INTERP, PT_GNU_STACK and PT_GNU_PROPERTY
program headers are slightly different.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

	v3: move to Documentation/userspace-api/
	v2: integrate into documentation build system

 Documentation/userspace-api/ELF.rst   |   34 ++++++++++++++++++++++++++++++++++
 Documentation/userspace-api/index.rst |    1 +
 2 files changed, 35 insertions(+)

new file mode 100644
  

Alexey Dobriyan <adobriyan@gmail.com> writes:

> Turns out rules about PT_INTERP, PT_GNU_STACK and PT_GNU_PROPERTY
> program headers are slightly different.
>
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> ---
>
> 	v3: move to Documentation/userspace-api/
> 	v2: integrate into documentation build system
>
>  Documentation/userspace-api/ELF.rst   |   34 ++++++++++++++++++++++++++++++++++
>  Documentation/userspace-api/index.rst |    1 +
>  2 files changed, 35 insertions(+)

Applied, thanks.

jon
  

*thread necromancy* Question below...

On Sat, Apr 15, 2023 at 08:37:29PM +0300, Alexey Dobriyan wrote:
> Turns out rules about PT_INTERP, PT_GNU_STACK and PT_GNU_PROPERTY
> program headers are slightly different.
> 
> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> ---
> 
> 	v3: move to Documentation/userspace-api/
> 	v2: integrate into documentation build system
> 
>  Documentation/userspace-api/ELF.rst   |   34 ++++++++++++++++++++++++++++++++++
>  Documentation/userspace-api/index.rst |    1 +
>  2 files changed, 35 insertions(+)
> 
> new file mode 100644
> --- /dev/null
> +++ b/Documentation/userspace-api/ELF.rst
> @@ -0,0 +1,34 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +=================================
> +Linux-specific ELF idiosyncrasies
> +=================================
> +
> +Definitions
> +===========
> +
> +"First" program header is the one with the smallest offset in the file:
> +e_phoff.
> +
> +"Last" program header is the one with the biggest offset in the file:
> +e_phoff + (e_phnum - 1) * sizeof(Elf_Phdr).
> +
> +PT_INTERP
> +=========
> +
> +First PT_INTERP program header is used to locate the filename of ELF
> +interpreter. Other PT_INTERP headers are ignored (since Linux 2.4.11).
> +
> +PT_GNU_STACK
> +============
> +
> +Last PT_GNU_STACK program header defines userspace stack executability
> +(since Linux 2.6.6). Other PT_GNU_STACK headers are ignored.
> +
> +PT_GNU_PROPERTY
> +===============
> +
> +ELF interpreter's last PT_GNU_PROPERTY program header is used (since
> +Linux 5.8). If interpreter doesn't have one, then the last PT_GNU_PROPERTY
> +program header of an executable is used. Other PT_GNU_PROPERTY headers
> +are ignored.

Should we perhaps solve some of these in some way? What would folks
prefer the behaviors be? (I like to have things been "as expected", but
it's not very obvious here for redundant headers...)
  

Kees Cook <keescook@chromium.org> writes:

> *thread necromancy* Question below...
>
> On Sat, Apr 15, 2023 at 08:37:29PM +0300, Alexey Dobriyan wrote:
>> Turns out rules about PT_INTERP, PT_GNU_STACK and PT_GNU_PROPERTY
>> program headers are slightly different.
>> 
>> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
>> ---
>> 
>> 	v3: move to Documentation/userspace-api/
>> 	v2: integrate into documentation build system
>> 
>>  Documentation/userspace-api/ELF.rst   |   34 ++++++++++++++++++++++++++++++++++
>>  Documentation/userspace-api/index.rst |    1 +
>>  2 files changed, 35 insertions(+)
>> 
>> new file mode 100644
>> --- /dev/null
>> +++ b/Documentation/userspace-api/ELF.rst
>> @@ -0,0 +1,34 @@
>> +.. SPDX-License-Identifier: GPL-2.0
>> +
>> +=================================
>> +Linux-specific ELF idiosyncrasies
>> +=================================
>> +
>> +Definitions
>> +===========
>> +
>> +"First" program header is the one with the smallest offset in the file:
>> +e_phoff.

Confusing e_phoff is the defined location of the array of program
headers.

Perhaps the "First" in that array with the lowest e_phnum?

>> +"Last" program header is the one with the biggest offset in the file:
>> +e_phoff + (e_phnum - 1) * sizeof(Elf_Phdr).

Ditto the "Last" in the array with the largest array index.

I nit pick this because it sounded at first like you were talking about
p_offset.  Which is a value contained in the program header entry.

