[x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
This commit is contained in:
parent
e01d7b854c
commit
aac56d9572
@ -238,6 +238,7 @@ linux (4.5.1-1) UNRELEASED; urgency=medium
- validate e->target_offset early
- make sure e->next_offset covers remaining blob size
* ipv4: Don't do expensive useless work during inetdev destroy (CVE-2016-3156)
* [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
[ Aurelien Jarno ]
* [mipsel/mips/config.loongson-2f] Disable VIDEO_CX23885, VIDEO_IVTV,
80
debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
vendored
Normal file
@ -0,0 +1,80 @@
From: Hector Marco-Gisbert <hecmargi@upv.es>
Date: Thu, 10 Mar 2016 20:51:00 +0100
Subject: x86/mm/32: Enable full randomization on i386 and X86_32
Origin: https://git.kernel.org/linus/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb

Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
the stack and the executable are randomized but not other mmapped files
(libraries, vDSO, etc.). This patch enables randomization for the
libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.

By default on i386 there are 8 bits for the randomization of the libraries,
vDSO and mmaps which only use 1MB of VA.

This patch preserves the original randomness, using 1MB of VA out of 3GB or
4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.

The first obvious security benefit is that all objects are randomized (not
only the stack and the executable) in legacy mode which highly increases
the ASLR effectiveness, otherwise the attackers may use these
non-randomized areas. But also sensitive setuid/setgid applications are
more secure because currently, attackers can disable the randomization of
these applications by setting the ulimit stack to "unlimited". This is a
very old and widely known trick to disable the ASLR in i386 which has been
allowed for too long.

Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
personality flag, but fortunately this doesn't work on setuid/setgid
applications because there are security checks which clear security-relevant
flags.

This patch always randomizes the mmap_legacy_base address, removing the
possibility to disable the ASLR by setting the stack to "unlimited".

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Acked-by: Ismael Ripoll Ripoll <iripoll@upv.es>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: akpm@linux-foundation.org
Cc: Kees Cook <keescook@chromium.org>
Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/mm/mmap.c | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2bffaf..389939f74dd5 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
}
/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
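Review bot: with mmap_legacy_base() deleted, nothing left in this file documents that the bottom-up layout is now randomized for ia32 tasks too; the removed comment ("Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 does, but not when emulating X86_32") was the only place that distinction was written down, and a later reader could re-add an mmap_is_ia32() special case without knowing it was removed on purpose. Suggest folding one line into the surviving comment above arch_pick_mmap_layout(), e.g. " * The legacy (bottom-up) base is randomized on every layout, ia32 included.", so the intent survives the deletion.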
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
if (current->flags & PF_RANDOMIZE)
random_factor = arch_mmap_rnd();
- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;
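Review bot: `+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` drops the mmap_is_ia32() branch but carries no bound of its own on random_factor for the 32-bit case; it is whatever arch_mmap_rnd() returns, and the "8 bits ... 1MB of VA" figure in the commit message only holds if arch_mmap_rnd() already masks to the ia32 range for compat tasks. Please state in the message that it does (and where), since a larger factor would push the bottom-up base above TASK_UNMAPPED_BASE by more than the 1MB the message budgets. Also, "always randomizes the mmap_legacy_base address" is conditional on PF_RANDOMIZE, as the two context lines above this change show (`if (current->flags & PF_RANDOMIZE)` / `random_factor = arch_mmap_rnd();`): with randomization disabled for a non-setuid process the legacy base is still exactly TASK_UNMAPPED_BASE, which is worth saying so the message is not read as a claim about ADDR_NO_RANDOMIZE too.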
@ -141,3 +141,4 @@ bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch
bugfix/all/ipv4-don-t-do-expensive-useless-work-during-inetdev-.patch
bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
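The commit message describes the "ulimit -s unlimited" trick: an unlimited RLIMIT_STACK makes the kernel pick the legacy bottom-up layout at exec time, and before this patch that layout placed ia32 mmaps at a fixed TASK_UNMAPPED_BASE. The following probe is an added example, not code from the Debian commit or the upstream patch, for checking a kernel for exactly that behaviour. It re-executes itself (assumed reachable as /proc/self/exe) with the stack rlimit raised to RLIM_INFINITY, has each child map one anonymous page as a stand-in for the mmap base, and counts distinct addresses over 16 runs; the run count and the use of an anonymous page rather than a library base are this example's choices, not the page's. On an x86_64 kernel the native legacy base was already randomized, so build with -m32 to exercise the ia32 path this patch changes.

```c
/* Added example (not from the Debian commit or the upstream patch): probe
 * whether the legacy (bottom-up) mmap base is randomized when RLIMIT_STACK
 * is unlimited, i.e. under the "ulimit -s unlimited" trick. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define RUNS 16  /* assumption: with 8 random bits, 16 samples are plenty */

/* Number of distinct values in addrs[0..n). */
size_t count_distinct(const unsigned long *addrs, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++)
            seen = (addrs[j] == addrs[i]);
        distinct += !seen;
    }
    return distinct;
}

/* Verdict: at least two samples and not all of them identical. Sixteen
 * identical addresses from an 8-bit randomized base is vanishingly unlikely,
 * so a single repeated address means the base is fixed. */
int mmap_base_looks_randomized(const unsigned long *addrs, size_t n)
{
    return n >= 2 && count_distinct(addrs, n) > 1;
}

/* Child side: map one anonymous page and report where it landed. */
static int child_probe(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    printf("%lx\n", (unsigned long)p);
    return 0;
}

/* Parent side: re-exec ourselves with an unlimited stack rlimit (inherited
 * across exec, so arch_pick_mmap_layout() sees it and selects the legacy
 * layout) and parse the address the child prints. 0 on success. */
static int run_probe(const char *self, unsigned long *out)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
        if (setrlimit(RLIMIT_STACK, &rl) != 0) /* hard limit must be unlimited */
            _exit(3);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl(self, self, "--probe", (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    char buf[64] = { 0 };
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    *out = strtoul(buf, NULL, 16);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return child_probe();

    unsigned long addrs[RUNS];
    for (int i = 0; i < RUNS; i++) {
        if (run_probe("/proc/self/exe", &addrs[i]) != 0) {
            fprintf(stderr, "probe %d failed (stack hard limit not unlimited?)\n", i);
            return 1;
        }
        printf("run %2d: anonymous mmap at %lx\n", i, addrs[i]);
    }
    int ok = mmap_base_looks_randomized(addrs, RUNS);
    printf("%zu distinct addresses in %d runs: legacy mmap base %s\n",
           count_distinct(addrs, RUNS), RUNS, ok ? "randomized" : "NOT randomized");
    return ok ? 0 : 2;
}
```

Build with `gcc -m32 -O2 -o legacy_aslr legacy_aslr.c` (a 32-bit libc is needed) and run it once; an exit status of 2 with one repeated address is the pre-patch behaviour the commit message describes, while a kernel carrying this patch prints a spread of addresses and exits 0. Running the same binary without raising the rlimit would not distinguish the two, because the top-down layout was randomized before and after the change; the probe deliberately forces the legacy layout because that is the only path the patch touches.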