| Message ID | 20170602152010.2064-4-riel@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, Jun 2, 2017 at 8:20 AM, <riel@redhat.com> wrote: > From: Rik van Riel <riel@redhat.com> > > When RLIMIT_STACK is, for example, 256MB, the current code results in > a gap between the top of the task and mmap_base of 256MB, failing to > take into account the amount by which the stack address was randomized. > In other words, the stack gets less than RLIMIT_STACK space. Is this entirely accurate? The top of the task would be task_size, but this code is using task_size / 6 * 5 as the bottom of stack / top of mmap gap_max. Is there a reason for this? > > Ensure that the gap between the stack and mmap_base always takes stack > randomization into account. > > From Daniel Micay's linux-hardened tree. > > Reported-by: Florian Weimer <fweimer@redhat.com> > Signed-off-by: Daniel Micay <danielmicay@gmail.com> > Signed-off-by: Rik van Riel <riel@redhat.com> > --- > arch/x86/mm/mmap.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c > index 19ad095b41df..8c7ba1adb27b 100644 > --- a/arch/x86/mm/mmap.c > +++ b/arch/x86/mm/mmap.c > @@ -95,13 +95,18 @@ unsigned long arch_mmap_rnd(void) > static unsigned long mmap_base(unsigned long rnd, unsigned long task_size) > { > unsigned long gap = rlimit(RLIMIT_STACK); > + unsigned long pad = stack_maxrandom_size(task_size); > unsigned long gap_min, gap_max; > > + /* Values close to RLIM_INFINITY can overflow. */ > + if (gap + pad > gap) > + gap += pad; > + > /* > * Top of mmap area (just below the process stack). > * Leave an at least ~128 MB hole with possible stack randomization. > */ > - gap_min = SIZE_128M + stack_maxrandom_size(task_size); > + gap_min = SIZE_128M; > gap_max = (task_size / 6) * 5; > > if (gap < gap_min) -Kees
On Fri, 2017-06-02 at 21:46 -0700, Kees Cook wrote: > On Fri, Jun 2, 2017 at 8:20 AM, <riel@redhat.com> wrote: > > From: Rik van Riel <riel@redhat.com> > > > > When RLIMIT_STACK is, for example, 256MB, the current code results > > in > > a gap between the top of the task and mmap_base of 256MB, failing to > > take into account the amount by which the stack address was > > randomized. > > In other words, the stack gets less than RLIMIT_STACK space. > > Is this entirely accurate? The top of the task would be task_size, but > this code is using task_size / 6 * 5 as the bottom of stack / top of > mmap gap_max. Is there a reason for this? MIN_GAP / MAX_GAP are only the boundaries that this gap is clamped to. If it's not smaller than MIN_GAP, MIN_GAP isn't used. If it's not larger than MAX_GAP, MAX_GAP isn't used. The stack randomization is currently only taken into account for MIN_GAP. This only fixes that bug by always taking it into account. It's not a subjective design change. The MAX_GAP value is 5/6 of the address space which is overly large but that's a separate bug.
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c index 19ad095b41df..8c7ba1adb27b 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -95,13 +95,18 @@ unsigned long arch_mmap_rnd(void) static unsigned long mmap_base(unsigned long rnd, unsigned long task_size) { unsigned long gap = rlimit(RLIMIT_STACK); + unsigned long pad = stack_maxrandom_size(task_size); unsigned long gap_min, gap_max; + /* Values close to RLIM_INFINITY can overflow. */ + if (gap + pad > gap) + gap += pad; + /* * Top of mmap area (just below the process stack). * Leave an at least ~128 MB hole with possible stack randomization. */ - gap_min = SIZE_128M + stack_maxrandom_size(task_size); + gap_min = SIZE_128M; gap_max = (task_size / 6) * 5; if (gap < gap_min)