>> +PT_INTERP
>> +=========
>> +
>> +First PT_INTERP program header is used to locate the filename of ELF
>> +interpreter. Other PT_INTERP headers are ignored (since Linux 2.4.11).
>> +
>> +PT_GNU_STACK
>> +============
>> +
>> +Last PT_GNU_STACK program header defines userspace stack executability
>> +(since Linux 2.6.6). Other PT_GNU_STACK headers are ignored.
>> +
>> +PT_GNU_PROPERTY
>> +===============
>> +
>> +ELF interpreter's last PT_GNU_PROPERTY program header is used (since
>> +Linux 5.8). If interpreter doesn't have one, then the last PT_GNU_PROPERTY
>> +program header of an executable is used. Other PT_GNU_PROPERTY headers
>> +are ignored.

A more interesting property to document is that PT_GNU_PROPERTY must
precede PT_INTERP in the linux implementation, otherwise we ignore it.

> Should we perhaps solve some of these in some way? What would folks
> prefer the behaviors be? (I like to have things been "as expected", but
> it's not very obvious here for redundant headers...)

All of these are really headers that should appear only once.

Quite frankly if we are going to do something with this my sense is that
we should fail the execve with a clear error code as userspace should
not be doing this, and accepting a malformed executable will hide
errors, and perhaps hide someone causing problems.

I really don't think having multiple copies of these headers with
different values is something we should encourage.

It looks like -ELIBBAD is the documented way to fail and report
a bad file format.


For PT_GNU_PROPTERTY perhaps we should accept it anywhere, instead of
silently ignoring it depending upon it's location?

I thinking change the code to talk one pass through the program headers
to identify the interesting headers, and then with the interesting
headers all identified we go do something with them.

Anyway just my opinion, but that is what it feels like to me.

Eric
  

On Thu, Dec 07, 2023 at 09:03:45AM -0600, Eric W. Biederman wrote:
> Kees Cook <keescook@chromium.org> writes:
> 
> > *thread necromancy* Question below...
> >
> > On Sat, Apr 15, 2023 at 08:37:29PM +0300, Alexey Dobriyan wrote:
> >> Turns out rules about PT_INTERP, PT_GNU_STACK and PT_GNU_PROPERTY
> >> program headers are slightly different.
> >> 
> >> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> >> ---
> >> 
> >> 	v3: move to Documentation/userspace-api/
> >> 	v2: integrate into documentation build system
> >> 
> >>  Documentation/userspace-api/ELF.rst   |   34 ++++++++++++++++++++++++++++++++++
> >>  Documentation/userspace-api/index.rst |    1 +
> >>  2 files changed, 35 insertions(+)
> >> 
> >> new file mode 100644
> >> --- /dev/null
> >> +++ b/Documentation/userspace-api/ELF.rst
> >> @@ -0,0 +1,34 @@
> >> +.. SPDX-License-Identifier: GPL-2.0
> >> +
> >> +=================================
> >> +Linux-specific ELF idiosyncrasies
> >> +=================================
> >> +
> >> +Definitions
> >> +===========
> >> +
> >> +"First" program header is the one with the smallest offset in the file:
> >> +e_phoff.
> 
> Confusing e_phoff is the defined location of the array of program
> headers.
> 
> Perhaps the "First" in that array with the lowest e_phnum?
> 
> >> +"Last" program header is the one with the biggest offset in the file:
> >> +e_phoff + (e_phnum - 1) * sizeof(Elf_Phdr).
> 
> Ditto the "Last" in the array with the largest array index.
> 
> I nit pick this because it sounded at first like you were talking about
> p_offset.  Which is a value contained in the program header entry.
> 
> >> +PT_INTERP
> >> +=========
> >> +
> >> +First PT_INTERP program header is used to locate the filename of ELF
> >> +interpreter. Other PT_INTERP headers are ignored (since Linux 2.4.11).
> >> +
> >> +PT_GNU_STACK
> >> +============
> >> +
> >> +Last PT_GNU_STACK program header defines userspace stack executability
> >> +(since Linux 2.6.6). Other PT_GNU_STACK headers are ignored.
> >> +
> >> +PT_GNU_PROPERTY
> >> +===============
> >> +
> >> +ELF interpreter's last PT_GNU_PROPERTY program header is used (since
> >> +Linux 5.8). If interpreter doesn't have one, then the last PT_GNU_PROPERTY
> >> +program header of an executable is used. Other PT_GNU_PROPERTY headers
> >> +are ignored.
> 
> A more interesting property to document is that PT_GNU_PROPERTY must
> precede PT_INTERP in the linux implementation, otherwise we ignore it.
> 
> > Should we perhaps solve some of these in some way? What would folks
> > prefer the behaviors be? (I like to have things been "as expected", but
> > it's not very obvious here for redundant headers...)
> 
> All of these are really headers that should appear only once.

