[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20170602152010.2064-4-riel@redhat.com>
Date: Fri, 2 Jun 2017 11:20:07 -0400
From: riel@...hat.com
To: linux-kernel@...r.kernel.org
Cc: kernel-hardening@...ts.openwall.com, akpm@...ux-foundation.org,
mingo@...nel.org, oleg@...hat.com, lwoodman@...hat.com,
mhocko@...e.de, danielmicay@...il.com, will.deacon@....com,
benh@...nel.crashing.org
Subject: [PATCH 3/6] x86/mmap: properly account for stack randomization in mmap_base
From: Rik van Riel <riel@...hat.com>
When RLIMIT_STACK is, for example, 256MB, the current code results in
a gap between the top of the task and mmap_base of 256MB, failing to
take into account the amount by which the stack address was randomized.
In other words, the stack gets less than RLIMIT_STACK space.
Ensure that the gap between the stack and mmap_base always takes stack
randomization into account.
>From Daniel Micay's linux-hardened tree.
Reported-by: Florian Weimer <fweimer@...hat.com>
Signed-off-by: Daniel Micay <danielmicay@...il.com>
Signed-off-by: Rik van Riel <riel@...hat.com>
---
arch/x86/mm/mmap.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 19ad095b41df..8c7ba1adb27b 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -95,13 +95,18 @@ unsigned long arch_mmap_rnd(void)
static unsigned long mmap_base(unsigned long rnd, unsigned long task_size)
{
unsigned long gap = rlimit(RLIMIT_STACK);
+ unsigned long pad = stack_maxrandom_size(task_size);
unsigned long gap_min, gap_max;
+ /* Values close to RLIM_INFINITY can overflow. */
+ if (gap + pad > gap)
+ gap += pad;
+
/*
* Top of mmap area (just below the process stack).
* Leave an at least ~128 MB hole with possible stack randomization.
*/
- gap_min = SIZE_128M + stack_maxrandom_size(task_size);
+ gap_min = SIZE_128M;
gap_max = (task_size / 6) * 5;
if (gap < gap_min)
--
2.9.3
Powered by blists - more mailing lists