OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/fs
History
Hector Marco-Gisbert 14a3e0c960 x86, mm/ASLR: Fix stack randomization on 64-bit systems 
commit 4e7c22d447 upstream.

The issue is that the stack for processes is not properly randomized on
64 bit architectures due to an integer overflow.

The affected function is randomize_stack_top() in file
"fs/binfmt_elf.c":

  static unsigned long randomize_stack_top(unsigned long stack_top)
  {
           unsigned int random_variable = 0;

           if ((current->flags & PF_RANDOMIZE) &&
                   !(current->personality & ADDR_NO_RANDOMIZE)) {
                   random_variable = get_random_int() & STACK_RND_MASK;
                   random_variable <<= PAGE_SHIFT;
           }
           return PAGE_ALIGN(stack_top) + random_variable;
           return PAGE_ALIGN(stack_top) - random_variable;
  }

Note that, it declares the "random_variable" variable as "unsigned int".
Since the result of the shifting operation between STACK_RND_MASK (which
is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):

	  random_variable <<= PAGE_SHIFT;

then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold
the (22+12) result.

These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to
2^30 (One fourth of expected entropy).

This patch restores back the entropy by correcting the types involved
in the operations in the functions randomize_stack_top() and
stack_maxrandom_size().

The successful fix can be tested with:

  $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
  7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
  7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
  7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
  7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
  ...

Once corrected, the leading bytes should be between 7ffc and 7fff,
rather than always being 7fff.