Yes.

> Quite frankly if we are going to do something with this my sense is that
> we should fail the execve with a clear error code as userspace should
> not be doing this, and accepting a malformed executable will hide
> errors, and perhaps hide someone causing problems.

Maybe do it for PT_GNU_PROPERTY which is relatively new.

> I really don't think having multiple copies of these headers with
> different values is something we should encourage.
> 
> It looks like -ELIBBAD is the documented way to fail and report
> a bad file format.

It is obvious you don't know how much will break.

> For PT_GNU_PROPTERTY perhaps we should accept it anywhere, instead of
> silently ignoring it depending upon it's location?
> 
> I thinking change the code to talk one pass through the program headers
> to identify the interesting headers, and then with the interesting
> headers all identified we go do something with them.
> 
> Anyway just my opinion, but that is what it feels like to me.

_Not_ checking for duplicates will result in the simplest and fastest exec.
which is what current code does.
  

Alexey Dobriyan <adobriyan@gmail.com> writes:

> On Thu, Dec 07, 2023 at 09:03:45AM -0600, Eric W. Biederman wrote:
>> Kees Cook <keescook@chromium.org> writes:
>> 
>> > *thread necromancy* Question below...
>> >
>> > On Sat, Apr 15, 2023 at 08:37:29PM +0300, Alexey Dobriyan wrote:
>> >> Turns out rules about PT_INTERP, PT_GNU_STACK and PT_GNU_PROPERTY
>> >> program headers are slightly different.
>> >> 
>> >> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
>> >> ---
>> >> 
>> >> 	v3: move to Documentation/userspace-api/
>> >> 	v2: integrate into documentation build system
>> >> 
>> >>  Documentation/userspace-api/ELF.rst   |   34 ++++++++++++++++++++++++++++++++++
>> >>  Documentation/userspace-api/index.rst |    1 +
>> >>  2 files changed, 35 insertions(+)
>> >> 
>> >> new file mode 100644
>> >> --- /dev/null
>> >> +++ b/Documentation/userspace-api/ELF.rst
>> >> @@ -0,0 +1,34 @@
>> >> +.. SPDX-License-Identifier: GPL-2.0
>> >> +
>> >> +=================================
>> >> +Linux-specific ELF idiosyncrasies
>> >> +=================================
>> >> +
>> >> +Definitions
>> >> +===========
>> >> +
>> >> +"First" program header is the one with the smallest offset in the file:
>> >> +e_phoff.
>> 
>> Confusing e_phoff is the defined location of the array of program
>> headers.
>> 
>> Perhaps the "First" in that array with the lowest e_phnum?
>> 
>> >> +"Last" program header is the one with the biggest offset in the file:
>> >> +e_phoff + (e_phnum - 1) * sizeof(Elf_Phdr).
>> 
>> Ditto the "Last" in the array with the largest array index.
>> 
>> I nit pick this because it sounded at first like you were talking about
>> p_offset.  Which is a value contained in the program header entry.
>> 
>> >> +PT_INTERP
>> >> +=========
>> >> +
>> >> +First PT_INTERP program header is used to locate the filename of ELF
>> >> +interpreter. Other PT_INTERP headers are ignored (since Linux 2.4.11).
>> >> +
>> >> +PT_GNU_STACK
>> >> +============
>> >> +
>> >> +Last PT_GNU_STACK program header defines userspace stack executability
>> >> +(since Linux 2.6.6). Other PT_GNU_STACK headers are ignored.
>> >> +
>> >> +PT_GNU_PROPERTY
>> >> +===============
>> >> +
>> >> +ELF interpreter's last PT_GNU_PROPERTY program header is used (since
>> >> +Linux 5.8). If interpreter doesn't have one, then the last PT_GNU_PROPERTY
>> >> +program header of an executable is used. Other PT_GNU_PROPERTY headers
>> >> +are ignored.
>> 
>> A more interesting property to document is that PT_GNU_PROPERTY must
>> precede PT_INTERP in the linux implementation, otherwise we ignore it.
>> 
>> > Should we perhaps solve some of these in some way? What would folks
>> > prefer the behaviors be? (I like to have things been "as expected", but
>> > it's not very obvious here for redundant headers...)
>> 
>> All of these are really headers that should appear only once.
>
> Yes.
>
>> Quite frankly if we are going to do something with this my sense is that
>> we should fail the execve with a clear error code as userspace should
>> not be doing this, and accepting a malformed executable will hide
>> errors, and perhaps hide someone causing problems.
>
> Maybe do it for PT_GNU_PROPERTY which is relatively new.
>
>> I really don't think having multiple copies of these headers with
>> different values is something we should encourage.
>> 
>> It looks like -ELIBBAD is the documented way to fail and report
>> a bad file format.
>
> It is obvious you don't know how much will break.

