From: y.gribov@samsung.com (Yury Gribov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
Date: Fri, 20 Mar 2015 14:31:15 +0300 [thread overview]
Message-ID: <550C0503.3000207@samsung.com> (raw)
In-Reply-To: <1426849972-19606-1-git-send-email-a.ryabinin@samsung.com>
On 03/20/2015 02:12 PM, Andrey Ryabinin wrote:
> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
> split this is not so, because 2*TASK_SIZE overflows 32 bits,
> so the actual value of ELF_ET_DYN_BASE is:
> (2 * TASK_SIZE / 3) = 0x2a000000
AFAIK on most platforms (e.g. Intel) that's (TASK_SIZE / 3 * 2) so ARM
is kind of special here.
>
> When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
> On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
> as it fails to map shadow memory.
> Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
> has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
> even if ASLR enabled. This makes ASan with PIE absolutely incompatible.
>
> Fix overflow by dividing TASK_SIZE prior to multiplying.
> After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
> (TASK_SIZE / 3 * 2) = 0x7f555554
>
> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
Perhaps we should fix other platforms as well?
-Y
WARNING: multiple messages have this Message-ID (diff)
From: Yury Gribov <y.gribov@samsung.com>
To: Andrey Ryabinin <a.ryabinin@samsung.com>,
Russell King <linux@arm.linux.org.uk>
Cc: Kees Cook <keescook@chromium.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Maria Guseva <m.guseva@samsung.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
Date: Fri, 20 Mar 2015 14:31:15 +0300 [thread overview]
Message-ID: <550C0503.3000207@samsung.com> (raw)
In-Reply-To: <1426849972-19606-1-git-send-email-a.ryabinin@samsung.com>
On 03/20/2015 02:12 PM, Andrey Ryabinin wrote:
> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
> split this is not so, because 2*TASK_SIZE overflows 32 bits,
> so the actual value of ELF_ET_DYN_BASE is:
> (2 * TASK_SIZE / 3) = 0x2a000000
AFAIK on most platforms (e.g. Intel) that's (TASK_SIZE / 3 * 2) so ARM
is kind of special here.
>
> When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
> On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
> as it fails to map shadow memory.
> Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
> has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
> even if ASLR enabled. This makes ASan with PIE absolutely incompatible.
>
> Fix overflow by dividing TASK_SIZE prior to multiplying.
> After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
> (TASK_SIZE / 3 * 2) = 0x7f555554
>
> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
Perhaps we should fix other platforms as well?
-Y
next prev parent reply other threads:[~2015-03-20 11:31 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-20 11:12 [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE Andrey Ryabinin
2015-03-20 11:12 ` Andrey Ryabinin
2015-03-20 11:31 ` Yury Gribov [this message]
2015-03-20 11:31 ` Yury Gribov
2015-03-20 11:42 ` Andrey Ryabinin
2015-03-20 11:42 ` Andrey Ryabinin
2015-03-23 18:16 ` Kees Cook
2015-03-23 18:16 ` Kees Cook
2015-03-26 15:05 ` Russell King - ARM Linux
2015-03-26 15:05 ` Russell King - ARM Linux
2015-03-26 15:19 ` Andrey Ryabinin
2015-03-26 15:19 ` Andrey Ryabinin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=550C0503.3000207@samsung.com \
--to=y.gribov@samsung.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.