[PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE

All of lore.kernel.org
 help / color / mirror / Atom feed

From: a.ryabinin@samsung.com (Andrey Ryabinin)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
Date: Thu, 26 Mar 2015 18:19:09 +0300	[thread overview]
Message-ID: <5514236D.50808@samsung.com> (raw)
In-Reply-To: <20150326150558.GK8656@n2100.arm.linux.org.uk>

On 03/26/2015 06:05 PM, Russell King - ARM Linux wrote:
> On Fri, Mar 20, 2015 at 02:12:52PM +0300, Andrey Ryabinin wrote:
>> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
>> split this is not so, because 2*TASK_SIZE overflows 32 bits,
>> so the actual value of ELF_ET_DYN_BASE is:
>> 	(2 * TASK_SIZE / 3) = 0x2a000000
>>
>> When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
>> On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
>> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
>> as it fails to map shadow memory.
>> Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
>> has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
>> even if ASLR enabled. This makes ASan with PIE absolutely incompatible.
>>
>> Fix overflow by dividing TASK_SIZE prior to multiplying.
>> After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
>> 	(TASK_SIZE / 3 * 2) = 0x7f555554
>>
>> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
>>
>> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
>> Reported-by: Maria Guseva <m.guseva@samsung.com>
>> Cc: stable at vger.kernel.org
> 
> Who's handling this patch?  I'm guessing it should be me, so if it could
> find its way into my patch system for when I next apply a bunch of patches,
> that'd be good.
> 

It's already there. Patch number - 8320/1.

WARNING: multiple messages have this Message-ID (diff)

From: Andrey Ryabinin <a.ryabinin@samsung.com>
To: Russell King - ARM Linux <linux@arm.linux.org.uk>
Cc: Kees Cook <keescook@chromium.org>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, Maria Guseva <m.guseva@samsung.com>,
	Yury Gribov <y.gribov@samsung.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
Date: Thu, 26 Mar 2015 18:19:09 +0300	[thread overview]
Message-ID: <5514236D.50808@samsung.com> (raw)
In-Reply-To: <20150326150558.GK8656@n2100.arm.linux.org.uk>

On 03/26/2015 06:05 PM, Russell King - ARM Linux wrote:
> On Fri, Mar 20, 2015 at 02:12:52PM +0300, Andrey Ryabinin wrote:
>> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
>> split this is not so, because 2*TASK_SIZE overflows 32 bits,
>> so the actual value of ELF_ET_DYN_BASE is:
>> 	(2 * TASK_SIZE / 3) = 0x2a000000
>>
>> When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
>> On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
>> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
>> as it fails to map shadow memory.
>> Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
>> has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
>> even if ASLR enabled. This makes ASan with PIE absolutely incompatible.
>>
>> Fix overflow by dividing TASK_SIZE prior to multiplying.
>> After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
>> 	(TASK_SIZE / 3 * 2) = 0x7f555554
>>
>> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
>>
>> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
>> Reported-by: Maria Guseva <m.guseva@samsung.com>
>> Cc: stable@vger.kernel.org
> 
> Who's handling this patch?  I'm guessing it should be me, so if it could
> find its way into my patch system for when I next apply a bunch of patches,
> that'd be good.
> 

It's already there. Patch number - 8320/1.

next prev parent reply	other threads:[~2015-03-26 15:19 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-20 11:12 [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE Andrey Ryabinin
2015-03-20 11:12 ` Andrey Ryabinin
2015-03-20 11:31 ` Yury Gribov
2015-03-20 11:31   ` Yury Gribov
2015-03-20 11:42   ` Andrey Ryabinin
2015-03-20 11:42     ` Andrey Ryabinin
2015-03-23 18:16 ` Kees Cook
2015-03-23 18:16   ` Kees Cook
2015-03-26 15:05 ` Russell King - ARM Linux
2015-03-26 15:05   ` Russell King - ARM Linux
2015-03-26 15:19   ` Andrey Ryabinin [this message]
2015-03-26 15:19     ` Andrey Ryabinin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5514236D.50808@samsung.com \
    --to=a.ryabinin@samsung.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.