My assumption is frankly that nothing will break.  My quick examination
of userspace binaries suggests that nothing is silly enough to duplicate
such headers.

Do you know of a binaries in userspace that duplicate these headers?

Without a documented ordering arguably anything that results in
these headers being duplicated is already buggy, and broken.

I can think of no use for duplicating these headers other than
as some kind of gadget in an exploit.  I don't see how such
a gadget would be useful currently.

>
>> For PT_GNU_PROPTERTY perhaps we should accept it anywhere, instead of
>> silently ignoring it depending upon it's location?
>> 
>> I thinking change the code to talk one pass through the program headers
>> to identify the interesting headers, and then with the interesting
>> headers all identified we go do something with them.
>> 
>> Anyway just my opinion, but that is what it feels like to me.
>
> _Not_ checking for duplicates will result in the simplest and fastest exec.
> which is what current code does.

Given that I/O is involved taking a pre-pass through the headers is
in the noise, and it might even make the code faster as it would
prime the code for the other passes.

The fastest of course would be to have the elf loader only look
at the first of any of these headers.

What got you wanting to document how we handle duplicates?

Eric
  

On Sun, Dec 10, 2023 at 04:58:50PM -0600, Eric W. Biederman wrote:
> Alexey Dobriyan <adobriyan@gmail.com> writes:
> 
> > On Thu, Dec 07, 2023 at 09:03:45AM -0600, Eric W. Biederman wrote:

> >> Quite frankly if we are going to do something with this my sense is that
> >> we should fail the execve with a clear error code as userspace should
> >> not be doing this, and accepting a malformed executable will hide
> >> errors, and perhaps hide someone causing problems.
> >
> > Maybe do it for PT_GNU_PROPERTY which is relatively new.
> >
> >> I really don't think having multiple copies of these headers with
> >> different values is something we should encourage.
> >> 
> >> It looks like -ELIBBAD is the documented way to fail and report
> >> a bad file format.
> >
> > It is obvious you don't know how much will break.
> 
> My assumption is frankly that nothing will break.  My quick examination
> of userspace binaries suggests that nothing is silly enough to duplicate
> such headers.

Ha! Non-overlapping PT_LOAD segments is reasonable requirement (why would
you have them?) but it was reverted.

> Do you know of a binaries in userspace that duplicate these headers?
> 
> Without a documented ordering arguably anything that results in
> these headers being duplicated is already buggy, and broken.
> 
> I can think of no use for duplicating these headers other than
> as some kind of gadget in an exploit.  I don't see how such
> a gadget would be useful currently.
> 
> >
> >> For PT_GNU_PROPTERTY perhaps we should accept it anywhere, instead of
> >> silently ignoring it depending upon it's location?
> >> 
> >> I thinking change the code to talk one pass through the program headers
> >> to identify the interesting headers, and then with the interesting
> >> headers all identified we go do something with them.
> >> 
> >> Anyway just my opinion, but that is what it feels like to me.
> >
> > _Not_ checking for duplicates will result in the simplest and fastest exec.
> > which is what current code does.
> 
> Given that I/O is involved taking a pre-pass through the headers is
> in the noise, and it might even make the code faster as it would
> prime the code for the other passes.

Branches will evict other branches from branch predictor.
And it is always more code.

ELF is very rigid format. E.g segment headers can overlap everything
else and it is not a problem. Overmapped PT_LOAD segments aren't
a problem too (for the kernel).

These things should have been rejected from the very beginning.

I'd even argue kernel rejects too much:

		elf_entry = e_entry;
                if (BAD_ADDR(elf_entry)) {
                        retval = -EINVAL;
                        goto out_free_dentry;
                }

Why even check? If e_entry is bad than process will segfault and that's it.

		elf_ppnt->p_filesz > elf_ppnt->p_memsz

Again, why check, just map the minimum.

> The fastest of course would be to have the elf loader only look
> at the first of any of these headers.
> 
> What got you wanting to document how we handle duplicates?

I read ELF code too much and noticed that loops are slightly different,
that's all.