| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Sep 2009 09:32:31 +0200
From: Michal Hocko <mhocko@...e.cz>
To: Jiri Kosina <jkosina@...e.cz>, Ingo Molnar <mingo@...hat.com>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org,
"H . Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v2] x86: increase MIN_GAP to include randomized stack
On Mon 07-09-09 17:18:44, Jiri Kosina wrote:
> On Fri, 4 Sep 2009, Michal Hocko wrote:
>
> > Currently we are not including randomized stack size when calculating
> > mmap_base address in arch_pick_mmap_layout for topdown case. This might
> > cause that mmap_base starts in the stack reserved area because stack is
> > randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB.
> >
> > If the stack really grows down to mmap_base then we can get silent mmap
> > region overwrite by the stack values.
> >
> > Let's include maximum stack randomization size into MIN_GAP which is
> > used as the low bound for the gap in mmap.
> >
> > Signed-off-by: Michal Hocko <mhocko@...e.cz>
> > ---
> > arch/x86/mm/mmap.c | 21 +++++++++++++++++++--
> > 1 files changed, 19 insertions(+), 2 deletions(-)
> >
> > I wasn't sure about STACK_RND_MASK because it is defined also in
> > arch/x86/include/asm/elf.h and I couldn't find a common header file for
> > both of them. If you have any idea I would like to help with that.
> > Or should we just let it for later cleanup?
>
> What will break if we include <asm/elf.h> from mmap.c?
I have tried that and as far as compilation went it was OK... Except for
one thing which I haven't noticed before as well. STACK_RND_MASK is not
defined outside of CONFIG_X86_64 (in <arch/elf.h>).
One possible way to fix this is to update the original patch with:
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index ac41955..a4566a8 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -32,7 +32,11 @@
/* 1GB for 64bit, 8MB for 32bit definition taken from arch/x86/include/asm/elf.h */
#ifndef STACK_RND_MASK
+#ifdef CONFIG_X86_64
#define STACK_RND_MASK (test_thread_flag(TIF_IA32) ? 0x7ff : 0x3fffff)
+#else
+#define STACK_RND_MASK (0x7ff)
+#endif
#endif
static unsigned int stack_maxrandom_size(void)
This, however, doesn't look very nice. If there is no objection I would
define STACK_RND_MASK in <arch/elf.h> also out of CONFIG_X86_64 and
remove this definition from mmap.c completely. What do you think?
>
> > I think that this is also stable material and I will repost it to
> > stable@...nel.org once you ack it.
> >
> > Changes from v1:
> > Fixed unsigned int overflow in MIN_GAP calculation.
> >
> >
> > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
> > index 1658296..ac41955 100644
> > --- a/arch/x86/mm/mmap.c
> > +++ b/arch/x86/mm/mmap.c
> > @@ -30,12 +30,29 @@
> > #include <linux/limits.h>
> > #include <linux/sched.h>
> >
> > +/* 1GB for 64bit, 8MB for 32bit definition taken from arch/x86/include/asm/elf.h */
> > +#ifndef STACK_RND_MASK
> > +#define STACK_RND_MASK (test_thread_flag(TIF_IA32) ? 0x7ff : 0x3fffff)
> > +#endif
> > +
> > +static unsigned int stack_maxrandom_size(void)
> > +{
> > + unsigned int max = 0;
> > + if ((current->flags & PF_RANDOMIZE) &&
> > + !(current->personality & ADDR_NO_RANDOMIZE)) {
> > + max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
> > + }
> > +
> > + return max;
> > +}
> > +
> > +
> > /*
> > * Top of mmap area (just below the process stack).
> > *
> > - * Leave an at least ~128 MB hole.
> > + * Leave an at least ~128 MB hole with possible stack randomization.
> > */
> > -#define MIN_GAP (128*1024*1024)
> > +#define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
> > #define MAX_GAP (TASK_SIZE/6*5)
>
> Apart from doubling the STACK_RND_MASK definition
>
> Acked-by: Jiri Kosina <jkosina@...e.cz>
>
> Thanks,
>
> --
> Jiri Kosina
> SUSE Labs
--
Michal Hocko
L3 team
SUSE LINUX s.r.o.
Lihovarska 1060/12
190 00 Praha 9
Czech Republic
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists