* [PATCH 1/3] x86/mmap: properly account for stack randomization in mmap_base
2017-06-22 20:00 [PATCH 0/3] properly account for stack randomization and guard gap riel
@ 2017-06-22 20:00 ` riel
2017-06-22 20:00 ` [PATCH 2/3] arm64/mmap: " riel
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: riel @ 2017-06-22 20:00 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, mingo, will.deacon, danielmicay, benh, hughd
From: Rik van Riel <riel@redhat.com>
When RLIMIT_STACK is, for example, 256MB, the current code results in
a gap between the top of the task and mmap_base of 256MB, failing to
take into account the amount by which the stack address was randomized.
In other words, the stack gets less than RLIMIT_STACK space.
Ensure that the gap between the stack and mmap_base always takes stack
randomization and the stack guard gap into account.
>From Daniel Micay's linux-hardened tree.
Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Rik van Riel <riel@redhat.com>
---
arch/x86/mm/mmap.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 19ad095b41df..7c35dd73dbd4 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -95,13 +95,18 @@ unsigned long arch_mmap_rnd(void)
static unsigned long mmap_base(unsigned long rnd, unsigned long task_size)
{
unsigned long gap = rlimit(RLIMIT_STACK);
+ unsigned long pad = stack_maxrandom_size(task_size) + stack_guard_gap;
unsigned long gap_min, gap_max;
+ /* Values close to RLIM_INFINITY can overflow. */
+ if (gap + pad > gap)
+ gap += pad;
+
/*
* Top of mmap area (just below the process stack).
* Leave an at least ~128 MB hole with possible stack randomization.
*/
- gap_min = SIZE_128M + stack_maxrandom_size(task_size);
+ gap_min = SIZE_128M;
gap_max = (task_size / 6) * 5;
if (gap < gap_min)
--
2.9.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/3] arm64/mmap: properly account for stack randomization in mmap_base
2017-06-22 20:00 [PATCH 0/3] properly account for stack randomization and guard gap riel
2017-06-22 20:00 ` [PATCH 1/3] x86/mmap: properly account for stack randomization in mmap_base riel
@ 2017-06-22 20:00 ` riel
2017-06-22 20:00 ` [PATCH 3/3] powerpc,mmap: " riel
2017-06-23 8:35 ` [PATCH 0/3] properly account for stack randomization and guard gap Ingo Molnar
3 siblings, 0 replies; 6+ messages in thread
From: riel @ 2017-06-22 20:00 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, mingo, will.deacon, danielmicay, benh, hughd
From: Rik van Riel <riel@redhat.com>
When RLIMIT_STACK is, for example, 256MB, the current code results in
a gap between the top of the task and mmap_base of 256MB, failing to
take into account the amount by which the stack address was randomized.
In other words, the stack gets less than RLIMIT_STACK space.
Ensure that the gap between the stack and mmap_base always takes stack
randomization and the stack guard gap into account.
>From Daniel Micay's linux-hardened tree.
Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Rik van Riel <riel@redhat.com>
---
arch/arm64/mm/mmap.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c
index 7b0d55756eb1..a0cb6b8ccde7 100644
--- a/arch/arm64/mm/mmap.c
+++ b/arch/arm64/mm/mmap.c
@@ -34,7 +34,7 @@
* Leave enough space between the mmap area and the stack to honour ulimit in
* the face of randomisation.
*/
-#define MIN_GAP (SZ_128M + ((STACK_RND_MASK << PAGE_SHIFT) + 1))
+#define MIN_GAP (SZ_128M)
#define MAX_GAP (STACK_TOP/6*5)
static int mmap_is_legacy(void)
@@ -64,6 +64,11 @@ unsigned long arch_mmap_rnd(void)
static unsigned long mmap_base(unsigned long rnd)
{
unsigned long gap = rlimit(RLIMIT_STACK);
+ unsigned long pad = (STACK_RND_MASK << PAGE_SHIFT) + stack_guard_gap;
+
+ /* Values close to RLIM_INFINITY can overflow. */
+ if (gap + pad > gap)
+ gap += pad;
if (gap < MIN_GAP)
gap = MIN_GAP;
--
2.9.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/3] powerpc,mmap: properly account for stack randomization in mmap_base
2017-06-22 20:00 [PATCH 0/3] properly account for stack randomization and guard gap riel
2017-06-22 20:00 ` [PATCH 1/3] x86/mmap: properly account for stack randomization in mmap_base riel
2017-06-22 20:00 ` [PATCH 2/3] arm64/mmap: " riel
@ 2017-06-22 20:00 ` riel
2017-06-23 8:35 ` [PATCH 0/3] properly account for stack randomization and guard gap Ingo Molnar
3 siblings, 0 replies; 6+ messages in thread
From: riel @ 2017-06-22 20:00 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, mingo, will.deacon, danielmicay, benh, hughd
From: Rik van Riel <riel@redhat.com>
When RLIMIT_STACK is, for example, 256MB, the current code results in
a gap between the top of the task and mmap_base of 256MB, failing to
take into account the amount by which the stack address was randomized.
