From mboxrd@z Thu Jan 1 00:00:00 1970
Message-id: <550C07AE.8030708@samsung.com>
Date: Fri, 20 Mar 2015 14:42:38 +0300
From: Andrey Ryabinin
To: Yury Gribov
Cc: Russell King, Kees Cook, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Maria Guseva, stable@vger.kernel.org
Subject: Re: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
References: <1426849972-19606-1-git-send-email-a.ryabinin@samsung.com> <550C0503.3000207@samsung.com>
In-reply-to: <550C0503.3000207@samsung.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/20/2015 02:31 PM, Yury Gribov wrote:
> On 03/20/2015 02:12 PM, Andrey Ryabinin wrote:
>> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
>> split this is not so, because 2*TASK_SIZE overflows 32 bits,
>> so the actual value of ELF_ET_DYN_BASE is:
>> (2 * TASK_SIZE / 3) = 0x2a000000
>
> AFAIK on most platforms (e.g. Intel) that's (TASK_SIZE / 3 * 2) so ARM is kind of special here.
>
>>
>> When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
>> On 32bit platforms AddressSanitizer uses addresses [0x20000000 - 0x40000000]
>> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR is disabled
>> as it fails to map shadow memory.
>> Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
>> have a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
>> even if ASLR is enabled. This makes ASan with PIE absolutely incompatible.
>>
>> Fix overflow by dividing TASK_SIZE prior to multiplying.
>> After this patch ELF_ET_DYN_BASE equals (for CONFIG_VMSPLIT_3G=y):
>> (TASK_SIZE / 3 * 2) = 0x7f555554
>>
>> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
>
> Perhaps we should fix other platforms as well?
>

Seems only avr32 and cris platforms have the same problem. All other 32bit platforms where ELF_ET_DYN_BASE = (2 * TASK_SIZE / 3) have TASK_SIZE < 2G, so there is no overflow.
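The overflow the quoted patch description talks about can be reproduced on any host by forcing the arithmetic to 32-bit width. The program below is an added example, not code from the patch or from the kernel: it evaluates both macro shapes, `(2 * TASK_SIZE / 3)` and `(TASK_SIZE / 3 * 2)`, in `uint32_t` arithmetic, checks whether the resulting PIE load base lands inside the ASan shadow range cited in the mail, and includes the generic "does doubling lose bits" test that explains the 2G threshold mentioned in the reply. The `TASK_SIZE` value 0xbf000000 is an assumption for the ARM CONFIG_VMSPLIT_3G case (the mail does not state it, but it is the value that yields both 0x2a000000 and 0x7f555554); the ASan shadow bounds are the ones quoted in the mail.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed user-space limit for a 32-bit ARM kernel with CONFIG_VMSPLIT_3G.
 * Anything above 0x7fffffff makes 2*TASK_SIZE exceed 32 bits. */
#define TASK_SIZE_32 UINT32_C(0xbf000000)

/* ASan's 32-bit shadow region as quoted in the mail: [0x20000000, 0x40000000). */
#define ASAN_SHADOW_LO UINT32_C(0x20000000)
#define ASAN_SHADOW_HI UINT32_C(0x40000000)

/* Original macro shape, (2 * TASK_SIZE / 3), evaluated the way a 32-bit
 * kernel evaluates it: the product wraps modulo 2^32 before the division.
 * With 0xbf000000 the product wraps to 0x7e000000 and the result is 0x2a000000. */
static uint32_t elf_et_dyn_base_overflowing(uint32_t task_size)
{
    uint32_t doubled = (uint32_t)(2u * task_size); /* wraps for task_size > 2G */
    return doubled / 3;
}

/* Fixed macro shape from the patch, (TASK_SIZE / 3 * 2): dividing first keeps
 * every intermediate value below task_size, so nothing can wrap. */
static uint32_t elf_et_dyn_base_fixed(uint32_t task_size)
{
    return task_size / 3 * 2;
}

/* Would a PIE loaded at this base overlap the ASan shadow mapping? */
static int collides_with_asan_shadow(uint32_t base)
{
    return base >= ASAN_SHADOW_LO && base < ASAN_SHADOW_HI;
}

/* The 2G threshold from the reply: 2*x fits in 32 bits iff x <= 0x7fffffff.
 * Platforms whose TASK_SIZE is below that can keep the (2 * x / 3) form. */
static int doubling_overflows_32(uint32_t task_size)
{
    return task_size > UINT32_MAX / 2;
}

int main(void)
{
    uint32_t bad  = elf_et_dyn_base_overflowing(TASK_SIZE_32);
    uint32_t good = elf_et_dyn_base_fixed(TASK_SIZE_32);

    printf("TASK_SIZE = 0x%08x, 2*TASK_SIZE overflows 32 bits: %d\n",
           TASK_SIZE_32, doubling_overflows_32(TASK_SIZE_32));
    printf("(2 * TASK_SIZE / 3) = 0x%08x, inside ASan shadow: %d\n",
           bad, collides_with_asan_shadow(bad));
    printf("(TASK_SIZE / 3 * 2) = 0x%08x, inside ASan shadow: %d\n",
           good, collides_with_asan_shadow(good));
    return 0;
}
```

The cast to `uint32_t` is what makes the example faithful on a 64-bit host, where `2 * TASK_SIZE` would otherwise be computed in 64-bit `unsigned long` and never wrap; the kernel macro has no such cast because on a 32-bit kernel `unsigned long` already is 32 bits wide.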