From: Greg KH <gregkh@suse.de>
From: gregkh@mini.kroah.org
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Michal Hocko <mhocko@suse.cz>, Jiri Kosina <jkosina@suse.cz>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Chuck Ebbert <cebbert@redhat.com>
Subject: [5/8] x86: Increase MIN_GAP to include randomized stack
Date: Fri, 09 Oct 2009 16:21:28 -0700
Message-ID: <20091009232234.069019937@mini.kroah.org>
In-Reply-To: <20091009232300.GA403@kroah.com>

[-- Attachment #1: x86-increase-min_gap-to-include-randomized-stack.patch --]
[-- Type: text/plain, Size: 2076 bytes --]

From: Michal Hocko <mhocko@suse.cz>

[ trivial backport to 2.6.27: Chuck Ebbert <cebbert@redhat.com> ]

commit 80938332d8cf652f6b16e0788cf0ca136befe0b5 upstream.

Currently we are not including the randomized stack size when calculating
the mmap_base address in arch_pick_mmap_layout for the topdown case. This might
cause mmap_base to start in the stack reserved area because the stack is
randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB.

If the stack really grows down to mmap_base then we can get silent mmap
region overwrite by the stack values.

Let's include the maximum stack randomization size in MIN_GAP, which is
used as the low bound for the gap in mmap.

Signed-off-by: Michal Hocko <mhocko@suse.cz>
LKML-Reference: <1252400515-6866-1-git-send-email-mhocko@suse.cz>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


---
 arch/x86/mm/mmap.c    |   17 +++++++++++++++--
 include/asm-x86/elf.h |    2 ++
 2 files changed, 17 insertions(+), 2 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -29,13 +29,26 @@
 #include <linux/random.h>
 #include <linux/limits.h>
 #include <linux/sched.h>
+#include <asm/elf.h>
+
+static unsigned int stack_maxrandom_size(void)
+{
+	unsigned int max = 0;
+	if ((current->flags & PF_RANDOMIZE) &&
+		!(current->personality & ADDR_NO_RANDOMIZE)) {
+		max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
+	}
+
+	return max;
+}
+
 
 /*
  * Top of mmap area (just below the process stack).
  *
- * Leave an at least ~128 MB hole.
+ * Leave an at least ~128 MB hole with possible stack randomization.
  */
-#define MIN_GAP (128*1024*1024)
+#define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
 #define MAX_GAP (TASK_SIZE/6*5)
 
 /*
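Review bot: stack_maxrandom_size() computes `((-1U) & STACK_RND_MASK) << PAGE_SHIFT` in unsigned int and returns unsigned int, while the MIN_GAP it feeds is evaluated in unsigned long (`128*1024*1024UL + stack_maxrandom_size()`); the 0x7ff mask from the elf.h hunk fits, but any STACK_RND_MASK wider than 32 - PAGE_SHIFT bits overflows the shift and silently shrinks the gap, so `max` and the return type should be unsigned long. A second point: MIN_GAP is only the lower bound of the gap, so once RLIMIT_STACK exceeds the 128 MB base the randomized stack can still grow below mmap_base (the bound then covers rlimit or 128 MB plus randomization, never rlimit plus randomization); adding stack_maxrandom_size() to the gap itself rather than to its bound would cover that case as well.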
--- a/include/asm-x86/elf.h
+++ b/include/asm-x86/elf.h
@@ -287,6 +287,8 @@ do {									\
 
 #ifdef CONFIG_X86_32
 
+#define STACK_RND_MASK (0x7ff)
+
 #define VDSO_HIGH_BASE		(__fix_to_virt(FIX_VDSO))
 
 #define ARCH_DLINFO		ARCH_DLINFO_IA32(vdso_enabled)
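Review bot: STACK_RND_MASK is added here only inside the CONFIG_X86_32 block, yet the mmap.c hunk uses it unconditionally in stack_maxrandom_size(), so the 64-bit build depends on a definition elsewhere in elf.h that this backport does not show; confirm the 2.6.27 tree already has one and that its value shifted by PAGE_SHIFT matches the 1 GB figure in the commit message (0x7ff pages is the 8 MB quoted for 32-bit).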

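To make the layout argument in the commit message concrete, here is an added C model of the top-down mmap_base computation; it is not code from the patch or from the kernel tree. The 128 MB gap and the 1 GB (64-bit) / 8 MB (32-bit) stack randomization figures are taken from the commit message; TASK_SIZE, the clamp-then-subtract shape of mmap_base(), and the names stack_floor and stack_can_reach_mmap are assumptions of the example. It goes beyond the commit message in one respect: it also checks a raised stack rlimit, where adding the randomization only to the lower bound of the gap does not keep the fully grown stack out of the mmap area.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the top-down mmap layout, not code from the patch or the
 * kernel tree. The 128 MB gap and the 1 GB / 8 MB randomization figures come
 * from the commit message; TASK_SIZE and the shape of mmap_base() are
 * assumptions made for this example. */

#define PAGE_SIZE     4096UL
#define MB            (1024UL * 1024UL)
#define GB            (1024UL * MB)
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

/* Assumed x86-64 style top of the user address space. */
#define TASK_SIZE     ((1UL << 47) - PAGE_SIZE)
#define MAX_GAP       (TASK_SIZE / 6 * 5)

struct layout {
    unsigned long stack_rlimit;   /* RLIMIT_STACK soft limit */
    unsigned long max_stack_rnd;  /* largest stack randomization the arch allows */
    unsigned long stack_rnd;      /* randomization actually applied to this process */
    unsigned long mmap_rnd;       /* randomization applied to mmap_base */
};

/* MIN_GAP before the patch: a fixed 128 MB. */
static unsigned long min_gap_old(const struct layout *l)
{
    (void)l;
    return 128 * MB;
}

/* MIN_GAP after the patch: 128 MB plus the largest possible stack randomization. */
static unsigned long min_gap_new(const struct layout *l)
{
    return 128 * MB + l->max_stack_rnd;
}

/* Model of the top-down mmap_base(): clamp the stack rlimit between MIN_GAP and
 * MAX_GAP, then place mmap_base that far (plus mmap randomization) below the top. */
static unsigned long mmap_base(const struct layout *l, unsigned long min_gap)
{
    unsigned long gap = l->stack_rlimit;

    if (gap < min_gap)
        gap = min_gap;
    else if (gap > MAX_GAP)
        gap = MAX_GAP;
    return PAGE_ALIGN(TASK_SIZE - gap - l->mmap_rnd);
}

/* Lowest address the stack can reach once randomized and fully grown. */
static unsigned long stack_floor(const struct layout *l)
{
    return TASK_SIZE - l->stack_rnd - l->stack_rlimit;
}

/* The failure mode in the commit message: the grown stack reaching into the
 * mmap area, where it would silently overwrite mappings. */
static bool stack_can_reach_mmap(const struct layout *l, bool patched)
{
    unsigned long min_gap = patched ? min_gap_new(l) : min_gap_old(l);
    return stack_floor(l) < mmap_base(l, min_gap);
}

/* Worst case for one process: maximal stack randomization, no mmap randomization. */
static bool worst_case_overlaps(unsigned long rlimit_mb, unsigned long max_rnd_mb,
                                bool patched)
{
    struct layout l = { rlimit_mb * MB, max_rnd_mb * MB, max_rnd_mb * MB, 0 };
    return stack_can_reach_mmap(&l, patched);
}

int main(void)
{
    /* Constructed scenarios: the default 8 MB stack limit with the 1 GB (64-bit)
     * and 8 MB (32-bit) randomization figures, then a raised 256 MB stack limit. */
    const unsigned long cases[][2] = { { 8, 1024 }, { 8, 8 }, { 256, 1024 } };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("rlimit=%4luMB max_rnd=%5luMB  old MIN_GAP: %-7s  new MIN_GAP: %s\n",
               cases[i][0], cases[i][1],
               worst_case_overlaps(cases[i][0], cases[i][1], false) ? "overlap" : "ok",
               worst_case_overlaps(cases[i][0], cases[i][1], true) ? "overlap" : "ok");
    }
    return 0;
}
```

With the default 8 MB stack limit the old 128 MB gap is exceeded by the 1 GB randomization and the stack can reach mmap_base, while the patched MIN_GAP keeps them apart; the 8 MB (32-bit) figure never exceeded the gap. The 256 MB case shows why a reviewer might ask for the randomization to be added to the gap itself: with the stack limit above 128 MB, the enlarged lower bound still leaves the grown stack 128 MB below mmap_base.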