From patchwork Thu Sep 7 13:51:38 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 811044
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [Xenial SRU][PATCH 1/1] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
Date: Thu, 7 Sep 2017 15:51:38 +0200
Message-Id: <20170907135138.2199-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20170907135138.2199-1-kleber.souza@canonical.com>
References: <20170907135138.2199-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Kees Cook

BugLink: http://bugs.launchpad.net/bugs/1715636

Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000 broke AddressSanitizer. This is a partial revert of:

  eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
  02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")

The AddressSanitizer tool has hard-coded expectations about where executable mappings are loaded.

The motivation for changing the PIE base in the above commits was to avoid the Stack-Clash CVEs that allowed executable mappings to get too close to heap and stack. This was mainly a problem on 32-bit, but the 64-bit bases were moved too, in an effort to proactively protect those systems (proofs of concept do exist that show 64-bit collisions, but other recent changes to fix stack accounting and setuid behaviors will minimize the impact).

The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC base), so only the 64-bit PIE base needs to be reverted to let x86 and arm64 ASan binaries run again. Future changes to the 64-bit PIE base on these architectures can be made optional once a more dynamic method for dealing with AddressSanitizer is found. (e.g. always loading PIE into the mmap region for marked binaries.)

Link: http://lkml.kernel.org/r/20170807201542.GA21271@beast
Fixes: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
Fixes: 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
Signed-off-by: Kees Cook
Reported-by: Kostya Serebryany
Acked-by: Will Deacon
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: Thomas Gleixner
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
(cherry picked from commit c715b72c1ba406f133217b509044c38d8e714a37)
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Colin Ian King
Acked-by: Stefan Bader
---
 arch/arm64/include/asm/elf.h | 4 ++--
 arch/x86/include/asm/elf.h   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 9e11dbe1cec3..329c127e13dc 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -121,10 +121,10 @@ typedef struct user_fpsimd_state elf_fpregset_t; /* * This is the base location for PIE (ET_DYN with INTERP) loads. On - * 64-bit, this is raised to 4GB to leave the entire 32-bit address + * 64-bit, this is above 4GB to leave the entire 32-bit address * space open for things that want to use the area for 32-bit pointers. */ -#define ELF_ET_DYN_BASE 0x100000000UL +#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3) /* * When the program starts, a1 contains a pointer to a function to be diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 07cf288b692e..bcd3d6199464 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -247,11 +247,11 @@ extern int force_personality32; /* * This is the base location for PIE (ET_DYN with INTERP) loads. On - * 64-bit, this is raised to 4GB to leave the entire 32-bit address + * 64-bit, this is above 4GB to leave the entire 32-bit address * space open for things that want to use the area for 32-bit pointers. */ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ - 0x100000000UL) + (TASK_SIZE / 3 * 2)) /* This yields a mask that user programs can use to figure out what instruction set this CPU supports. This could be done in user space,
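Review bot: in the arm64 hunk the updated comment only says the base is "above 4GB", while the define now evaluates to two-thirds of TASK_SIZE_64; please have the comment state that the base is derived from the task size (e.g. "two-thirds of TASK_SIZE_64, so well above 4GB") so readers do not take it for a fixed constant, and note that `(2 * TASK_SIZE_64 / 3)` is written in a different operand order from the x86 `(TASK_SIZE / 3 * 2)` in the next hunk, which a reader comparing the two architectures will otherwise wonder about. Only the 64-bit define is touched here, which is consistent with the commit message's point that the 32-bit base is fine for ASan and stays as it is.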
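Review bot: in the x86 hunk the comment block above ELF_ET_DYN_BASE describes only the 64-bit case, yet the define keeps the `mmap_is_ia32() ? 0x000400000UL :` branch; a short addition saying that 32-bit tasks stay at the 4MB base (the value the commit message calls fine for ASan) would make the comment match the macro. Also, `(TASK_SIZE / 3 * 2)` is not page-aligned for a TASK_SIZE that is not a multiple of 3, so if the ELF loader is being relied on to page-align the resulting load bias, a one-line comment saying so would save the next reader from checking.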
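As an added defender's check (my own example, not code from this patch or the kernel), the block below parses text in /proc/<pid>/maps format and reports which of the two 64-bit PIE base layouts named in the commit message an executable was loaded under; `find_exe_base`, `classify_pie_base`, the x86_64 TASK_SIZE constant and the 1 TiB randomisation window are assumptions of this example.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical checker (not kernel code): from /proc/<pid>/maps text, tell which
 * 64-bit ELF_ET_DYN_BASE regime a PIE executable was loaded under. */
#define PIE_BASE_4GB     0x100000000ULL     /* base set by eab09532d400 / 02445990a96e */
#define X86_64_TASK_SIZE 0x7ffffffff000ULL  /* TASK_SIZE for a 47-bit x86_64 task */
#define RND_WINDOW       (1ULL << 40)       /* assumption: ASLR offset stays below 1 TiB */

enum pie_regime { PIE_UNKNOWN = 0, PIE_NEAR_4GB = 1, PIE_NEAR_TWO_THIRDS = 2 };

/* Start of the first mapping of `path` at file offset 0 (the ELF header), or 0. */
uint64_t find_exe_base(const char *maps, const char *path) {
    const char *line = maps;
    while (line && *line) {
        uint64_t start, end, off; unsigned long ino;
        char perms[8], dev[16], file[256] = "";
        int n = sscanf(line, "%" SCNx64 "-%" SCNx64 " %7s %" SCNx64 " %15s %lu %255s",
                       &start, &end, perms, &off, dev, &ino, file);
        if (n == 7 && off == 0 && strcmp(file, path) == 0)
            return start;
        if ((line = strchr(line, '\n')) != NULL)
            line++;                              /* advance to the next maps line */
    }
    return 0;
}

/* Uses the patch's TASK_SIZE / 3 * 2 (arm64's 2 * TASK_SIZE_64 / 3 differs by at most one
 * byte before page alignment) and tests which randomisation window `base` falls in. */
enum pie_regime classify_pie_base(uint64_t base, uint64_t task_size) {
    uint64_t two_thirds = (task_size / 3 * 2) & ~0xfffULL;   /* 0x555555554000 on x86_64 */
    uint64_t low_end = PIE_BASE_4GB + RND_WINDOW;
    if (low_end > two_thirds)
        low_end = two_thirds;                    /* windows must not overlap (arm64, 39-bit VA) */
    if (base >= two_thirds && base < two_thirds + RND_WINDOW)
        return PIE_NEAR_TWO_THIRDS;              /* layout restored by this revert */
    if (base >= PIE_BASE_4GB && base < low_end)
        return PIE_NEAR_4GB;                     /* layout that broke AddressSanitizer */
    return PIE_UNKNOWN;                          /* ET_EXEC, not found, or other layout */
}

/* Constructed sample maps (not captured from a real system), one per regime. */
static const char MAPS_4GB[] =
    "100000000-100001000 r-xp 00000000 08:01 1234 /opt/asan/app\n"
    "100200000-100201000 r--p 00001000 08:01 1234 /opt/asan/app\n";
static const char MAPS_TWO_THIRDS[] =
    "555555554000-555555555000 r-xp 00000000 08:01 1234 /opt/asan/app\n"
    "7f2e3b000000-7f2e3b1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.23.so\n";
```

Feeding it the contents of /proc/self/maps together with the path from /proc/self/exe tells you which regime the running kernel placed your PIE binary in.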