From patchwork Mon Aug 7 20:15:42 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9886107
Date: Mon, 7 Aug 2017 13:15:42 -0700
From: Kees Cook
To: Andrew Morton
Subject: [PATCH] mm: Revert x86_64 and arm64 ELF_ET_DYN_BASE base
Message-ID: <20170807201542.GA21271@beast>
Cc: Pratyush Anand, Rik van Riel, Dong Bo, Grzegorz Andrejczuk, Catalin Marinas, Reid Kleckner, x86@kernel.org, Will Deacon, linux-kernel@vger.kernel.org, Dmitry Safonov, Kostya Serebryany, Daniel Micay, Ingo Molnar, Evgeniy Stepanov, "H. Peter Anvin", Thomas Gleixner, Andy Lutomirski, Peter Collingbourne, Dmitry Vyukov, linux-arm-kernel@lists.infradead.org

Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000 broke AddressSanitizer. This is a partial revert of:

commit eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
commit 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")

The AddressSanitizer tool has hard-coded expectations about where executable mappings are loaded.

The motivation for changing the PIE base in the above commits was to avoid the Stack-Clash CVEs that allowed executable mappings to get too close to heap and stack. This was mainly a problem on 32-bit, but the 64-bit bases were moved too, in an effort to proactively protect those systems (proofs of concept do exist that show 64-bit collisions, but other recent changes to fix stack accounting and setuid behaviors will minimize the impact).
The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC base), so only the 64-bit PIE base needs to be reverted to let x86 and arm64 ASan binaries run again. Future changes to the 64-bit PIE base on these architectures can be made optional once a more dynamic method for dealing with AddressSanitizer is found. (e.g. always loading PIE into the mmap region for marked binaries.) Reported-by: Kostya Serebryany Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Will Deacon --- arch/arm64/include/asm/elf.h | 4 ++-- arch/x86/include/asm/elf.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index acae781f7359..3288c2b36731 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -114,10 +114,10 @@ /* * This is the base location for PIE (ET_DYN with INTERP) loads. On - * 64-bit, this is raised to 4GB to leave the entire 32-bit address + * 64-bit, this is above 4GB to leave the entire 32-bit address * space open for things that want to use the area for 32-bit pointers. */ -#define ELF_ET_DYN_BASE 0x100000000UL +#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3) #ifndef __ASSEMBLY__ diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 1c18d83d3f09..9aeb91935ce0 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -247,11 +247,11 @@ extern int force_personality32; /* * This is the base location for PIE (ET_DYN with INTERP) loads. On - * 64-bit, this is raised to 4GB to leave the entire 32-bit address + * 64-bit, this is above 4GB to leave the entire 32-bit address * space open for things that want to use the area for 32-bit pointers. */ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ - 0x100000000UL) + (TASK_SIZE / 3 * 2)) /* This yields a mask that user programs can use to figure out what instruction set this CPU supports. This could be done in user space,
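Review bot: in the arch/arm64/include/asm/elf.h hunk, the updated comment ("this is above 4GB") describes the layout but not why the value must stay where it is; since the commit message says AddressSanitizer hard-codes its expectation of the 0x555555554000 PIE base, state that dependency in the comment next to `#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)` so a later cleanup does not silently break ASan again. The message's point that the 64-bit stack accounting and setuid fixes are what bound the collision risk at this placement belongs in that comment too, because this hunk reinstates the placement commit 02445990a96e moved away from.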
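Review bot: in the arch/x86/include/asm/elf.h hunk, the restored 64-bit value is written as `(TASK_SIZE / 3 * 2)` while the arm64 hunk writes `(2 * TASK_SIZE_64 / 3)`; with integer division the two forms can differ by a byte or two, which is harmless before page alignment but needlessly inconsistent for a value both architectures are supposed to share, so use the same operator order in both files or add a comment saying why they differ. The `mmap_is_ia32()` branch keeping `0x000400000UL` matches the commit message's statement that the 32-bit base is unchanged and fine for ASan, so only the 64-bit arm needs attention.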