lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Sep 2009 09:32:31 +0200 From: Michal Hocko <mhocko@...e.cz> To: Jiri Kosina <jkosina@...e.cz>, Ingo Molnar <mingo@...hat.com> Cc: x86@...nel.org, linux-kernel@...r.kernel.org, "H . Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH v2] x86: increase MIN_GAP to include randomized stack On Mon 07-09-09 17:18:44, Jiri Kosina wrote: > On Fri, 4 Sep 2009, Michal Hocko wrote: > > > Currently we are not including randomized stack size when calculating > > mmap_base address in arch_pick_mmap_layout for topdown case. This might > > cause that mmap_base starts in the stack reserved area because stack is > > randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB. > > > > If the stack really grows down to mmap_base then we can get silent mmap > > region overwrite by the stack values. > > > > Let's include maximum stack randomization size into MIN_GAP which is > > used as the low bound for the gap in mmap. > > > > Signed-off-by: Michal Hocko <mhocko@...e.cz> > > --- > > arch/x86/mm/mmap.c | 21 +++++++++++++++++++-- > > 1 files changed, 19 insertions(+), 2 deletions(-) > > > > I wasn't sure about STACK_RND_MASK because it is defined also in > > arch/x86/include/asm/elf.h and I couldn't find a common header file for > > both of them. If you have any idea I would like to help with that. > > Or should we just let it for later cleanup? > > What will break if we include <asm/elf.h> from mmap.c? I have tried that and as far as compilation went it was OK... Except for one thing which I haven't noticed before as well. STACK_RND_MASK is not defined outside of CONFIG_X86_64 (in <arch/elf.h>). One possible way to fix this is to update the original patch with: diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c index ac41955..a4566a8 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -32,7 +32,11 @@ /* 1GB for 64bit, 8MB for 32bit definition taken from arch/x86/include/asm/elf.h */ #ifndef STACK_RND_MASK +#ifdef CONFIG_X86_64 #define STACK_RND_MASK (test_thread_flag(TIF_IA32) ? 0x7ff : 0x3fffff) +#else +#define STACK_RND_MASK (0x7ff) +#endif #endif static unsigned int stack_maxrandom_size(void) This, however, doesn't look very nice. If there is no objection I would define STACK_RND_MASK in <arch/elf.h> also out of CONFIG_X86_64 and remove this definition from mmap.c completely. What do you think? > > > I think that this is also stable material and I will repost it to > > stable@...nel.org once you ack it. > > > > Changes from v1: > > Fixed unsigned int overflow in MIN_GAP calculation. > > > > > > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c > > index 1658296..ac41955 100644 > > --- a/arch/x86/mm/mmap.c > > +++ b/arch/x86/mm/mmap.c > > @@ -30,12 +30,29 @@ > > #include <linux/limits.h> > > #include <linux/sched.h> > > > > +/* 1GB for 64bit, 8MB for 32bit definition taken from arch/x86/include/asm/elf.h */ > > +#ifndef STACK_RND_MASK > > +#define STACK_RND_MASK (test_thread_flag(TIF_IA32) ? 0x7ff : 0x3fffff) > > +#endif > > + > > +static unsigned int stack_maxrandom_size(void) > > +{ > > + unsigned int max = 0; > > + if ((current->flags & PF_RANDOMIZE) && > > + !(current->personality & ADDR_NO_RANDOMIZE)) { > > + max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; > > + } > > + > > + return max; > > +} > > + > > + > > /* > > * Top of mmap area (just below the process stack). > > * > > - * Leave an at least ~128 MB hole. > > + * Leave an at least ~128 MB hole with possible stack randomization. > > */ > > -#define MIN_GAP (128*1024*1024) > > +#define MIN_GAP (128*1024*1024UL + stack_maxrandom_size()) > > #define MAX_GAP (TASK_SIZE/6*5) > > Apart from doubling the STACK_RND_MASK definition > > Acked-by: Jiri Kosina <jkosina@...e.cz> > > Thanks, > > -- > Jiri Kosina > SUSE Labs -- Michal Hocko L3 team SUSE LINUX s.r.o. Lihovarska 1060/12 190 00 Praha 9 Czech Republic -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists