[PATCH] limit max map count to safe value under ELF v2

From: KAMEZAWA Hiroyuki
Date: Mon Jun 22 2009 - 02:38:05 EST

This is a replacement for

I think all necessary info is written in the comments.

From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx>

With ELF, when generating a coredump, some more headers other than used vmas
are added.
When max_map_count == 65536, a core generated by the following kinds of
code can be unreadable because the number of ELF program headers is
written in 16 bits in Ehdr (please see elf.h) and the number overflows.
... = mmap(); (munmap, mprotect, etc...)
if (failed)
This can happen in mmap/munmap/mprotect/etc...which calls

I think 65536 is not safe as _default_ and reducing it to 65530 is good
for avoiding an unexpectedly corrupted core.

Anyway, max_map_count can be enlarged by sysctl if a user is brave..

Changelog: v1 -> v2
- set limit to 65530
- added more comments explaining the reason for the value.

Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx>
fs/binfmt_elf.c | 5 ++++-
include/linux/sched.h | 16 ++++++++++++++--
2 files changed, 18 insertions(+), 3 deletions(-)

Index: linux-2.6.30-git18/include/linux/sched.h
--- linux-2.6.30-git18.orig/include/linux/sched.h
+++ linux-2.6.30-git18/include/linux/sched.h
@@ -349,8 +349,20 @@ extern int mutex_spin_on_owner(struct mu
struct nsproxy;
struct user_namespace;

-/* Maximum number of active map areas.. This is a random (large) number */
-#define DEFAULT_MAX_MAP_COUNT 65536
+ * Default maximum number of active map areas, this limits the number of vmas
+ * per mm struct. Users can overwrite this number by sysctl but there is a
+ * problem.
+ *
+ * When a program's coredump is generated as ELF format, a section is created
+ * per a vma. In ELF, the number of sections is represented in unsigned short.
+ * This means the number of sections should be smaller than 65535 at coredump.
+ * Because the kernel adds some informative sections to a image of program at
+ * generating coredump, we need some margin. The number of extra sections is
+ * 1-3 now and depends on arch. We use "5" as safe margin, here.
+ */

extern int sysctl_max_map_count;

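Review bot: The added comment speaks of a "section" per vma and says "the number of sections is represented in unsigned short", while the commit message and the comment added in fs/binfmt_elf.c both refer to program headers ("segs") in the Ehdr. Using one term throughout, program headers, would point a reader at the right 16-bit field. It would also help to express the default as the 16-bit limit minus a named margin instead of a bare number, so the "5" explained in the comment and the value cannot drift apart.
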
Index: linux-2.6.30-git18/fs/binfmt_elf.c
--- linux-2.6.30-git18.orig/fs/binfmt_elf.c
+++ linux-2.6.30-git18/fs/binfmt_elf.c
@@ -1929,7 +1929,10 @@ static int elf_core_dump(long signr, str
elf = kmalloc(sizeof(*elf), GFP_KERNEL);
if (!elf)
goto out;
+ /*
+ * The number of segs are recored into ELF header as 16bit value.
+ * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here.
+ */
segs = current->mm->map_count;

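Review bot: Only a comment is added above `segs = current->mm->map_count;`, so nothing at this point stops the header count from wrapping when max_map_count has been raised through sysctl, which the commit message says a user may do. A check here that segs plus the extra headers still fits in 16 bits, with the dump refused or handled otherwise instead of a truncated count being written, would cover that case. In the comment, "recored" should read "recorded".
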
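
The overflow described in the commit message can be spotted in a core's headers; the C program below is an added example, not part of the patch or of the kernel's code. It assumes the PT_NOTE header is written first and its data starts right after the program header table; the function names and the sample buffer are constructed for illustration.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: only the header part of a core, one PT_LOAD slot per
 * vma plus one PT_NOTE, with the total stored in the 16-bit e_phnum. */
static uint8_t *build_core_headers(uint32_t vmas, size_t *len)
{
    uint32_t total = vmas + 1;                        /* +1 for PT_NOTE */
    Elf64_Ehdr eh = { .e_type = ET_CORE, .e_phoff = sizeof(Elf64_Ehdr),
                      .e_phentsize = sizeof(Elf64_Phdr),
                      .e_phnum = (Elf64_Half)total }; /* wraps above 65535 */
    Elf64_Phdr note = { .p_type = PT_NOTE };
    *len = sizeof eh + (size_t)total * sizeof note;
    uint8_t *buf = calloc(1, *len);
    if (!buf) return NULL;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    note.p_offset = *len;              /* assumed: note data follows the table */
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &note, sizeof note);
    return buf;
}

/* Header count implied by the note offset, 0 if unknown; *stored gets e_phnum. */
static uint32_t implied_phnum(const uint8_t *buf, size_t len, uint16_t *stored)
{
    Elf64_Ehdr eh;
    Elf64_Phdr first;
    if (len < sizeof eh + sizeof first) return 0;
    memcpy(&eh, buf, sizeof eh);
    *stored = eh.e_phnum;
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_type != ET_CORE) return 0;
    if (eh.e_phentsize != sizeof first || eh.e_phoff > len - sizeof first) return 0;
    memcpy(&first, buf + eh.e_phoff, sizeof first);
    if (first.p_type != PT_NOTE || first.p_offset < eh.e_phoff) return 0;
    return (uint32_t)((first.p_offset - eh.e_phoff) / eh.e_phentsize);
}

int main(void)
{
    size_t len;
    uint16_t stored = 0;
    uint8_t *core = build_core_headers(65536, &len);  /* vmas at the old default */
    uint32_t implied = core ? implied_phnum(core, len, &stored) : 0;
    printf("e_phnum=%u implied=%u\n", (unsigned)stored, (unsigned)implied);
    free(core);
    return 0;
}
```

A stored e_phnum that differs from the implied count means a reader trusting the header sees only a fraction of the program headers.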