lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <201103010921.57716.ludwig.nussel@suse.de>
Date:	Tue, 1 Mar 2011 09:21:57 +0100
From:	Ludwig Nussel <ludwig.nussel@...e.de>
To:	Randy Dunlap <rdunlap@...otime.net>
Cc:	linux-kernel@...r.kernel.org,
	Thomas Gleixner (maintainer:X86 ARCHITECTURE...) 
	<tglx@...utronix.de>,
	Ingo Molnar (maintainer:X86 ARCHITECTURE...) <mingo@...hat.com>,
	"H. Peter Anvin" (maintainer:X86 ARCHITECTURE...) <hpa@...or.com>,
	"maintainer:X86 ARCHITECTURE..." <x86@...nel.org>
Subject: Re: [PATCH] fix mmap random address range on x86 (try2)

Randy Dunlap wrote:
> On Mon, 28 Feb 2011 15:53:03 +0100 Ludwig Nussel wrote:
> > On x86 casting the unsigned int result of get_random_int() to long
> > may result in a negative value. On x86 the range of mmap_rnd()
> > therefore was -255 to 255. The 32bit mode on x86_64 used 0 to 255 as
> > intended.
> > 
> > The bug was introduced by commit 675a081 in January 2008.
> > 
> > Signed-off-by: Ludwig Nussel <ludwig.nussel@...e.de>
> > ---
> >  arch/x86/mm/mmap.c |    4 ++--
> >  1 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
> > index 1dab519..f927429 100644
> > --- a/arch/x86/mm/mmap.c
> > +++ b/arch/x86/mm/mmap.c
> > @@ -87,9 +87,9 @@ static unsigned long mmap_rnd(void)
> >  	*/
> >  	if (current->flags & PF_RANDOMIZE) {
> >  		if (mmap_is_ia32())
> > -			rnd = (long)get_random_int() % (1<<8);
> > +			rnd = get_random_int() % (1<<8);
> >  		else
> > -			rnd = (long)(get_random_int() % (1<<28));
> > +			rnd = get_random_int() % (1<<28);
> >  	}
> >  	return rnd << PAGE_SHIFT;
> >  }
> 
> Is there a test case for this?
> Can it be tested/checked/observed?

Sure. The attached program prints the address of the main function
to stdout. Compile it for i586, run it several times in a loop and
count the number of distinct addresses.

x86_64:
$ gcc -g -O2 -Wall -fpie -pie -m32 -o mainaddr mainaddr.c && for ((i=0;i<5000;++i)); do ./mainaddr; done | sort -u | wc -l
256

On native i586 without the patch the result is 511

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

View attachment "mainaddr.c" of type "text/x-csrc" (109 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