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: CVE-2015-1593
Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2015-03-06 14:43:32 -08:00
..
9p Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-01-28 08:38:04 -08:00
adfs adfs: delayed freeing of sbi 2013-10-24 23:43:27 -04:00
affs fs/affs/super.c: bugfix / double free 2014-06-07 10:28:16 -07:00
afs afs: proc cells and rootcell are writeable 2014-02-01 10:59:39 -08:00
autofs4 autofs: fix lockref lookup 2014-06-07 10:28:20 -07:00
befs befs: iget_locked() doesn't return an ERR_PTR 2014-01-25 03:14:38 -05:00
bfs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
btrfs btrfs: fix leak of path in btrfs_find_item 2015-03-06 14:43:32 -08:00
cachefiles Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
ceph ceph: fix null pointer dereference in discard_cap_releases() 2015-01-16 06:59:33 -08:00
cifs Complete oplock break jobs before closing file handle 2015-02-11 14:54:47 +08:00
coda coda_revalidate_inode(): switch to passing inode... 2013-11-09 00:16:21 -05:00
configfs configfs: fix race between dentry put and lookup 2013-11-21 16:42:27 -08:00
cramfs mm: remove read_cache_page_async() 2014-11-21 09:23:06 -08:00
debugfs debugfs: Fix corrupted loop in debugfs_remove_recursive 2014-09-05 16:34:15 -07:00
devpts devpts: plug the memory leak in kill_sb 2013-11-13 12:09:36 +09:00
dlm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
ecryptfs eCryptfs: Remove buggy and unnecessary write in file name decode routine 2015-01-08 10:00:51 -08:00
efivarfs consolidate simple ->d_delete() instances 2013-11-15 22:04:17 -05:00
efs efs: get rid of ->put_super() 2014-01-25 03:13:02 -05:00
exofs exofs: Print less in r4w 2014-01-23 18:54:14 +02:00
exportfs exportfs: fix quadratic behavior in filehandle lookup 2013-11-09 00:16:38 -05:00
ext2 ext2/3/4: use generic posix ACL infrastructure 2014-01-25 23:58:19 -05:00
ext3 ext3: Don't check quota format when there are no quota files 2014-11-14 09:00:09 -08:00
ext4 ext4: prevent bugon on race between write/fcntl 2015-02-11 14:54:48 +08:00
f2fs mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
fat fat: rcu-delay unloading nls and freeing sbi 2013-10-24 23:43:28 -04:00
freevxfs
fscache FS-Cache: Handle removal of unadded object to the fscache_object_list rb tree 2014-02-17 13:47:35 -08:00
fuse mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
gfs2 mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
hfs fs/hfs/btree.h: remove duplicate defines 2013-11-13 12:09:32 +09:00
hfsplus hfsplus: add HFSX subfolder count support 2014-03-10 17:26:21 -07:00
hostfs um: hostfs: make functions static 2014-01-26 11:51:09 +01:00
hpfs hpfs: optimize quad buffer loading 2014-02-02 16:24:07 -08:00
hppfs clean up scary strncpy(dst, src, strlen(src)) uses 2013-07-03 16:07:41 -07:00
hugetlbfs hugetlb: ensure hugepage access is denied if hugepages are not supported 2014-10-09 12:21:27 -07:00
isofs isofs: Fix unchecked printing of ER records 2015-01-08 10:00:49 -08:00
jbd jbd: Revise KERN_EMERG error messages 2013-12-04 12:27:46 +01:00
jbd2 jbd2: free bh when descriptor block checksum fails 2014-11-14 08:59:57 -08:00
jffs2 jffs2: fix handling of corrupted summary length 2015-03-06 14:43:32 -08:00
jfs jfs: set i_ctime when setting ACL 2014-02-13 15:56:05 -06:00
kernfs kernfs: add back missing error check in kernfs_fop_mmap() 2014-06-07 10:28:08 -07:00
lockd LOCKD: Fix a race when initialising nlmsvc_timeout 2015-01-27 08:18:58 -08:00
logfs Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block 2014-01-30 11:19:05 -08:00
minix fs/minix: Drop dependency on H8300 2013-09-16 18:20:25 -07:00
ncpfs ncpfs: return proper error from NCP_IOC_SETROOT ioctl 2015-01-08 10:00:50 -08:00
nfs NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args 2015-03-06 14:43:29 -08:00
nfs_common
nfsd nfsd4: fix xdr4 inclusion of escaped char 2015-01-16 06:59:33 -08:00
nilfs2 nilfs2: fix deadlock of segment constructor over I_SYNC flag 2015-02-11 14:54:47 +08:00
nls nls: have register_nls() set ->owner 2014-01-25 03:14:05 -05:00
notify fsnotify: next_i is freed during fsnotify_unmount_inodes. 2015-01-27 08:18:59 -08:00
ntfs mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
ocfs2 ocfs2: fix the wrong directory passed to ocfs2_lookup_ino_from_name() when link file 2015-01-16 06:59:29 -08:00
omfs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
openpromfs
proc genirq: Prevent proc race against freeing of irq descriptors 2015-01-27 08:18:55 -08:00
pstore pstore: Fix NULL pointer fault if get NULL prz in ramoops_get_next_prz 2015-02-05 22:35:52 -08:00
qnx4 qnx4: clean qnx4_fill_super() up 2014-01-25 03:13:03 -05:00
qnx6
quota quota: Properly return errors from dquot_writeback_dquots() 2014-11-14 09:00:09 -08:00
ramfs fs/ramfs: move ramfs_aops to inode.c 2014-01-23 16:36:58 -08:00
reiserfs reiserfs: call truncate_setsize under tailpack mutex 2014-07-06 18:57:29 -07:00
romfs romfs: fix returm err while getting inode in fill_super 2014-01-23 16:37:04 -08:00
squashfs Squashfs: fix failure to unlock pages on decompress error 2013-11-24 01:02:50 +00:00
sysfs sysfs: make sure read buffer is zeroed 2014-06-07 10:28:24 -07:00
