proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2025-12-24 20:18:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f99cb7af40
mirror_ubuntu-kernels/arch/x86
History
Kees Cook eab09532d4 binfmt_elf: use ELF_ET_DYN_BASE only for PIE 
The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries.  (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.)

With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
ELF_ET_DYN_BASE continued to be used since the kernel was only looking
at ET_DYN.  However, since ELF_ET_DYN_BASE is traditionally set at the
top 1/3rd of the TASK_SIZE, a substantial portion of the address space
is unused.

For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
loaded above the mmap region.  This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
pathological stack regions.

Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
region in all cases, and will now additionally avoid programs falling
back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
if it would have collided with the stack, now it will fail to load
instead of falling back to the mmap region).

To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by
the loader.  Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
which means architectures can now safely lower their values without risk
of loaders colliding with their subsequently loaded programs.

For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.

Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.

Fixes: d1fd836dcf ("mm: split ET_DYN ASLR from mmap ASLR")
Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-10 16:32:36 -07:00
..
boot Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 14:45:09 -07:00
configs Merge branch 'x86-boot-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 20:51:12 -07:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-07-05 12:22:23 -07:00
entry Merge branch 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm 2017-07-08 12:17:25 -07:00
events Merge branch 'smp-hotplug-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-03 18:08:06 -07:00
hyperv char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
ia32 sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task_stack.h> 2017-03-02 08:42:36 +01:00
include binfmt_elf: use ELF_ET_DYN_BASE only for PIE 2017-07-10 16:32:36 -07:00
kernel Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-07-09 11:21:31 -07:00
kvm PPC: 2017-07-06 18:38:31 -07:00
lguest Merge branch 'x86-boot-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 20:51:12 -07:00
lib libnvdimm for 4.13 2017-07-07 09:44:06 -07:00
math-emu x86/ldt: Rename ldt_struct::size to ::nr_entries 2017-06-08 09:28:21 +02:00
mm x86/kasan: don't allocate extra shadow memory 2017-07-10 16:32:33 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
oprofile
pci pci-v4.13-changes 2017-07-08 15:51:57 -07:00
platform x86/platform/uv/BAU: Minor cleanup, make some local functions static 2017-07-04 15:52:37 +02:00
power x86/boot/e820: Introduce the bootloader provided e820_table_firmware[] table 2017-07-05 10:09:02 +02:00
purgatory kasan: do not sanitize kexec purgatory 2017-03-31 17:13:30 -07:00
ras x86/mce: Merge mce_amd_inj into mce-inject 2017-06-14 07:32:07 +02:00
realmode x86/boot/64: Rename init_level4_pgt and early_level4_pgt 2017-06-13 08:56:55 +02:00
tools x86/tools: Fix gcc-7 warning in relocs.c 2016-12-19 11:50:24 +01:00
um x86/um: thin archives build fix 2017-06-30 09:03:05 +09:00
video
xen This is the first pull request for the new dma-mapping subsystem 2017-07-06 19:20:54 -07:00
.gitignore
Kbuild Drivers: hv vmbus: Move Hypercall page setup out of common code 2017-01-19 11:42:07 +01:00
Kconfig powerpc updates for 4.13 2017-07-07 13:55:45 -07:00
Kconfig.cpu
Kconfig.debug usb/early: Add driver for xhci debug capability 2017-03-21 12:30:05 +01:00
Makefile Kbuild updates for v4.13 2017-07-07 14:09:24 -07:00
Makefile_32.cpu kbuild: remove cc-option-align 2017-06-25 12:43:00 +09:00
Makefile.um