From patchwork Tue Mar 12 17:32:46 2019
X-Patchwork-Submitter: Ali Saidi
X-Patchwork-Id: 10849613
From: Ali Saidi
Subject: [PATCH 0/2] handle worst-case heap randomization in mmap_base
Date: Tue, 12 Mar 2019 17:32:46 +0000
Message-ID: <20190312173248.13490-1-alisaidi@amazon.com>
X-BeenThere: linux-arm-kernel@lists.infradead.org
Cc: Kees Cook, Peter Zijlstra, Catalin Marinas, Dave Hansen, Will Deacon, Ingo Molnar, Borislav Petkov, David Woodhouse, Andy Lutomirski, "H. Peter Anvin", Andrew Morton, Thomas Gleixner, Ali Saidi, Anthony Liguori

Increase mmap_base by the worst-case brk randomization so that the stack and heap remain apart.

In Linux 4.13 a change was committed that special-cased the kernel ELF loader when the loader is invoked directly (eab09532d400; binfmt_elf: use ELF_ET_DYN_BASE only for PIE). Generally, the loader isn't invoked directly and this issue is limited to cases where it is (e.g. to set a non-inheritable LD_LIBRARY_PATH, testing new versions of the loader). In those rare cases, the loader doesn't take into account the amount of brk randomization that will be applied by arch_randomize_brk(). This can lead to the stack and heap being arbitrarily close to each other.
Ali Saidi (2):
  arm64/mmap: handle worst-case heap randomization in mmap_base
  x86/mmap: handle worst-case heap randomization in mmap_base

 arch/arm64/mm/mmap.c | 8 ++++++++
 arch/x86/mm/mmap.c   | 4 ++++
 2 files changed, 12 insertions(+)
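The condition the cover letter describes (heap ending up arbitrarily close to the mmap area when the loader is executed directly) can be checked from user space by looking at /proc/<pid>/maps. The script below is an added illustration, not part of this patch series or of the kernel: it parses maps lines, measures the gap between the end of the [heap] region and the nearest mapping above it, and compares that gap with a caller-supplied worst-case brk randomization. Two assumptions are built in: the lowest mapping above [heap] stands in for mmap_base, and the 32 MiB bound used in the self-check is illustrative only; the real per-architecture value lives in arch_randomize_brk(). Both maps samples are constructed, with the second laid out as the direct-loader case in which the heap follows the loader's data segment inside the mmap area.

```python
"""Measure the gap between the [heap] mapping and the nearest mapping above it.

Added illustration for the cover letter above; not part of the patch series or
of the kernel. Assumptions: the lowest mapping that starts above the [heap]
region stands in for the mmap area (mmap_base), and the worst-case brk
randomization is passed in by the caller rather than read from the kernel.
"""
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Constructed sample: ordinary layout, heap far below the mmap area.
SAMPLE_NORMAL = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/example
01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]
7f3a12000000-7f3a121c0000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7f3a12400000-7f3a12403000 rw-p 00000000 00:00 0
7ffd3b4c0000-7ffd3b4e1000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: the loader was executed directly, so the heap sits
# right after the loader's data segment inside the mmap area.
SAMPLE_DIRECT_LOADER = """\
7f3a11e00000-7f3a11e26000 r-xp 00000000 08:01 4321 /lib64/ld-linux-x86-64.so.2
7f3a12026000-7f3a12028000 rw-p 00026000 08:01 4321 /lib64/ld-linux-x86-64.so.2
7f3a12028000-7f3a1204a000 rw-p 00000000 00:00 0 [heap]
7f3a12100000-7f3a122c0000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7ffd3b4c0000-7ffd3b4e1000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Parse maps text into a list of (start, end, perms, name), sorted by start."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised maps line: %r" % line)
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        regions.append((start, end, m.group(3), m.group(4)))
    return sorted(regions)


def heap_gap(regions):
    """Return (gap_bytes, name_of_mapping_above) for the [heap] region.

    Returns None when there is no [heap] or nothing is mapped above it.
    """
    heap = [r for r in regions if r[3] == "[heap]"]
    if not heap:
        return None
    heap_end = max(r[1] for r in heap)
    above = [r for r in regions if r[0] >= heap_end]
    if not above:
        return None
    nxt = above[0]
    return nxt[0] - heap_end, (nxt[3] or "<anonymous>")


def heap_has_room(text, worst_case_brk_rand):
    """True if the heap could be pushed up by worst_case_brk_rand bytes
    without running into the mapping above it."""
    gap = heap_gap(parse_maps(text))
    return gap is not None and gap[0] >= worst_case_brk_rand


def report(text, worst_case_brk_rand):
    """One-line human-readable verdict for a maps dump."""
    gap = heap_gap(parse_maps(text))
    if gap is None:
        return "no [heap] region (or nothing mapped above it)"
    verdict = "ok" if gap[0] >= worst_case_brk_rand else "TOO CLOSE"
    return "heap -> %s gap: %#x bytes (%s)" % (gap[1], gap[0], verdict)


if __name__ == "__main__":
    # 32 MiB is an illustrative bound (assumption); the real per-architecture
    # value lives in arch_randomize_brk().
    BOUND = 32 << 20
    path = "/proc/self/maps"
    live = open(path).read() if os.path.exists(path) else None
    for label, text in (("normal", SAMPLE_NORMAL),
                        ("direct loader", SAMPLE_DIRECT_LOADER),
                        ("this process", live)):
        if text is not None:
            print("%-14s %s" % (label, report(text, BOUND)))
```

Run it as a script on a Linux box and it also reports on its own process; on a kernel without the fix, invoking the dynamic loader directly (e.g. `/lib64/ld-linux-x86-64.so.2 ./prog`) and pointing the script at that process's maps file is the way to see the small gap the cover letter is concerned about.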