From patchwork Fri Mar 20 11:12:52 2015
X-Patchwork-Submitter: Andrey Ryabinin
X-Patchwork-Id: 6055661
From: Andrey Ryabinin
To: Russell King
Subject: [PATCH] arm: fix integer overflow in ELF_ET_DYN_BASE
Date: Fri, 20 Mar 2015 14:12:52 +0300
Message-id: <1426849972-19606-1-git-send-email-a.ryabinin@samsung.com>
X-Mailer: git-send-email 2.3.3
Cc: Kees Cook, Andrey Ryabinin, Yury Gribov, stable@vger.kernel.org, linux-kernel@vger.kernel.org, Maria Guseva, linux-arm-kernel@lists.infradead.org

Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE.

With a 3G/1G user/kernel split this is not so, because 2*TASK_SIZE overflows 32 bits, so the actual value of ELF_ET_DYN_BASE is:

	(2 * TASK_SIZE / 3) = 0x2a000000

When ASLR is disabled, PIE binaries will load at the ELF_ET_DYN_BASE address. On 32-bit platforms AddressSanitizer uses addresses [0x20000000 - 0x40000000] for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR is disabled, as it fails to map shadow memory.

Also, after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset, PIE binaries have a high chance of loading somewhere in between [0x2a000000 - 0x40000000] even if ASLR is enabled. This makes ASan with PIE absolutely incompatible.

Fix the overflow by dividing TASK_SIZE prior to multiplying. After this patch ELF_ET_DYN_BASE equals (for CONFIG_VMSPLIT_3G=y):

	(TASK_SIZE / 3 * 2) = 0x7f555554

[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping

Signed-off-by: Andrey Ryabinin
Reported-by: Maria Guseva
Cc: stable@vger.kernel.org
Acked-by: Kees Cook
---
 arch/arm/include/asm/elf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
index c1ff8ab..1984a92 100644
--- a/arch/arm/include/asm/elf.h
+++ b/arch/arm/include/asm/elf.h
@@ -115,7 +115,7 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs); the loader. We need to make sure that it is out of the way of the program that it will "exec", and that there is sufficient room for the brk. */ -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) /* When the program starts, a1 contains a pointer to a function to be registered with atexit, as per the SVR4 ABI. A value of 0 means we
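Review bot: the new `#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)` in the elf.h hunk carries no comment explaining why the operations are ordered this way; the existing comment above it only talks about keeping the loader out of the program's way and leaving room for the brk. Someone reading `TASK_SIZE / 3 * 2` later will be tempted to "simplify" it back to `2 * TASK_SIZE / 3`, reintroducing the 32-bit wrap described in the commit message. Suggest a one-line comment on the define, e.g. "/* Divide first: 2 * TASK_SIZE overflows 32 bits with a 3G/1G split. */", so the ordering is documented in the header and not only in git history.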
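The arithmetic the commit message describes, as an added example (not code from the patch or the kernel tree): the old and new forms of the macro are evaluated in 32-bit unsigned arithmetic as they would be on ARM, and the result is checked against AddressSanitizer's 32-bit shadow window. The TASK_SIZE value 0xBF000000 for CONFIG_VMSPLIT_3G (PAGE_OFFSET 0xC0000000 minus 16 MiB) is an assumption of this example, chosen because it reproduces the 0x2a000000 and 0x7f555554 figures above; the shadow bounds come from the wiki page cited as [1]; the function names and the 2G-split value used for comparison are this example's own.

```c
/*
 * Added example, not part of the patch: reproduce the 32-bit overflow in the
 * old ELF_ET_DYN_BASE expression and show why the fixed form avoids it.
 */
#include <stdint.h>
#include <stdio.h>

/* Assumed TASK_SIZE for CONFIG_VMSPLIT_3G: PAGE_OFFSET 0xC0000000 - 16 MiB. */
#define TASK_SIZE_3G 0xBF000000u
/* Assumed TASK_SIZE for CONFIG_VMSPLIT_2G, used only to show the no-overflow case. */
#define TASK_SIZE_2G 0x7F000000u

/* ASan's 32-bit shadow region from the cited AddressSanitizerAlgorithm page. */
#define ASAN_SHADOW_LO 0x20000000u
#define ASAN_SHADOW_HI 0x40000000u

/* Old macro: 2 * task_size is computed in 32 bits and wraps modulo 2^32. */
uint32_t et_dyn_base_old(uint32_t task_size)
{
    return 2u * task_size / 3u;
}

/* Fixed macro: divide first, so no intermediate exceeds task_size. */
uint32_t et_dyn_base_new(uint32_t task_size)
{
    return task_size / 3u * 2u;
}

/* What the macro is meant to express, computed in 64 bits for reference. */
uint64_t et_dyn_base_exact(uint32_t task_size)
{
    return 2ull * task_size / 3ull;
}

/* 1 if a PIE load base falls inside ASan's shadow window, else 0. */
int collides_with_asan_shadow(uint32_t base)
{
    return base >= ASAN_SHADOW_LO && base < ASAN_SHADOW_HI;
}

/*
 * How far above `base` ASLR would have to push the load address before it
 * clears the shadow window (0 if the base is already outside it). Any
 * per-exec random offset much smaller than this leaves PIE inside the window.
 */
uint32_t bytes_to_clear_shadow(uint32_t base)
{
    return collides_with_asan_shadow(base) ? ASAN_SHADOW_HI - base : 0u;
}

int main(void)
{
    uint32_t old_base = et_dyn_base_old(TASK_SIZE_3G);
    uint32_t new_base = et_dyn_base_new(TASK_SIZE_3G);

    printf("TASK_SIZE (3G split)      = 0x%08x\n", TASK_SIZE_3G);
    printf("2 * TASK_SIZE, 32-bit     = 0x%08x (wrapped from 0x%llx)\n",
           2u * TASK_SIZE_3G, 2ull * TASK_SIZE_3G);
    printf("old ELF_ET_DYN_BASE       = 0x%08x  in ASan shadow: %s\n",
           old_base, collides_with_asan_shadow(old_base) ? "yes" : "no");
    printf("  bytes ASLR must add     = 0x%08x\n", bytes_to_clear_shadow(old_base));
    printf("new ELF_ET_DYN_BASE       = 0x%08x  in ASan shadow: %s\n",
           new_base, collides_with_asan_shadow(new_base) ? "yes" : "no");
    printf("exact 2/3 of TASK_SIZE    = 0x%llx\n",
           (unsigned long long)et_dyn_base_exact(TASK_SIZE_3G));
    printf("2G split, old vs new      = 0x%08x vs 0x%08x (no overflow)\n",
           et_dyn_base_old(TASK_SIZE_2G), et_dyn_base_new(TASK_SIZE_2G));
    return 0;
}
```

The 2G-split line shows that reordering the operations leaves the non-overflowing configuration at the same value; in general `x / 3 * 2` can round down by one more byte than `2 * x / 3`, which is irrelevant for a load base but worth knowing when reading the two expressions as interchangeable.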