x86: PIE executable randomization

main executable of (specially compiled/linked -pie/-fpie) ET_DYN binaries
onto a random address (in cases in which mmap() is allowed to perform a
randomization).

The code has been extraced from Ingo's exec-shield patch
http://people.redhat.com/mingo/exec-shield/

[akpm@linux-foundation.org: fix used-uninitialsied warning]
[kamezawa.hiroyu@jp.fujitsu.com: fixed ia32 ELF on x86_64 handling]

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Arjan van de Ven <arjan@infradead.org>
Cc: Roland McGrath <roland@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: "Luck, Tony" <tony.luck@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

1 files changed, 98 insertions, 0 deletions

diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index 907942ee6e76..95485e63fd2f 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -12,6 +12,7 @@
 #include <linux/file.h>
 #include <linux/utsname.h>
 #include <linux/personality.h>
+#include <linux/random.h>
 
 #include <asm/uaccess.h>
 #include <asm/ia32.h>
@@ -65,6 +66,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
                            unsigned long *end)
 {
         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
+                unsigned long new_begin;
                 /* This is usually used needed to map code in small
                    model, so it needs to be in the first 31bit. Limit
                    it to that.  This means we need to move the
@@ -74,6 +76,11 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
                    of playground for now. -AK */ 
                 *begin = 0x40000000; 
                 *end = 0x80000000;              
+                if (current->flags & PF_RANDOMIZE) {
+                        new_begin = randomize_range(*begin, *begin + 0x02000000, 0);
+                        if (new_begin)
+                                *begin = new_begin;
+                }
         } else {
                 *begin = TASK_UNMAPPED_BASE;
                 *end = TASK_SIZE; 
@@ -143,6 +150,97 @@ full_search:
         }
 }
 
+
+unsigned long
+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+                          const unsigned long len, const unsigned long pgoff,
+                          const unsigned long flags)
+{
+        struct vm_area_struct *vma;
+        struct mm_struct *mm = current->mm;
+        unsigned long addr = addr0;
+
+        /* requested length too big for entire address space */
+        if (len > TASK_SIZE)
+                return -ENOMEM;
+
+        if (flags & MAP_FIXED)
+                return addr;
+
+        /* for MAP_32BIT mappings we force the legact mmap base */
+        if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
+                goto bottomup;
+
+        /* requesting a specific address */
+        if (addr) {
+                addr = PAGE_ALIGN(addr);
+                vma = find_vma(mm, addr);
+                if (TASK_SIZE - len >= addr &&
+                                (!vma || addr + len <= vma->vm_start))
+                        return addr;
+        }
+
+        /* check if free_area_cache is useful for us */
+        if (len <= mm->cached_hole_size) {
+                mm->cached_hole_size = 0;
+                mm->free_area_cache = mm->mmap_base;
+        }
+
+        /* either no address requested or can't fit in requested address hole */
+        addr = mm->free_area_cache;
+
+        /* make sure it can fit in the remaining address space */
+        if (addr > len) {
+                vma = find_vma(mm, addr-len);
+                if (!vma || addr <= vma->vm_start)
+                        /* remember the address as a hint for next time */
+                        return (mm->free_area_cache = addr-len);
+        }
+
+        if (mm->mmap_base < len)
+                goto bottomup;
+
+        addr = mm->mmap_base-len;
+
+        do {
+                /*
+                 * Lookup failure means no vma is above this address,
+                 * else if new region fits below vma->vm_start,
+                 * return with success:
+                 */
+                vma = find_vma(mm, addr);
+                if (!vma || addr+len <= vma->vm_start)
+                        /* remember the address as a hint for next time */
+                        return (mm->free_area_cache = addr);
+
+                /* remember the largest hole we saw so far */
+                if (addr + mm->cached_hole_size < vma->vm_start)
+                        mm->cached_hole_size = vma->vm_start - addr;
+
+                /* try just below the current vma->vm_start */
+                addr = vma->vm_start-len;
+        } while (len < vma->vm_start);
+
+bottomup:
+        /*
+         * A failed mmap() very likely causes application failure,
+         * so fall back to the bottom-up function here. This scenario
+         * can happen with large stack limits and large mmap()
+         * allocations.
+         */
+        mm->cached_hole_size = ~0UL;
+        mm->free_area_cache = TASK_UNMAPPED_BASE;
+        addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
+        /*
+         * Restore the topdown base:
+         */
+        mm->free_area_cache = mm->mmap_base;
+        mm->cached_hole_size = ~0UL;
+
+        return addr;
+}
+
+
 asmlinkage long sys_uname(struct new_utsname __user * name)
 {
         int err;