From: Yury Gribov
Date: Fri, 20 Mar 2015 14:31:15 +0300
To: Andrey Ryabinin, Russell King
Cc: Kees Cook, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Maria Guseva, stable@vger.kernel.org
Subject: Re: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE

On 03/20/2015 02:12 PM, Andrey Ryabinin wrote:
> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
> split this is not so, because 2*TASK_SIZE overflows 32 bits,
> so the actual value of ELF_ET_DYN_BASE is:
> (2 * TASK_SIZE / 3) = 0x2a000000

AFAIK on most platforms (e.g. Intel) that's (TASK_SIZE / 3 * 2), so ARM is kind of special here.

>
> When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
> On 32bit platforms AddressSanitizer uses addresses [0x20000000 - 0x40000000]
> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR is disabled
> as it fails to map shadow memory.
> Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
> have a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
> even if ASLR is enabled. This makes ASan with PIE absolutely incompatible.
>
> Fix overflow by dividing TASK_SIZE prior to multiplying.
> After this patch ELF_ET_DYN_BASE equals (for CONFIG_VMSPLIT_3G=y):
> (TASK_SIZE / 3 * 2) = 0x7f555554
>
> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping

Perhaps we should fix other platforms as well?

-Y
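As an added illustration that is not part of the thread (neither Andrey's patch nor kernel code), the C below evaluates the old and the fixed ELF_ET_DYN_BASE expressions in 32-bit unsigned arithmetic and checks whether each result lands in the ASan shadow range quoted above. The TASK_SIZE value 0xbf000000 is an assumption for a 32-bit ARM kernel with CONFIG_VMSPLIT_3G=y; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed TASK_SIZE for 32-bit ARM with CONFIG_VMSPLIT_3G=y
 * (PAGE_OFFSET 0xc0000000 minus the 16 MiB gap below it). */
#define TASK_SIZE_3G 0xbf000000u

/* ASan's 32-bit shadow range, as cited in the quoted message. */
#define ASAN_SHADOW_LO 0x20000000u
#define ASAN_SHADOW_HI 0x40000000u

/* Old macro shape: 2 * TASK_SIZE is formed in 32-bit unsigned arithmetic,
 * so the product wraps modulo 2^32 before the division happens. */
uint32_t et_dyn_base_old(uint32_t task_size)
{
    return 2u * task_size / 3u;
}

/* Fixed macro shape: divide first; the intermediate never exceeds task_size. */
uint32_t et_dyn_base_fixed(uint32_t task_size)
{
    return task_size / 3u * 2u;
}

/* Reference value computed without truncation, to compare against. */
uint32_t et_dyn_base_wide(uint32_t task_size)
{
    return (uint32_t)(2ull * task_size / 3ull);
}

/* 1 if a load base lands inside the ASan shadow region, where ASan
 * cannot map its shadow and a PIE binary fails to run under it. */
int in_asan_shadow(uint32_t base)
{
    return base >= ASAN_SHADOW_LO && base < ASAN_SHADOW_HI;
}

int main(void)
{
    uint32_t old = et_dyn_base_old(TASK_SIZE_3G);
    uint32_t fix = et_dyn_base_fixed(TASK_SIZE_3G);

    printf("old   : 0x%08x (in ASan shadow: %d)\n", old, in_asan_shadow(old));
    printf("fixed : 0x%08x (in ASan shadow: %d)\n", fix, in_asan_shadow(fix));
    printf("64-bit: 0x%08x\n", et_dyn_base_wide(TASK_SIZE_3G));
    return 0;
}
```

The fixed form differs from the untruncated 2/3 value only by the rounding of the integer division, while the old form collapses to 0x2a000000 because 2 * 0xbf000000 wraps to 0x7e000000.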