[linux] 04/04: [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)

debian-kernel at lists.debian.org
Wed Apr 13 20:27:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit aac56d95723edd7bf6401dc6708b2e170552c2f3
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 13 21:25:22 2016 +0100

    [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
---
 debian/changelog                                   |  1 +
 ...nable-full-randomization-on-i386-and-x86_.patch | 80 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 82 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 094c951..931d898 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -238,6 +238,7 @@ linux (4.5.1-1) UNRELEASED; urgency=medium
     - validate e->target_offset early
     - make sure e->next_offset covers remaining blob size
   * ipv4: Don't do expensive useless work during inetdev destroy (CVE-2016-3156)
+  * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
 
   [ Aurelien Jarno ]
   * [mipsel/mips/config.loongson-2f] Disable VIDEO_CX23885, VIDEO_IVTV,
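Review bot: the changelog entry only restates the patch subject, whereas the netfilter entries just above carry explanatory sub-bullets; since this patch changes the legacy (bottom-up) mmap layout so that mmap_legacy_base is always randomized, consider adding a sub-bullet noting that it removes the "ulimit -s unlimited" ASLR bypass on i386 and X86_32 legacy mode, so users reading the changelog can see the behavioural change rather than just the CVE id.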
diff --git a/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch b/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
new file mode 100644
index 0000000..8520d38
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
@@ -0,0 +1,80 @@
+From: Hector Marco-Gisbert <hecmargi at upv.es>
+Date: Thu, 10 Mar 2016 20:51:00 +0100
+Subject: x86/mm/32: Enable full randomization on i386 and X86_32
+Origin: https://git.kernel.org/linus/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
+
+Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
+the stack and the executable are randomized but not other mmapped files
+(libraries, vDSO, etc.). This patch enables randomization for the
+libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
+
+By default on i386 there are 8 bits for the randomization of the libraries,
+vDSO and mmaps which only uses 1MB of VA.
+
+This patch preserves the original randomness, using 1MB of VA out of 3GB or
+4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
+
+The first obvious security benefit is that all objects are randomized (not
+only the stack and the executable) in legacy mode which highly increases
+the ASLR effectiveness, otherwise the attackers may use these
+non-randomized areas. But also sensitive setuid/setgid applications are
+more secure because currently, attackers can disable the randomization of
+these applications by setting the ulimit stack to "unlimited". This is a
+very old and widely known trick to disable the ASLR in i386 which has been
+allowed for too long.
+
+Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
+personality flag, but fortunately this doesn't work on setuid/setgid
+applications because there is security checks which clear Security-relevant
+flags.
+
+This patch always randomizes the mmap_legacy_base address, removing the
+possibility to disable the ASLR by setting the stack to "unlimited".
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi at upv.es>
+Acked-by: Ismael Ripoll Ripoll <iripoll at upv.es>
+Acked-by: Kees Cook <keescook at chromium.org>
+Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: akpm at linux-foundation.org
+Cc: kees Cook <keescook at chromium.org>
+Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ arch/x86/mm/mmap.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
+index 96bd1e2bffaf..389939f74dd5 100644
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
+ }
+ 
+ /*
+- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
+- * does, but not when emulating X86_32
+- */
+-static unsigned long mmap_legacy_base(unsigned long rnd)
+-{
+-	if (mmap_is_ia32())
+-		return TASK_UNMAPPED_BASE;
+-	else
+-		return TASK_UNMAPPED_BASE + rnd;
+-}
+-
+-/*
+  * This function, called very early during the creation of a new
+  * process VM image, sets up which VM layout function to use:
+  */
+@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+ 	if (current->flags & PF_RANDOMIZE)
+ 		random_factor = arch_mmap_rnd();
+ 
+-	mm->mmap_legacy_base = mmap_legacy_base(random_factor);
++	mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
+ 
+ 	if (mmap_is_legacy()) {
+ 		mm->mmap_base = mm->mmap_legacy_base;
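Review bot: the replacement line `mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` relies on random_factor being zero whenever PF_RANDOMIZE is clear (the ADDR_NO_RANDOMIZE / norandmaps case), but its initialisation is outside this hunk's context, so please confirm in the full arch_pick_mmap_layout() that it is initialised to 0 before the `if (current->flags & PF_RANDOMIZE)` guard; otherwise the non-randomized path would add an uninitialised offset. The removal of mmap_legacy_base() and its comment is otherwise consistent: the surviving `/*` at the top of the first hunk now opens the "This function, called very early" comment, and the Debian header carries an Origin: line but no reference to CVE-2016-3672, which only appears in the changelog; adding the CVE id to the patch header would keep the two in sync for later tracking.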
diff --git a/debian/patches/series b/debian/patches/series
index 7a725df..6a172db 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -141,3 +141,4 @@ bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
 bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
 bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch
 bugfix/all/ipv4-don-t-do-expensive-useless-work-during-inetdev-.patch
+bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git