From: Daniel Cashman <dcashman@android.com>
To: Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Russell King - ARM Linux <linux@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>, Arnd Bergmann <arnd@arndb.de>,
Greg KH <gregkh@linuxfoundation.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ralf Baechle <ralf@linux-mips.org>,
"benh@kernel.crashing.org" <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"David S. Miller" <davem@davemloft.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Nick Kralevich <nnk@google.com>,
Jeffrey Vander Stoep <jeffv@google.com>,
Mark Salyzyn <salyzyn@android.com>
Subject: Re: [PATCH 0/2] Fix mmap_base entropy for >31 bits.
Date: Wed, 24 Feb 2016 12:40:41 -0800 [thread overview]
Message-ID: <56CE1549.1060505@android.com> (raw)
In-Reply-To: <CAGXu5jJoLFjLqSByvegGNRGno+LMZhOikGiktywUw4tLHN6HiQ@mail.gmail.com>
On 02/04/2016 02:29 PM, Kees Cook wrote:
> On Thu, Feb 4, 2016 at 2:06 PM, Daniel Cashman <dcashman@android.com> wrote:
>> Upstream commit: d07e22597d1d355829b7b18ac19afa912cf758d1 added the
>> ability to choose from a range of values to use for entropy count in
>> generating the random offset to the mmap_base address. The
>> maximum value on this range was set to 32 bits for 64-bit x86 systems,
>> but this value could be increased further, requiring more than the 32
>> bits of randomness provided by get_random_int(), as is already possible
>> for arm64. Add a new function: get_random_long() which more naturally
>> fits with the mmap usage of get_random_int() but operates exactly the
>> same as get_random_int().
>>
>> Also, fix the shifting constant in mmap_rnd() to be an unsigned long so
>> that values greater than 31 bits generate an appropriate mask without
>> overflow. This is especially important on x86, as its shift instruction
>> uses a 5-bit mask for the shift operand, which meant that any value for
>> mmap_rnd_bits over 31 acts as a no-op and effectively disables mmap_base
>> randomization.
>>
>> Finally, replace calls to get_random_int() with get_random_long() where
>> appropriate.
>>
>> Daniel Cashman (2):
>> drivers: char: random: Add get_random_long().
>> use get_random_long().
>>
>> arch/arm/mm/mmap.c | 2 +-
>> arch/arm64/mm/mmap.c | 4 ++--
>> arch/mips/mm/mmap.c | 4 ++--
>> arch/powerpc/kernel/process.c | 4 ++--
>> arch/powerpc/mm/mmap.c | 4 ++--
>> arch/sparc/kernel/sys_sparc_64.c | 2 +-
>> arch/x86/mm/mmap.c | 6 +++---
>> drivers/char/random.c | 22 ++++++++++++++++++++++
>> fs/binfmt_elf.c | 2 +-
>> include/linux/random.h | 1 +
>> 10 files changed, 37 insertions(+), 14 deletions(-)
>
> Thanks for fixing this!
>
> Acked-by: Kees Cook <keescook@chromium.org>
>
> -Kees
>
This has now been in linux-next for awhile. Could we please submit this
for the 4.5 rc window so that it fixes the issue in the final 4.5
release? Sorry if this is a protocol breach, but I'm not sure what the
best way is for me to indicate that this is a "fix" that should go out
in the same release as the original feature.
Thank You,
Dan
next prev parent reply other threads:[~2016-02-24 20:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-04 22:06 [PATCH 0/2] Fix mmap_base entropy for >31 bits Daniel Cashman
2016-02-04 22:06 ` [PATCH 1/2] drivers: char: random: Add get_random_long() Daniel Cashman
2016-02-04 22:06 ` [PATCH 2/2] use get_random_long() Daniel Cashman
2016-02-04 22:38 ` Kees Cook
2016-02-04 22:29 ` [PATCH 0/2] Fix mmap_base entropy for >31 bits Kees Cook
2016-02-24 20:40 ` Daniel Cashman [this message]
2016-02-24 21:50 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56CE1549.1060505@android.com \
--to=dcashman@android.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=benh@kernel.crashing.org \
--cc=catalin.marinas@arm.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jeffv@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@arm.linux.org.uk \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=nnk@google.com \
--cc=paulus@samba.org \
--cc=ralf@linux-mips.org \
--cc=salyzyn@android.com \
--cc=tglx@linutronix.de \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.