The patch titled Subject: mm: split ET_DYN ASLR from mmap ASLR has been added to the -mm tree. Its filename is mm-split-et_dyn-aslr-from-mmap-aslr.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-split-et_dyn-aslr-from-mmap-aslr.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-split-et_dyn-aslr-from-mmap-aslr.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Kees Cook <keescook@xxxxxxxxxxxx> Subject: mm: split ET_DYN ASLR from mmap ASLR This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips, powerpc, and x86. The problem is that if there is a leak of ASLR from the executable (ET_DYN), it means a leak of shared library offset as well (mmap), and vice versa. Further details and a PoC of this attack is available here: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html With this patch, a PIE linked executable (ET_DYN) has its own ASLR region: $ ./show_mmaps_pie 54859ccd6000-54859ccd7000 r-xp ... /tmp/show_mmaps_pie 54859ced6000-54859ced7000 r--p ... /tmp/show_mmaps_pie 54859ced7000-54859ced8000 rw-p ... /tmp/show_mmaps_pie 7f75be764000-7f75be91f000 r-xp ... /lib/x86_64-linux-gnu/libc.so.6 7f75be91f000-7f75beb1f000 ---p ... /lib/x86_64-linux-gnu/libc.so.6 7f75beb1f000-7f75beb23000 r--p ... /lib/x86_64-linux-gnu/libc.so.6 7f75beb23000-7f75beb25000 rw-p ... /lib/x86_64-linux-gnu/libc.so.6 7f75beb25000-7f75beb2a000 rw-p ... 7f75beb2a000-7f75beb4d000 r-xp ... /lib64/ld-linux-x86-64.so.2 7f75bed45000-7f75bed46000 rw-p ... 7f75bed46000-7f75bed47000 r-xp ... 7f75bed47000-7f75bed4c000 rw-p ... 7f75bed4c000-7f75bed4d000 r--p ... /lib64/ld-linux-x86-64.so.2 7f75bed4d000-7f75bed4e000 rw-p ... /lib64/ld-linux-x86-64.so.2 7f75bed4e000-7f75bed4f000 rw-p ... 7fffb3741000-7fffb3762000 rw-p ... [stack] 7fffb377b000-7fffb377d000 r--p ... [vvar] 7fffb377d000-7fffb377f000 r-xp ... [vdso] The change is to add a call the newly created arch_mmap_rnd() into the ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR, as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE, which is no longer needed. Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Reported-by: Hector Marco-Gisbert <hecmargi@xxxxxx> Cc: Russell King <linux@xxxxxxxxxxxxxxxx> Cc: Ingo Molnar <mingo@xxxxxxxxxx> Cc: Catalin Marinas <catalin.marinas@xxxxxxx> Cc: Will Deacon <will.deacon@xxxxxxx> Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx> Cc: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx> Cc: Paul Mackerras <paulus@xxxxxxxxx> Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx> Cc: Martin Schwidefsky <schwidefsky@xxxxxxxxxx> Cc: Heiko Carstens <heiko.carstens@xxxxxxxxxx> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Oleg Nesterov <oleg@xxxxxxxxxx> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx> Cc: "David A. Long" <dave.long@xxxxxxxxxx> Cc: Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx> Cc: Arun Chandran <achandran@xxxxxxxxxx> Cc: Yann Droneaud <ydroneaud@xxxxxxxxxx> Cc: Min-Hua Chen <orca.chen@xxxxxxxxx> Cc: Paul Burton <paul.burton@xxxxxxxxxx> Cc: Alex Smith <alex@xxxxxxxxxxxxxxxx> Cc: Markos Chandras <markos.chandras@xxxxxxxxxx> Cc: Vineeth Vijayan <vvijayan@xxxxxxxxxx> Cc: Jeff Bailey <jeffbailey@xxxxxxxxxx> Cc: Michael Holzheu <holzheu@xxxxxxxxxxxxxxxxxx> Cc: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Cc: Behan Webster <behanw@xxxxxxxxxxxxxxxxxx> Cc: Ismael Ripoll <iripoll@xxxxxx> Cc: Jan-Simon Mller <dl9pf@xxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- arch/arm/Kconfig | 1 - arch/arm64/Kconfig | 1 - arch/mips/Kconfig | 1 - arch/powerpc/Kconfig | 1 - arch/s390/include/asm/elf.h | 5 ++--- arch/s390/mm/mmap.c | 8 -------- arch/x86/Kconfig | 1 - fs/Kconfig.binfmt | 3 --- fs/binfmt_elf.c | 18 ++++-------------- 9 files changed, 6 insertions(+), 33 deletions(-) diff -puN arch/arm/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr arch/arm/Kconfig --- a/arch/arm/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/arm/Kconfig @@ -1,7 +1,6 @@ config ARM bool default y - select ARCH_BINFMT_ELF_RANDOMIZE_PIE select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE select ARCH_HAS_ELF_RANDOMIZE select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST diff -puN arch/arm64/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr arch/arm64/Kconfig --- a/arch/arm64/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/arm64/Kconfig @@ -1,6 +1,5 @@ config ARM64 def_bool y - select ARCH_BINFMT_ELF_RANDOMIZE_PIE select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE select ARCH_HAS_ELF_RANDOMIZE select ARCH_HAS_GCOV_PROFILE_ALL diff -puN arch/mips/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr arch/mips/Kconfig --- a/arch/mips/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/mips/Kconfig @@ -23,7 +23,6 @@ config MIPS select HAVE_KRETPROBES select HAVE_DEBUG_KMEMLEAK select HAVE_SYSCALL_TRACEPOINTS - select ARCH_BINFMT_ELF_RANDOMIZE_PIE select ARCH_HAS_ELF_RANDOMIZE select HAVE_ARCH_TRANSPARENT_HUGEPAGE if CPU_SUPPORTS_HUGEPAGES && 64BIT select RTC_LIB if !MACH_LOONGSON diff -puN arch/powerpc/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr arch/powerpc/Kconfig --- a/arch/powerpc/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/powerpc/Kconfig @@ -88,7 +88,6 @@ config PPC select ARCH_MIGHT_HAVE_PC_PARPORT select ARCH_MIGHT_HAVE_PC_SERIO select BINFMT_ELF - select ARCH_BINFMT_ELF_RANDOMIZE_PIE select ARCH_HAS_ELF_RANDOMIZE select OF select OF_EARLY_FLATTREE diff -puN arch/s390/include/asm/elf.h~mm-split-et_dyn-aslr-from-mmap-aslr arch/s390/include/asm/elf.h --- a/arch/s390/include/asm/elf.h~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/s390/include/asm/elf.h @@ -163,10 +163,9 @@ extern unsigned int vdso_enabled; the loader. We need to make sure that it is out of the way of the program that it will "exec", and that there is sufficient room for the brk. 64-bit tasks are aligned to 4GB. */ -extern unsigned long randomize_et_dyn(void); -#define ELF_ET_DYN_BASE (randomize_et_dyn() + (is_32bit_task() ? \ +#define ELF_ET_DYN_BASE (is_32bit_task() ? \ (STACK_TOP / 3 * 2) : \ - (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1))) + (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1)) /* This yields a mask that user programs can use to figure out what instruction set this CPU supports. */ diff -puN arch/s390/mm/mmap.c~mm-split-et_dyn-aslr-from-mmap-aslr arch/s390/mm/mmap.c --- a/arch/s390/mm/mmap.c~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/s390/mm/mmap.c @@ -177,14 +177,6 @@ arch_get_unmapped_area_topdown(struct fi return addr; } -unsigned long randomize_et_dyn(void) -{ - if (current->flags & PF_RANDOMIZE) - return arch_mmap_rnd(); - - return 0UL; -} - #ifndef CONFIG_64BIT /* diff -puN arch/x86/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr arch/x86/Kconfig --- a/arch/x86/Kconfig~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/arch/x86/Kconfig @@ -87,7 +87,6 @@ config X86 select HAVE_ARCH_KMEMCHECK select HAVE_ARCH_KASAN if X86_64 && SPARSEMEM_VMEMMAP select HAVE_USER_RETURN_NOTIFIER - select ARCH_BINFMT_ELF_RANDOMIZE_PIE select ARCH_HAS_ELF_RANDOMIZE select HAVE_ARCH_JUMP_LABEL select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE diff -puN fs/Kconfig.binfmt~mm-split-et_dyn-aslr-from-mmap-aslr fs/Kconfig.binfmt --- a/fs/Kconfig.binfmt~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/fs/Kconfig.binfmt @@ -27,9 +27,6 @@ config COMPAT_BINFMT_ELF bool depends on COMPAT && BINFMT_ELF -config ARCH_BINFMT_ELF_RANDOMIZE_PIE - bool - config ARCH_BINFMT_ELF_STATE bool diff -puN fs/binfmt_elf.c~mm-split-et_dyn-aslr-from-mmap-aslr fs/binfmt_elf.c --- a/fs/binfmt_elf.c~mm-split-et_dyn-aslr-from-mmap-aslr +++ a/fs/binfmt_elf.c @@ -31,6 +31,7 @@ #include <linux/security.h> #include <linux/random.h> #include <linux/elf.h> +#include <linux/elf-randomize.h> #include <linux/utsname.h> #include <linux/coredump.h> #include <linux/sched.h> @@ -909,21 +910,10 @@ static int load_elf_binary(struct linux_ * default mmap base, as well as whatever program they * might try to exec. This is because the brk will * follow the loader, and is not movable. */ -#ifdef CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE - /* Memory randomization might have been switched off - * in runtime via sysctl or explicit setting of - * personality flags. - * If that is the case, retain the original non-zero - * load_bias value in order to establish proper - * non-randomized mappings. - */ + load_bias = ELF_ET_DYN_BASE - vaddr; if (current->flags & PF_RANDOMIZE) - load_bias = 0; - else - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); -#else - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); -#endif + load_bias += arch_mmap_rnd(); + load_bias = ELF_PAGESTART(load_bias); } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, _ Patches currently in -mm which might be from keescook@xxxxxxxxxxxx are arm-factor-out-mmap-aslr-into-mmap_rnd.patch x86-standardize-mmap_rnd-usage.patch arm64-standardize-mmap_rnd-usage.patch mips-extract-logic-for-mmap_rnd.patch powerpc-standardize-mmap_rnd-usage.patch s390-standardize-mmap_rnd-usage.patch mm-expose-arch_mmap_rnd-when-available.patch s390-redefine-randomize_et_dyn-for-elf_et_dyn_base.patch mm-split-et_dyn-aslr-from-mmap-aslr.patch mm-fold-arch_randomize_brk-into-arch_has_elf_randomize.patch lib-vsprintf-add-%pt-format-specifier.patch linux-next.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html