From 0134b5c8b96ecebce9e97a24dd6cec33cb087dd6 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sat, 12 Aug 2017 23:03:10 +0100
Subject: [PATCH] [amd64,arm64] mm: Revert x86_64 and arm64 ELF_ET_DYN_BASE base (Closes: #869090)
---
 debian/changelog | 2 +
 ...86_64-and-arm64-elf_et_dyn_base-base.patch | 71 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 74 insertions(+)
 create mode 100644 debian/patches/bugfix/all/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base.patch

diff --git a/debian/changelog b/debian/changelog
index 597f2c6f4..73832c5eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,6 +43,8 @@ linux (4.12.6-1) UNRELEASED; urgency=medium
 * bfq: Enable auto-loading when built as a module
 * netfilter: Enable NFT_FIB_IPV4, NFT_FIB_IPV6, NFT_FIB_INET as modules
 (Closes: #868803)
+ * [amd64,arm64] mm: Revert x86_64 and arm64 ELF_ET_DYN_BASE base
+ (Closes: #869090)

 [ Salvatore Bonaccorso ]
 * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
diff --git a/debian/patches/bugfix/all/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base.patch b/debian/patches/bugfix/all/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base.patch
new file mode 100644
index 000000000..a345e219e
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base.patch
@@ -0,0 +1,71 @@
+From: Kees Cook
+Date: Mon, 07 Aug 2017 20:15:42 +0000
+Subject: mm: Revert x86_64 and arm64 ELF_ET_DYN_BASE base
+Origin: https://marc.info/?l=linux-arm-kernel&m=150213698426008&w=2
+Bug-Debian: https://bugs.debian.org/869090
+
+Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000
+broke AddressSanitizer. This is a partial revert of:
+
+ commit eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
+ commit 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
+
+The AddressSanitizer tool has hard-coded expectations about where
+executable mappings are loaded. The motivation for changing the PIE
+base in the above commits was to avoid the Stack-Clash CVEs that
+allowed executable mappings to get too close to heap and stack. This
+was mainly a problem on 32-bit, but the 64-bit bases were moved too,
+in an effort to proactively protect those systems (proofs of concept
+do exist that show 64-bit collisions, but other recent changes to fix
+stack accounting and setuid behaviors will minimize the impact).
+
+The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC
+base), so only the 64-bit PIE base needs to be reverted to let x86 and
+arm64 ASan binaries run again. Future changes to the 64-bit PIE base on
+these architectures can be made optional once a more dynamic method for
+dealing with AddressSanitizer is found. (e.g. always loading PIE into
+the mmap region for marked binaries.)
+
+Reported-by: Kostya Serebryany
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook
+---
+ arch/arm64/include/asm/elf.h | 4 ++--
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index acae781f7359..3288c2b36731 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -114,10 +114,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * 64-bit, this is above 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#define ELF_ET_DYN_BASE 0x100000000UL
++#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 1c18d83d3f09..9aeb91935ce0 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -247,11 +247,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * 64-bit, this is above 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- 0x100000000UL)
++ (TASK_SIZE / 3 * 2))
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
diff --git a/debian/patches/series b/debian/patches/series
index 8b9ad8b8d..ed0a66bda 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,6 +62,7 @@ bugfix/x86/platform-x86-ideapad-laptop-add-several-models-to-no.patch
 bugfix/mips/mips-octeon-fix-broken-edac-driver.patch
 debian/revert-gpu-host1x-add-iommu-support.patch
 bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
+bugfix/all/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base.patch

 # Arch features
 features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch
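Review bot: The `Origin:` trailer of the added patch file points at a mailing-list posting rather than a merged commit, so there is nothing to match against when the 4.12.y stable series picks the change up (the patch carries `Cc: stable@vger.kernel.org`); once it lands, replace the trailer with the upstream reference, e.g. `Origin: <UPSTREAM-COMMIT-URL>` filled in with the real commit, so the patch can be dropped cleanly on the next stable rebase. The patch also knowingly trades hardening for tooling compatibility: moving the 64-bit PIE base back to two thirds of `TASK_SIZE` gives up the proactive separation from heap and stack that the upstream message describes as the reason the 64-bit bases were moved, while the changelog entry in the first hunk says only "Revert" and does not record that regression, which anyone auditing the hardening state of this kernel would want stated. The two restored definitions are written differently (`(2 * TASK_SIZE_64 / 3)` on arm64 versus `(TASK_SIZE / 3 * 2)` on x86); presumably this reproduces the pre-change upstream code rather than a transcription slip, but it is worth confirming against the two commits named as being reverted.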