From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Hector Marco-Gisbert <hecmargi@upv.es>,
	Ismael Ripoll <iripoll@upv.es>, Kees Cook <keescook@chromium.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>, Borislav Petkov <bp@suse.de>
Subject: [PATCH 3.10 53/53] x86, mm/ASLR: Fix stack randomization on 64-bit systems
Date: Tue,  3 Mar 2015 22:06:56 -0800	[thread overview]
Message-ID: <20150304054618.647806161@linuxfoundation.org> (raw)
In-Reply-To: <20150304054609.869052846@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hector Marco-Gisbert <hecmargi@upv.es>

commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream.

The issue is that the stack for processes is not properly randomized on
64 bit architectures due to an integer overflow.

The affected function is randomize_stack_top() in file
"fs/binfmt_elf.c":

  static unsigned long randomize_stack_top(unsigned long stack_top)
  {
           unsigned int random_variable = 0;

           if ((current->flags & PF_RANDOMIZE) &&
                   !(current->personality & ADDR_NO_RANDOMIZE)) {
                   random_variable = get_random_int() & STACK_RND_MASK;
                   random_variable <<= PAGE_SHIFT;
           }
  #ifdef CONFIG_STACK_GROWSUP
           return PAGE_ALIGN(stack_top) + random_variable;
  #else
           return PAGE_ALIGN(stack_top) - random_variable;
  #endif
  }

Note that it declares the "random_variable" variable as "unsigned int".
Since the result of the shifting operation between STACK_RND_MASK (which
is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):

	  random_variable <<= PAGE_SHIFT;

then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold
the (22+12) result.

These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to
2^30 (one fourth of the expected entropy).

This patch restores the entropy by correcting the types involved
in the operations in the functions randomize_stack_top() and
stack_maxrandom_size().

The successful fix can be tested with:

  $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
  7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
  7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
  7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
  7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
  ...

Once corrected, the leading bytes should be between 7ffc and 7fff,
rather than always being 7fff.
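The truncation described above, worked through in user space as an added example (this is not the kernel's code and not part of this patch): the two offset functions repeat the pre- and post-patch arithmetic with the x86_64 constants quoted in the commit message (STACK_RND_MASK = 0x3fffff, PAGE_SHIFT = 12), count how many distinct page offsets each version can produce, and derive the lowest leading hex digits the /proc/self/maps test would show. The stack_top value is an assumption chosen for illustration, and the example needs an LP64 target where unsigned long is 64 bits, as on x86_64 Linux.

```c
/*
 * Added example (not the kernel's code and not part of this patch): models
 * the randomize_stack_top() arithmetic before and after the fix, using the
 * x86_64 constants quoted in the commit message. Requires an LP64 target
 * (unsigned long is 64 bits), as on x86_64 Linux.
 */
#include <stdio.h>
#include <string.h>

#define STACK_RND_MASK 0x3fffffUL           /* 22 bits on x86_64 (commit message) */
#define PAGE_SHIFT     12                   /* x86_64 */
#define PAGE_SIZE      (1UL << PAGE_SHIFT)
#define PAGE_ALIGN(x)  (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define RND_VALUES     (STACK_RND_MASK + 1) /* 2^22 possible masked values */

/* Pre-patch arithmetic: the 34-bit shift result is stored in a 32-bit variable. */
static unsigned long stack_offset_buggy(unsigned int rnd)
{
	unsigned int random_variable = rnd & STACK_RND_MASK;

	random_variable <<= PAGE_SHIFT;     /* bits 32 and 33 fall off here */
	return random_variable;
}

/* Post-patch arithmetic: the variable is 64 bits wide, so all 34 bits survive. */
static unsigned long stack_offset_fixed(unsigned int rnd)
{
	unsigned long random_variable = (unsigned long) rnd;

	random_variable &= STACK_RND_MASK;
	random_variable <<= PAGE_SHIFT;
	return random_variable;
}

/*
 * Enumerate every masked random value and count the distinct page offsets
 * a given version can produce: 2^22 when fixed, 2^20 when buggy, i.e. the
 * factor-of-four entropy loss described in the commit message.
 */
static unsigned long count_distinct_offsets(unsigned long (*fn)(unsigned int))
{
	static unsigned char seen[RND_VALUES / 8];   /* one bit per page offset */
	unsigned long count = 0;

	memset(seen, 0, sizeof(seen));
	for (unsigned int r = 0; r < RND_VALUES; r++) {
		unsigned long page = fn(r) >> PAGE_SHIFT; /* always < 2^22 */

		if (!(seen[page / 8] & (1u << (page % 8)))) {
			seen[page / 8] |= (unsigned char)(1u << (page % 8));
			count++;
		}
	}
	return count;
}

/*
 * Lowest value of the top 16 bits of the stack base, i.e. the "7ffc".."7fff"
 * digits the /proc/self/maps test in the commit message looks at. The stack
 * grows down on x86_64, so the base is stack_top minus the offset. stack_top
 * is an assumed, hypothetical value, not read from a real kernel.
 */
static unsigned long lowest_top16(unsigned long (*fn)(unsigned int))
{
	const unsigned long stack_top = 0x7ffffffff000UL;   /* assumption */
	unsigned long lowest = ~0UL;

	for (unsigned int r = 0; r < RND_VALUES; r++) {
		unsigned long base = PAGE_ALIGN(stack_top) - fn(r);

		if (base < lowest)
			lowest = base;
	}
	return (lowest >> 32) & 0xffff;
}

int main(void)
{
	unsigned int worst = (unsigned int) STACK_RND_MASK;  /* all 22 mask bits set */

	printf("offset for rnd=0x%x: buggy 0x%lx, fixed 0x%lx\n", worst,
	       stack_offset_buggy(worst), stack_offset_fixed(worst));
	printf("distinct page offsets: buggy %lu (2^20), fixed %lu (2^22)\n",
	       count_distinct_offsets(stack_offset_buggy),
	       count_distinct_offsets(stack_offset_fixed));
	printf("lowest leading hex digits of [stack]: buggy %04lx, fixed %04lx\n",
	       lowest_top16(stack_offset_buggy), lowest_top16(stack_offset_fixed));
	return 0;
}
```

With the assumed stack_top the buggy arithmetic never places the stack below 0x7fff00000000, which is why every [stack] line in the pre-fix output starts with 7fff, while the 64-bit arithmetic reaches down to 0x7ffc00000000.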

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: CVE-2015-1593
Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/mmap.c |    6 +++---
 fs/binfmt_elf.c    |    5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_ali
 	.flags = -1,
 };
 
-static unsigned int stack_maxrandom_size(void)
+static unsigned long stack_maxrandom_size(void)
 {
-	unsigned int max = 0;
+	unsigned long max = 0;
 	if ((current->flags & PF_RANDOMIZE) &&
 		!(current->personality & ADDR_NO_RANDOMIZE)) {
-		max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
+		max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
 	}
 
 	return max;
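Review bot: widening stack_maxrandom_size() to return unsigned long is only half the fix if any caller stores the result in a 32-bit variable, and the callers are not in this hunk; please confirm every use site in this file keeps the value in an unsigned long, otherwise the two recovered bits are truncated again at the call site. Also, `max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;` masks an all-ones value, which is just STACK_RND_MASK; a one-line comment stating that the shifted value needs STACK_RND_MASK bits plus PAGE_SHIFT bits (34 on x86_64) would stop a later cleanup from narrowing `max` back to unsigned int.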
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -552,11 +552,12 @@ out:
 
 static unsigned long randomize_stack_top(unsigned long stack_top)
 {
-	unsigned int random_variable = 0;
+	unsigned long random_variable = 0;
 
 	if ((current->flags & PF_RANDOMIZE) &&
 		!(current->personality & ADDR_NO_RANDOMIZE)) {
-		random_variable = get_random_int() & STACK_RND_MASK;
+		random_variable = (unsigned long) get_random_int();
+		random_variable &= STACK_RND_MASK;
 		random_variable <<= PAGE_SHIFT;
 	}
 #ifdef CONFIG_STACK_GROWSUP
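Review bot: the split `random_variable = (unsigned long) get_random_int();` / `random_variable &= STACK_RND_MASK;` reads as if the cast were what gains the bits, but get_random_int() still yields at most 32 bits and the mask keeps 22 of them; the entropy is recovered because `random_variable <<= PAGE_SHIFT;` now operates on a 64-bit variable. A short comment on the declaration saying the shifted value must hold 22 + 12 bits on x86_64 would make that intent survive future refactors. The `#ifdef CONFIG_STACK_GROWSUP` return paths that follow the hunk already return unsigned long, so nothing further is needed there.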


