From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752135AbbBRJQi (ORCPT ); Wed, 18 Feb 2015 04:16:38 -0500 Received: from mail.skyhub.de ([78.46.96.112]:36840 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750772AbbBRJQe (ORCPT ); Wed, 18 Feb 2015 04:16:34 -0500 Date: Wed, 18 Feb 2015 10:15:43 +0100 From: Borislav Petkov To: Kees Cook Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org, Alexander Viro , Ismael Ripoll , Hector Marco-Gisbert , Jan-Simon =?utf-8?Q?M=C3=B6ller?= , linux-fsdevel@vger.kernel.org Subject: Re: [PATCH] ASLR: fix stack randomization on 64-bit systems Message-ID: <20150218091543.GF3211@pd.tnic> References: <20150214173350.GA18393@www.outflux.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20150214173350.GA18393@www.outflux.net> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Feb 14, 2015 at 09:33:50AM -0800, Kees Cook wrote: > From: Hector Marco-Gisbert > > The issue is that the stack for processes is not properly randomized on 64 bit > architectures due to an integer overflow. > > The affected function is randomize_stack_top() in file "fs/binfmt_elf.c": > > static unsigned long randomize_stack_top(unsigned long stack_top) > { > unsigned int random_variable = 0; > > if ((current->flags & PF_RANDOMIZE) && > !(current->personality & ADDR_NO_RANDOMIZE)) { > random_variable = get_random_int() & STACK_RND_MASK; > random_variable <<= PAGE_SHIFT; > } > return PAGE_ALIGN(stack_top) + random_variable; > return PAGE_ALIGN(stack_top) - random_variable; > } > > Note that, it declares the "random_variable" variable as "unsigned int". Since > the result of the shifting operation between STACK_RND_MASK (which is > 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64): > > random_variable <<= PAGE_SHIFT; > > then the two leftmost bits are dropped when storing the result in the > "random_variable". This variable shall be at least 34 bits long to hold the > (22+12) result. > > These two dropped bits have an impact on the entropy of process stack. > Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One > fourth of expected entropy). > > This patch restores back the entropy by correcting the types involved in the > operations in the functions randomize_stack_top() and stack_maxrandom_size(). > > The successful fix can be tested with: > $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done > 7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack] > 7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack] > 7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack] > 7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack] > ... > > Once corrected, the leading bytes should be between 7ffc and 7fff, rather > than always being 7fff. > > CVE-2015-1593 > > Signed-off-by: Hector Marco-Gisbert > Signed-off-by: Ismael Ripoll > [kees: rebase, fix 80 char, clean up commit message, add test example, cve] > Signed-off-by: Kees Cook > Cc: stable@vger.kernel.org Ok, I'm picking this up. Do scream if someone else wants to do that, otherwise it is going to tip next week, after the merge window is over. Thanks. -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply. --