Message-id: <5514236D.50808@samsung.com>
Date: Thu, 26 Mar 2015 18:19:09 +0300
From: Andrey Ryabinin
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
To: Russell King - ARM Linux
Cc: Kees Cook, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Maria Guseva, Yury Gribov, stable@vger.kernel.org
Subject: Re: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
References: <1426849972-19606-1-git-send-email-a.ryabinin@samsung.com> <20150326150558.GK8656@n2100.arm.linux.org.uk>
In-reply-to: <20150326150558.GK8656@n2100.arm.linux.org.uk>
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/26/2015 06:05 PM, Russell King - ARM Linux wrote:
> On Fri, Mar 20, 2015 at 02:12:52PM +0300, Andrey Ryabinin wrote:
>> Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With the 3G/1G user/kernel
>> split this is not so, because 2*TASK_SIZE overflows 32 bits,
>> so the actual value of ELF_ET_DYN_BASE is:
>> (2 * TASK_SIZE / 3) = 0x2a000000
>>
>> When ASLR is disabled, PIE binaries will load at the ELF_ET_DYN_BASE address.
>> On 32-bit platforms AddressSanitizer uses addresses [0x20000000 - 0x40000000]
>> for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR is disabled,
>> as it fails to map shadow memory.
>> Also, after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset, PIE binaries
>> have a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
>> even if ASLR is enabled. This makes ASan with PIE absolutely incompatible.
>>
>> Fix the overflow by dividing TASK_SIZE prior to multiplying.
>> After this patch ELF_ET_DYN_BASE equals (for CONFIG_VMSPLIT_3G=y):
>> (TASK_SIZE / 3 * 2) = 0x7f555554
>>
>> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
>>
>> Signed-off-by: Andrey Ryabinin
>> Reported-by: Maria Guseva
>> Cc: stable@vger.kernel.org
>
> Who's handling this patch? I'm guessing it should be me, so if it could
> find its way into my patch system for when I next apply a bunch of patches,
> that'd be good.
>

It's already there. Patch number: 8320/1.
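The arithmetic the patch description is about, reproduced as an added example (user-space C written for this page, not the arm tree's own macro). It evaluates the pre-fix expression `2 * TASK_SIZE / 3` and the patched `TASK_SIZE / 3 * 2` in 32-bit unsigned arithmetic, the way a 32-bit kernel would, and checks the result against the ASan 32-bit shadow range the message cites. The value of TASK_SIZE is an assumption: 0xBF000000 is taken as the CONFIG_VMSPLIT_3G value because it reproduces both numbers quoted in the patch (0x2a000000 and 0x7f555554); 0x7F000000 is likewise assumed for a 2G/2G split, where the multiplication does not overflow and the two forms agree.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * ELF_ET_DYN_BASE as computed before the fix: the multiplication happens
 * first, so for TASK_SIZE >= 0x80000000 the product 2*TASK_SIZE no longer
 * fits in 32 bits and is silently truncated before the division.
 */
static uint32_t et_dyn_base_overflowing(uint32_t task_size)
{
	uint32_t doubled = (uint32_t)(2u * task_size); /* wraps modulo 2^32 */
	return doubled / 3u;
}

/* The patched form: divide first, so no intermediate exceeds TASK_SIZE. */
static uint32_t et_dyn_base_fixed(uint32_t task_size)
{
	return task_size / 3u * 2u;
}

/*
 * Reference value computed in 64 bits. Dividing first loses at most one
 * unit of rounding relative to this; the overflowing form is off by a
 * large fraction of the address space.
 */
static uint32_t et_dyn_base_wide(uint32_t task_size)
{
	return (uint32_t)((2ull * (uint64_t)task_size) / 3ull);
}

/* ASan's 32-bit shadow region, as quoted in the patch description. */
#define ASAN_SHADOW_LO 0x20000000u
#define ASAN_SHADOW_HI 0x40000000u

/* Does a PIE loaded at `base` land inside the shadow region ASan must map? */
static int lands_in_asan_shadow(uint32_t base)
{
	return base >= ASAN_SHADOW_LO && base < ASAN_SHADOW_HI;
}

int main(void)
{
	/* Assumed TASK_SIZE values for the 3G/1G and 2G/2G user/kernel splits. */
	const uint32_t splits[] = { 0xBF000000u, 0x7F000000u };
	const char *names[] = { "VMSPLIT_3G", "VMSPLIT_2G" };

	for (unsigned i = 0; i < sizeof(splits) / sizeof(splits[0]); i++) {
		uint32_t ts = splits[i];
		uint32_t bad = et_dyn_base_overflowing(ts);
		uint32_t good = et_dyn_base_fixed(ts);

		printf("%s: TASK_SIZE=0x%08x\n", names[i], ts);
		printf("  2*TASK_SIZE/3  = 0x%08x  (%s)\n", bad,
		       lands_in_asan_shadow(bad) ? "inside ASan shadow"
						 : "clear of ASan shadow");
		printf("  TASK_SIZE/3*2  = 0x%08x  (%s)\n", good,
		       lands_in_asan_shadow(good) ? "inside ASan shadow"
						  : "clear of ASan shadow");
		printf("  64-bit 2/3     = 0x%08x\n", et_dyn_base_wide(ts));
	}
	return 0;
}
```

The 3G case is the one the patch fixes: 2 * 0xBF000000 is 0x17E000000, which truncates to 0x7E000000 and divides to 0x2A000000, squarely inside the shadow region, whereas dividing first yields 0x7F555554. For the 2G split neither form overflows and both give the same base, which is why the bug only shows up with CONFIG_VMSPLIT_3G.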