Hello!
On 08.08.2019 9:17, Alexandre Ghiti wrote:
This commit takes care of stack randomization and stack guard gap when
computing mmap base address and checks if the task asked for randomization.
This fixes the problem uncovered and not fixed for arm here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@xxxxxxxxxx
Signed-off-by: Alexandre Ghiti <alex@xxxxxxxx>
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
Acked-by: Paul Burton <paul.burton@xxxxxxxx>
Reviewed-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>
---
 arch/mips/mm/mmap.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
index d79f2b432318..f5c778113384 100644
--- a/arch/mips/mm/mmap.c
+++ b/arch/mips/mm/mmap.c
@@ -21,8 +21,9 @@ unsigned long shm_align_mask = PAGE_SIZE - 1;ÂÂÂ /* Sane caches */
 EXPORT_SYMBOL(shm_align_mask);
  /* gap between mmap and stack */
-#define MIN_GAP (128*1024*1024UL)
-#define MAX_GAP ((TASK_SIZE)/6*5)
+#define MIN_GAPÂÂÂÂÂÂÂ (128*1024*1024UL)
+#define MAX_GAPÂÂÂÂÂÂÂ ((TASK_SIZE)/6*5)
ÂÂ Could add spaces around *, while touching this anyway? And parens
around TASK_SIZE shouldn't be needed...
+#define STACK_RND_MASKÂÂÂ (0x7ff >> (PAGE_SHIFT - 12))
  static int mmap_is_legacy(struct rlimit *rlim_stack)
 {
@@ -38,6 +39,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack)
 static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack)
 {
ÂÂÂÂÂ unsigned long gap = rlim_stack->rlim_cur;
+ÂÂÂ unsigned long pad = stack_guard_gap;
+
+ÂÂÂ /* Account for stack randomization if necessary */
+ÂÂÂ if (current->flags & PF_RANDOMIZE)
+ÂÂÂÂÂÂÂ pad += (STACK_RND_MASK << PAGE_SHIFT);
ÂÂ Parens not needed here.
+
+ÂÂÂ /* Values close to RLIM_INFINITY can overflow. */
+ÂÂÂ if (gap + pad > gap)
+ÂÂÂÂÂÂÂ gap += pad;
 Â if (gap < MIN_GAP)
ÂÂÂÂÂÂÂÂÂ gap = MIN_GAP;
_______________________________________________
linux-riscv mailing list
linux-riscv@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/linux-riscv