authorKees Cook <keescook@chromium.org>2017-08-18 18:16:31 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2017-08-18 18:32:02 -0400
commitc715b72c1ba406f133217b509044c38d8e714a37 (patch)
tree0b8b674d1aada4584cf33d48bd9c75576a21a327
parent704b862f9efd6d4c87a8d0a344dda19bda9c6b69 (diff)
mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000 broke AddressSanitizer. This is a partial revert of: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE") 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB") The AddressSanitizer tool has hard-coded expectations about where executable mappings are loaded. The motivation for changing the PIE base in the above commits was to avoid the Stack-Clash CVEs that allowed executable mappings to get too close to heap and stack. This was mainly a problem on 32-bit, but the 64-bit bases were moved too, in an effort to proactively protect those systems (proofs of concept do exist that show 64-bit collisions, but other recent changes to fix stack accounting and setuid behaviors will minimize the impact). The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC base), so only the 64-bit PIE base needs to be reverted to let x86 and arm64 ASan binaries run again. Future changes to the 64-bit PIE base on these architectures can be made optional once a more dynamic method for dealing with AddressSanitizer is found. (e.g. always loading PIE into the mmap region for marked binaries.) Link: http://lkml.kernel.org/r/20170807201542.GA21271@beast Fixes: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE") Fixes: 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB") Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Kostya Serebryany <kcc@google.com> Acked-by: Will Deacon <will.deacon@arm.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--arch/arm64/include/asm/elf.h4
-rw-r--r--arch/x86/include/asm/elf.h4
2 files changed, 4 insertions, 4 deletions
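--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -114,10 +114,10 @@
 
 /*
  * This is the base location for PIE (ET_DYN with INTERP) loads. On
- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * 64-bit, this is above 4GB to leave the entire 32-bit address
  * space open for things that want to use the area for 32-bit pointers.
  */
-#define ELF_ET_DYN_BASE 0x100000000UL
+#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
 
 #ifndef __ASSEMBLY__
 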
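Review bot: The new ELF_ET_DYN_BASE value carries no hint of why it is two thirds of TASK_SIZE_64 rather than the 4GB the surrounding comment still alludes to, so the next person hardening this base is likely to repeat exactly the move this commit reverts; the same applies to the x86 hunk in arch/x86/include/asm/elf.h. The commit message records the constraint (AddressSanitizer has hard-coded expectations about where executable mappings are loaded) but the header comment does not, and that is where a maintainer will look. I would add a line to the comment block such as `* Do not move this back down towards 4GB: AddressSanitizer hard-codes where executable mappings are loaded (see commit c715b72c1ba4).` The reworded "above 4GB" claim is presumably true for every supported VA size, but it now depends on TASK_SIZE_64 rather than a literal, which the comment could say outright.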
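--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -247,11 +247,11 @@ extern int force_personality32;
 
 /*
  * This is the base location for PIE (ET_DYN with INTERP) loads. On
- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * 64-bit, this is above 4GB to leave the entire 32-bit address
  * space open for things that want to use the area for 32-bit pointers.
  */
 #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
-					  0x100000000UL)
+					  (TASK_SIZE / 3 * 2))
 
 /* This yields a mask that user programs can use to figure out what
    instruction set this CPU supports. This could be done in user space,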
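Review bot: The 64-bit branch of ELF_ET_DYN_BASE is written as `TASK_SIZE / 3 * 2` here while the arm64 hunk writes the same quantity as `2 * TASK_SIZE_64 / 3`; under integer division the two forms can differ by up to two bytes whenever the size is not a multiple of three, and neither result is necessarily page-aligned. That is presumably harmless if the ELF loader page-aligns the load bias, which is not visible in this hunk, but writing both architectures the same way, e.g. `(2 * TASK_SIZE / 3))`, would make the intended value obvious to a reader comparing the two headers. The `#define` is complete within the hunk.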