mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes

Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000 broke AddressSanitizer. This is a partial revert of: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE") 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB") The AddressSanitizer tool has hard-coded expectations about where executable mappings are loaded. The motivation for changing the PIE base in the above commits was to avoid the Stack-Clash CVEs that allowed executable mappings to get too close to heap and stack. This was mainly a problem on 32-bit, but the 64-bit bases were moved too, in an effort to proactively protect those systems (proofs of concept do exist that show 64-bit collisions, but other recent changes to fix stack accounting and setuid behaviors will minimize the impact). The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC base), so only the 64-bit PIE base needs to be reverted to let x86 and arm64 ASan binaries run again. Future changes to the 64-bit PIE base on these architectures can be made optional once a more dynamic method for dealing with AddressSanitizer is found. (e.g. always loading PIE into the mmap region for marked binaries.) Link: http://lkml.kernel.org/r/20170807201542.GA21271@beast Fixes: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE") Fixes: 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB") Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Kostya Serebryany <kcc@google.com> Acked-by: Will Deacon <will.deacon@arm.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Kees Cook <keescook@chromium.org> 2017-08-18 18:16:31 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-08-18 18:32:02 -0400
commit: c715b72c1ba406f133217b509044c38d8e714a37 (patch)
tree: 0b8b674d1aada4584cf33d48bd9c75576a21a327
parent: 704b862f9efd6d4c87a8d0a344dda19bda9c6b69 (diff)
2 files changed, 4 insertions, 4 deletions
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index acae781f7359..3288c2b36731 100644
--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -114,10 +114,10 @@
 /*
 * This is the base location for PIE (ET_DYN with INTERP) loads. On
- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * 64-bit, this is above 4GB to leave the entire 32-bit address
 * space open for things that want to use the area for 32-bit pointers.
 */
-#define ELF_ET_DYN_BASE         0x100000000UL
+#define ELF_ET_DYN_BASE         (2 * TASK_SIZE_64 / 3)
 #ifndef __ASSEMBLY__
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index 1c18d83d3f09..9aeb91935ce0 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -247,11 +247,11 @@ extern int force_personality32;
 /*
 * This is the base location for PIE (ET_DYN with INTERP) loads. On
- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * 64-bit, this is above 4GB to leave the entire 32-bit address
 * space open for things that want to use the area for 32-bit pointers.
 */
 #define ELF_ET_DYN_BASE         (mmap_is_ia32() ? 0x000400000UL : \
-                                                  0x100000000UL)
+                                                  (TASK_SIZE / 3 * 2))
 /* This yields a mask that user programs can use to figure out what
   instruction set this CPU supports.  This could be done in user space,
author	Kees Cook <keescook@chromium.org>	2017-08-18 18:16:31 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-08-18 18:32:02 -0400
commit	c715b72c1ba406f133217b509044c38d8e714a37 (patch)
tree	0b8b674d1aada4584cf33d48bd9c75576a21a327
parent	704b862f9efd6d4c87a8d0a344dda19bda9c6b69 (diff)

diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index acae781f7359..3288c2b36731 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h
@@ -114,10 +114,10 @@
114		114
115	/*	115	/*
116	* This is the base location for PIE (ET_DYN with INTERP) loads. On	116	* This is the base location for PIE (ET_DYN with INTERP) loads. On
117	* 64-bit, this is raised to 4GB to leave the entire 32-bit address	117	* 64-bit, this is above 4GB to leave the entire 32-bit address
118	* space open for things that want to use the area for 32-bit pointers.	118	* space open for things that want to use the area for 32-bit pointers.
119	*/	119	*/
120	#define ELF_ET_DYN_BASE 0x100000000UL	120	#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
121		121
122	#ifndef __ASSEMBLY__	122	#ifndef __ASSEMBLY__
123		123


diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 1c18d83d3f09..9aeb91935ce0 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h
@@ -247,11 +247,11 @@ extern int force_personality32;
247		247
248	/*	248	/*
249	* This is the base location for PIE (ET_DYN with INTERP) loads. On	249	* This is the base location for PIE (ET_DYN with INTERP) loads. On
250	* 64-bit, this is raised to 4GB to leave the entire 32-bit address	250	* 64-bit, this is above 4GB to leave the entire 32-bit address
251	* space open for things that want to use the area for 32-bit pointers.	251	* space open for things that want to use the area for 32-bit pointers.
252	*/	252	*/
253	#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \	253	#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
254	0x100000000UL)	254	(TASK_SIZE / 3 * 2))
255		255
256	/* This yields a mask that user programs can use to figure out what	256	/* This yields a mask that user programs can use to figure out what
257	instruction set this CPU supports. This could be done in user space,	257	instruction set this CPU supports. This could be done in user space,