sysv sysv: Add forgotten superblock lock init for v7 fs 2013-09-29 22:02:02 -04:00
ubifs UBIFS: fix free log space calculation 2014-11-14 08:59:46 -08:00
udf udf: Verify symlink size before loading it 2015-01-08 10:00:50 -08:00
ufs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
xfs xfs: Fix quota type in quota structures when reusing quota file 2015-03-06 14:43:31 -08:00
Kconfig fs: remove generic_acl 2014-01-26 08:26:40 -05:00
Kconfig.binfmt
Makefile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-01-28 08:38:04 -08:00
aio.c aio: fix uncorrent dirty pages accouting when truncating AIO ring buffer 2014-12-06 15:55:37 -08:00
anon_inodes.c vfs: Allocate anon_inode_inode in anon_inode_init() 2014-03-27 09:52:54 -07:00
attr.c fs,userns: Change inode_capable to capable_wrt_inode_uidgid 2014-06-16 13:40:32 -07:00
bad_inode.c
binfmt_aout.c dump_skip(): dump_seek() replacement taking coredump_params 2013-11-09 00:16:26 -05:00
binfmt_elf.c x86, mm/ASLR: Fix stack randomization on 64-bit systems 2015-03-06 14:43:32 -08:00
binfmt_elf_fdpic.c elf{,_fdpic} coredump: get rid of pointless if (siginfo->si_signo) 2013-11-09 00:16:30 -05:00
binfmt_em86.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c bio-integrity: Drop bio_integrity_verify BUG_ON in post bip->bip_iter world 2014-02-21 15:56:36 -08:00
bio.c block: Fix cloning of discard/write same bios 2014-02-11 08:40:45 -07:00
block_dev.c a trivial writeback fix 2013-09-13 23:06:40 -04:00
buffer.c mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
char_dev.c Merge branch 'for-3.13/core' of git://git.kernel.dk/linux-block 2013-11-14 12:08:14 +09:00
compat.c
compat_binfmt_elf.c
compat_ioctl.c fs/compat_ioctl.c: fix an underflow issue (harmless) 2014-01-21 16:19:42 -08:00
coredump.c coredump: fix the setting of PF_DUMPCORE 2014-07-31 12:52:56 -07:00
dcache.c missing data dependency barrier in prepend_name() 2014-11-14 08:59:48 -08:00
dcookies.c fs/compat: fix lookup_dcookie() parameter handling 2014-01-29 16:22:40 -08:00
direct-io.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
drop_caches.c shrinker: add node awareness 2013-09-10 18:56:31 -04:00
eventfd.c eventfd_ctx_fdget(): use fdget() instead of fget() 2014-01-25 03:13:04 -05:00
eventpoll.c eventpoll: fix uninitialized variable in epoll_ctl 2014-10-05 14:52:20 -07:00
exec.c mm: per-thread vma caching 2014-10-09 12:21:29 -07:00
fcntl.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
fhandle.c
file.c vfs: Don't let __fdget_pos() get FMODE_PATH files 2014-03-23 00:03:12 -04:00
file_table.c don't bother with {get,put}_write_access() on non-regular files 2014-05-31 13:20:29 -07:00
filesystems.c
fs-writeback.c writeback: fix a subtle race condition in I_DIRTY clearing 2015-01-16 06:59:32 -08:00
fs_struct.c seqcount: Add lockdep functionality to seqcount/seqlock structures 2013-11-06 12:40:26 +01:00
inode.c fs,userns: Change inode_capable to capable_wrt_inode_uidgid 2014-06-16 13:40:32 -07:00
internal.h get rid of s_files and files_lock 2013-11-09 00:16:20 -05:00
ioctl.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
ioprio.c block: Fix computation of merged request priority 2014-11-21 09:23:03 -08:00
libfs.c consolidate simple ->d_delete() instances 2013-11-15 22:04:17 -05:00
locks.c locks: eliminate BUG() call when there's an unexpected lock on file close 2014-12-06 15:55:39 -08:00
mbcache.c fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
mount.h switch mnt_hash to hlist 2014-03-30 19:18:51 -04:00
mpage.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
namei.c fs: allow open(dir, O_TMPFILE|..., 0) with mode 0 2014-11-14 08:59:46 -08:00
namespace.c umount: Disallow unprivileged mount force 2015-01-08 10:00:49 -08:00
no-block.c
open.c don't bother with {get,put}_write_access() on non-regular files 2014-05-31 13:20:29 -07:00
pipe.c fs/pipe.c: skip file_update_time on frozen fs 2014-01-23 16:37:00 -08:00
pnode.c get rid of propagate_umount() mistakenly treating slaves as busy. 2014-09-17 09:19:22 -07:00
pnode.h smarter propagate_mnt() 2014-05-06 07:59:36 -07:00
posix_acl.c posix_acl: handle NULL ACL in posix_acl_equiv_mode 2014-06-07 10:28:16 -07:00
proc_namespace.c fs/proc_namespace.c: simplify testing nsp and nsp->mnt_ns 2014-01-23 16:37:02 -08:00
read_write.c vfs: atomic f_pos access in llseek() 2014-03-23 00:03:12 -04:00
readdir.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
select.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
seq_file.c seq_file: always clear m->count when we free m->buf 2013-11-18 19:07:53 -08:00
signalfd.c
splice.c fuse: fix pipe_buf_operations 2014-01-22 19:36:57 +01:00
stack.c
stat.c vfs: split out vfs_getattr_nosec 2013-11-09 00:16:31 -05:00
statfs.c vfs: allow O_PATH file descriptors for fstatfs() 2013-10-12 13:12:31 -07:00
super.c fs/superblock: avoid locking counting inodes and dentries before reclaiming them 2014-11-21 09:23:07 -08:00
sync.c Revert "writeback: do not sync data dirtied after sync start" 2014-02-22 02:02:28 +01:00
timerfd.c
utimes.c locks: break delegations on any attribute modification 2013-11-09 00:16:44 -05:00
xattr.c