aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKees Cook2017-08-18 17:16:31 -0500
committerGreg Kroah-Hartman2017-08-24 19:02:35 -0500
commit240628085effc47e86f51fc3fb37bc0e628f9a85 (patch)
tree6e99a6fe1ac16c8aadb31ad1e1cea38bfea1dff2
parentcc971fa12bd2dff6c0432c860d784c6cdaf5a04b (diff)
downloadkernel-omap-240628085effc47e86f51fc3fb37bc0e628f9a85.tar.gz
kernel-omap-240628085effc47e86f51fc3fb37bc0e628f9a85.tar.xz
kernel-omap-240628085effc47e86f51fc3fb37bc0e628f9a85.zip
mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
commit c715b72c1ba406f133217b509044c38d8e714a37 upstream. Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000 broke AddressSanitizer. This is a partial revert of: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE") 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB") The AddressSanitizer tool has hard-coded expectations about where executable mappings are loaded. The motivation for changing the PIE base in the above commits was to avoid the Stack-Clash CVEs that allowed executable mappings to get too close to heap and stack. This was mainly a problem on 32-bit, but the 64-bit bases were moved too, in an effort to proactively protect those systems (proofs of concept do exist that show 64-bit collisions, but other recent changes to fix stack accounting and setuid behaviors will minimize the impact). The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC base), so only the 64-bit PIE base needs to be reverted to let x86 and arm64 ASan binaries run again. Future changes to the 64-bit PIE base on these architectures can be made optional once a more dynamic method for dealing with AddressSanitizer is found. (e.g. always loading PIE into the mmap region for marked binaries.) Link: http://lkml.kernel.org/r/20170807201542.GA21271@beast Fixes: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE") Fixes: 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB") Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Kostya Serebryany <kcc@google.com> Acked-by: Will Deacon <will.deacon@arm.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--arch/arm64/include/asm/elf.h4
-rw-r--r--arch/x86/include/asm/elf.h4
2 files changed, 4 insertions, 4 deletions
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index 9e11dbe1cec3..329c127e13dc 100644
--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -121,10 +121,10 @@ typedef struct user_fpsimd_state elf_fpregset_t;
121 121
122/* 122/*
123 * This is the base location for PIE (ET_DYN with INTERP) loads. On 123 * This is the base location for PIE (ET_DYN with INTERP) loads. On
124 * 64-bit, this is raised to 4GB to leave the entire 32-bit address 124 * 64-bit, this is above 4GB to leave the entire 32-bit address
125 * space open for things that want to use the area for 32-bit pointers. 125 * space open for things that want to use the area for 32-bit pointers.
126 */ 126 */
127#define ELF_ET_DYN_BASE 0x100000000UL 127#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
128 128
129/* 129/*
130 * When the program starts, a1 contains a pointer to a function to be 130 * When the program starts, a1 contains a pointer to a function to be
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index 07cf288b692e..bcd3d6199464 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -247,11 +247,11 @@ extern int force_personality32;
247 247
248/* 248/*
249 * This is the base location for PIE (ET_DYN with INTERP) loads. On 249 * This is the base location for PIE (ET_DYN with INTERP) loads. On
250 * 64-bit, this is raised to 4GB to leave the entire 32-bit address 250 * 64-bit, this is above 4GB to leave the entire 32-bit address
251 * space open for things that want to use the area for 32-bit pointers. 251 * space open for things that want to use the area for 32-bit pointers.
252 */ 252 */
253#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ 253#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
254 0x100000000UL) 254 (TASK_SIZE / 3 * 2))
255 255
256/* This yields a mask that user programs can use to figure out what 256/* This yields a mask that user programs can use to figure out what
257 instruction set this CPU supports. This could be done in user space, 257 instruction set this CPU supports. This could be done in user space,