From patchwork Fri Jan 15 20:41:05 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 42996 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 5B4F8B7CC2 for ; Sat, 16 Jan 2010 07:41:20 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.69) (envelope-from ) id 1NVsyk-0002pM-FZ; Fri, 15 Jan 2010 20:41:10 +0000 Received: from smtp.outflux.net ([198.145.64.163]) by chlorine.canonical.com with esmtp (Exim 4.69) (envelope-from ) id 1NVsyh-0002pC-QF for kernel-team@lists.ubuntu.com; Fri, 15 Jan 2010 20:41:08 +0000 Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) by vinyl.outflux.net (8.14.3/8.14.3/Debian-9ubuntu1) with ESMTP id o0FKf6VF023566 for ; Fri, 15 Jan 2010 12:41:06 -0800 Date: Fri, 15 Jan 2010 12:41:05 -0800 From: Kees Cook To: kernel-team@lists.ubuntu.com Subject: [PATCH] UBUNTU: SAUCE: x86: brk away from exec rand area Message-ID: <20100115204105.GB5185@outflux.net> MIME-Version: 1.0 Content-Disposition: inline Organization: Ubuntu X-MIMEDefang-Filter: outflux$Revision: 1.316 $ X-HELO: www.outflux.net X-Scanned-By: MIMEDefang 2.67 on 10.2.0.1 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.9 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com This is a fix for the NX emulation patch to force the brk area well outside of the exec randomization area to avoid future allocation or brk growth collisions. Normally this isn't a problem, except when the text region has been loaded from a PIE binary and the CS limit can't be put just above bss. Additionally, the nx-emulation patch was still randomizing addresses even when randomize_va_space was disabled, which would cause collisions even faster if someone tried to disable randomization. BugLink: http://bugs.launchpad.net/bugs/452175 Signed-off-by: Kees Cook --- fs/binfmt_elf.c | 10 ++++++++++ mm/mmap.c | 11 ++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index b10acea..73594b9 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -978,6 +978,16 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) #ifdef arch_randomize_brk if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) current->mm->brk = current->mm->start_brk = +# ifdef CONFIG_X86_32 + /* in the case of NX emulation, shove the brk + segment way out of the way of the exec + randomization area, since it can collide with + future allocations if not. */ + ( (current->mm->get_unmapped_exec_area == + arch_get_unmapped_exec_area) && + (current->mm->brk < 0x08000000) + ? (TASK_SIZE/6) : 0) + +# endif arch_randomize_brk(current->mm); #endif diff --git a/mm/mmap.c b/mm/mmap.c index 814b95f..17ed65d 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1516,8 +1516,11 @@ arch_get_unmapped_exec_area(struct file *filp, unsigned long addr0, if (flags & MAP_FIXED) return addr; - if (!addr) - addr = randomize_range(SHLIB_BASE, 0x01000000, len); + if (!addr) { + addr = SHLIB_BASE; + if ((current->flags & PF_RANDOMIZE) && randomize_va_space) + addr = randomize_range(addr, 0x01000000, len); + } if (addr) { addr = PAGE_ALIGN(addr); @@ -1545,7 +1548,9 @@ arch_get_unmapped_exec_area(struct file *filp, unsigned long addr0, * Up until the brk area we randomize addresses * as much as possible: */ - if (addr >= 0x01000000) { + if ((current->flags & PF_RANDOMIZE) && + randomize_va_space && + addr >= 0x01000000) { tmp = randomize_range(0x01000000, PAGE_ALIGN(max(mm->start_brk, (unsigned long)0x08000000)), len);