From: Anton Blanchard <anton@samba.org>
To: linuxppc-dev@ozlabs.org
Subject: [patch 08/10] powerpc: Ensure random space between stack and mmaps
Date: Sun, 22 Feb 2009 22:50:05 +1100
Message-ID: <20090222115332.669493518@samba.org>
In-Reply-To: 20090222114957.213647384@samba.org

get_random_int() returns the same value within a 1 jiffy interval. This means
that the mmap and stack regions will almost always end up the same distance
apart, making a relative offset based attack possible.

To fix this, shift the randomness we use for the mmap region by 1 bit.

Signed-off-by: Anton Blanchard <anton@samba.org>
---

Index: linux-2.6/arch/powerpc/mm/mmap.c
===================================================================
--- linux-2.6.orig/arch/powerpc/mm/mmap.c	2009-02-22 11:58:54.000000000 +1100
+++ linux-2.6/arch/powerpc/mm/mmap.c	2009-02-22 12:05:01.000000000 +1100
@@ -46,6 +46,14 @@
 	return sysctl_legacy_va_layout;
 }
 
+/*
+ * Since get_random_int() returns the same value within a 1 jiffy window,
+ * we will almost always get the same randomisation for the stack and mmap
+ * region. This will mean the relative distance between stack and mmap will
+ * be the same.
+ *
+ * To avoid this we can shift the randomness by 1 bit.
+ */
 static unsigned long mmap_rnd(void)
 {
 	unsigned long rnd = 0;
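Review bot: the new comment explains the motivation but not the cost, and this is the place to record it: halving the modulus and doubling the result keeps the 8MB/1GB span, but the lowest page bit of the mmap offset is now always zero, so mmap placement moves in 2-page steps and loses one bit of entropy. Saying so here protects against someone later "restoring" the 23/30 constants without also dropping the doubling. It is also worth noting in the comment that this is a workaround for get_random_int() returning the same value within a jiffy; fixing that function to vary per call would remove the need for the shift in every caller, and this comment should point future readers there.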
@@ -53,11 +61,11 @@
 	if (current->flags & PF_RANDOMIZE) {
 		/* 8MB for 32bit, 1GB for 64bit */
 		if (is_32bit_task())
-			rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
+			rnd = (long)(get_random_int() % (1<<(22-PAGE_SHIFT)));
 		else
-			rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
+			rnd = (long)(get_random_int() % (1<<(29-PAGE_SHIFT)));
 	}
-	return rnd << PAGE_SHIFT;
+	return (rnd << PAGE_SHIFT) * 2;
 }
 
 static inline unsigned long mmap_base(void)
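Review bot: `return (rnd << PAGE_SHIFT) * 2;` reads as an arithmetic afterthought; `return rnd << (PAGE_SHIFT + 1);` expresses the intended 1-bit shift directly and matches the wording of the comment added above. The `(long)` casts on an unsigned expression assigned to an `unsigned long` are pre-existing but could be dropped while these lines are being touched. The `/* 8MB for 32bit, 1GB for 64bit */` comment is still accurate for the span covered, but since the offset now changes in 2-page increments the number of distinct mmap bases is halved; the changelog should state that one bit of mmap entropy is traded for decorrelating the stack and mmap offsets.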

-- 