In other words, the stack gets less than RLIMIT_STACK space.
Ensure that the gap between the stack and mmap_base always takes stack
randomization and the stack guard gap into account.
Inspired by Daniel Micay's linux-hardened tree.
Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Rik van Riel <riel@redhat.com>
---
arch/powerpc/mm/mmap.c | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
index 0ee6be4f1ba4..5d78b193fec4 100644
--- a/arch/powerpc/mm/mmap.c
+++ b/arch/powerpc/mm/mmap.c
@@ -34,16 +34,9 @@
/*
* Top of mmap area (just below the process stack).
*
- * Leave at least a ~128 MB hole on 32bit applications.
- *
- * On 64bit applications we randomise the stack by 1GB so we need to
- * space our mmap start address by a further 1GB, otherwise there is a
- * chance the mmap area will end up closer to the stack than our ulimit
- * requires.
+ * Leave at least a ~128 MB hole.
*/
-#define MIN_GAP32 (128*1024*1024)
-#define MIN_GAP64 ((128 + 1024)*1024*1024UL)
-#define MIN_GAP ((is_32bit_task()) ? MIN_GAP32 : MIN_GAP64)
+#define MIN_GAP (128*1024*1024)
#define MAX_GAP (TASK_SIZE/6*5)
static inline int mmap_is_legacy(void)
@@ -71,9 +64,26 @@ unsigned long arch_mmap_rnd(void)
return rnd << PAGE_SHIFT;
}
+static inline unsigned long stack_maxrandom_size(void)
+{
+ if (!(current->flags & PF_RANDOMIZE))
+ return 0;
+
+ /* 8MB for 32bit, 1GB for 64bit */
+ if (is_32bit_task())
+ return (1<<23);
+ else
+ return (1<<30);
+}
+
static inline unsigned long mmap_base(unsigned long rnd)
{
unsigned long gap = rlimit(RLIMIT_STACK);
+ unsigned long pad = stack_maxrandom_size() + stack_guard_gap;
+
+ /* Values close to RLIM_INFINITY can overflow. */
+ if (gap + pad > gap)
+ gap += pad;
if (gap < MIN_GAP)
gap = MIN_GAP;
--
2.9.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 0/3] properly account for stack randomization and guard gap
2017-06-22 20:00 [PATCH 0/3] properly account for stack randomization and guard gap riel
` (2 preceding siblings ...)
2017-06-22 20:00 ` [PATCH 3/3] powerpc,mmap: " riel
@ 2017-06-23 8:35 ` Ingo Molnar
2017-06-23 15:13 ` Rik van Riel
3 siblings, 1 reply; 6+ messages in thread
From: Ingo Molnar @ 2017-06-23 8:35 UTC (permalink / raw)
To: riel
Cc: linux-kernel, akpm, will.deacon, danielmicay, benh, hughd,
Linus Torvalds, Michal Hocko, Dave Jones, Oleg Nesterov
* riel@redhat.com <riel@redhat.com> wrote:
> When RLIMIT_STACK is larger than the minimum gap enforced by
> mmap_base(), it is possible for the kernel to place the mmap
> area where the stack wants to grow, resulting in the stack
> not being able to use the space that should have been allocated
> to it through RLIMIT_STACK.
>
> This series ensures that x86, ARM64, and PPC have at least
> RLIMIT_STACK + stack randomization + the stack guard gap
> space available for the stack.
>
> s390 seems to be ok. I have not checked other architectures.
x86 patch LGTM:
Acked-by: Ingo Molnar <mingo@kernel.org>
... but I suspect this wants to go via -mm or Linus directly?
Thanks,
Ingo
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 0/3] properly account for stack randomization and guard gap
2017-06-23 8:35 ` [PATCH 0/3] properly account for stack randomization and guard gap Ingo Molnar
@ 2017-06-23 15:13 ` Rik van Riel
0 siblings, 0 replies; 6+ messages in thread
From: Rik van Riel @ 2017-06-23 15:13 UTC (permalink / raw)
To: Ingo Molnar
Cc: linux-kernel, akpm, will.deacon, danielmicay, benh, hughd,
Linus Torvalds, Michal Hocko, Dave Jones, Oleg Nesterov
On Fri, 2017-06-23 at 10:35 +0200, Ingo Molnar wrote:
> * riel@redhat.com <riel@redhat.com> wrote:
>
> > When RLIMIT_STACK is larger than the minimum gap enforced by
> > mmap_base(), it is possible for the kernel to place the mmap
> > area where the stack wants to grow, resulting in the stack
> > not being able to use the space that should have been allocated
> > to it through RLIMIT_STACK.
> >
> > This series ensures that x86, ARM64, and PPC have at least
> > RLIMIT_STACK + stack randomization + the stack guard gap
> > space available for the stack.
> >
> > s390 seems to be ok. I have not checked other architectures.
>
> x86 patch LGTM:
>
> Acked-by: Ingo Molnar <mingo@kernel.org>
>
> ... but I suspect this wants to go via -mm or Linus directly?
I believe Andrew picked it up yesterday.
^ permalink raw reply [flat|nested] 6+ messages in thread