| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0708221750340.7792@jikos.suse.cz>
Date: Wed, 22 Aug 2007 18:05:01 +0200 (CEST)
From: Jiri Kosina <jkosina@...e.cz>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org, Ingo Molnar <mingo@...e.hu>,
Jakub Jelinek <jakub@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, Andi Kleen <ak@...e.de>,
Kees Cook <kees@...flux.net>,
Arjan van de Ven <arjan@...radead.org>
Subject: [PATCH] i386 and x86_64: randomize brk()
From: Jiri Kosina <jkosina@...e.cz>
i386 and x86_64: randomize brk()
This patch randomizes the location of the heap (brk) for i386 and x86_64.
The range is randomized in the range starting at current brk location up
to 0x02000000 offset on both architectures. This, together with
pie-executable-randomization.patch and
pie-executable-randomization-fix.patch, should make the address space
randomization on i386 and x86_64 complete (modulo vDSO randomization).
The code is based on execshield code written by Ingo Molnar.
Cc: Ingo Molnar <mingo@...e.hu>
Cc: Jakub Jelinek <jakub@...hat.com>
Cc: H. Peter Anvin <hpa@...or.com>
Cc: Andi Kleen <ak@...e.de>
Cc: Kees Cook <kees@...flux.net>
Cc: Arjan van de Ven <arjan@...radead.org>
Signed-off-by: Jiri Kosina <jkosina@...e.cz>
diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c
index 8466471..21edde5 100644
--- a/arch/i386/kernel/process.c
+++ b/arch/i386/kernel/process.c
@@ -949,3 +949,15 @@ unsigned long arch_align_stack(unsigned long sp)
sp -= get_random_int() % 8192;
return sp & ~0xf;
}
+
+void arch_randomize_brk(void)
+{
+ unsigned long new_brk, range_start, range_end;
+
+ range_start = current->mm->brk;
+ range_end = range_start + 0x02000000;
+ new_brk = randomize_range(range_start, range_end, 0);
+ if (new_brk)
+ current->mm->brk = current->mm->start_brk = new_brk;
+}
+
diff --git a/arch/x86_64/kernel/process.c b/arch/x86_64/kernel/process.c
index 2842f50..37613f3 100644
--- a/arch/x86_64/kernel/process.c
+++ b/arch/x86_64/kernel/process.c
@@ -902,3 +902,15 @@ unsigned long arch_align_stack(unsigned long sp)
sp -= get_random_int() % 8192;
return sp & ~0xf;
}
+
+void arch_randomize_brk(void)
+{
+ unsigned long new_brk, range_start, range_end;
+
+ range_start = current->mm->brk;
+ range_end = range_start + 0x02000000;
+ new_brk = randomize_range(range_start, range_end, 0);
+ if (new_brk)
+ current->mm->brk = current->mm->start_brk = new_brk;
+}
+
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index d65f1d9..790b09e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1073,6 +1073,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
current->mm->end_data = end_data;
current->mm->start_stack = bprm->p;
+#ifdef ARCH_HAS_RANDOMIZE_BRK
+ if (current->flags & PF_RANDOMIZE)
+ arch_randomize_brk();
+#endif
+
if (current->personality & MMAP_PAGE_ZERO) {
/* Why this, you ask??? Well SVr4 maps page 0 as read-only,
and some applications "depend" upon this behavior.
diff --git a/include/asm-i386/elf.h b/include/asm-i386/elf.h
index b32df3a..34752bc 100644
--- a/include/asm-i386/elf.h
+++ b/include/asm-i386/elf.h
@@ -160,4 +160,7 @@ do if (vdso_enabled) { \
#endif
+#define ARCH_HAS_RANDOMIZE_BRK
+extern void arch_randomize_brk(void);
+
#endif
diff --git a/include/asm-x86_64/elf.h b/include/asm-x86_64/elf.h
index b4fbe47..ec56e67 100644
--- a/include/asm-x86_64/elf.h
+++ b/include/asm-x86_64/elf.h
@@ -177,4 +177,7 @@ do if (vdso_enabled) { \
#endif
+#define ARCH_HAS_RANDOMIZE_BRK
+extern void arch_randomize_brk(void);
+
#endif
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists