[linux] 01/02: Add fix for CVE-2016-3672

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Apr 30 17:57:41 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit c3388eef62c30bc684ec489fb540c089122fa720
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Apr 30 19:40:16 2016 +0200

    Add fix for CVE-2016-3672
---
 debian/changelog                                   |   2 +
 ...ble-full-randomization-on-i386-and-x86_32.patch |  79 ++++++++++++++++
 .../x86/x86-standardize-mmap_rnd-usage.patch       | 101 +++++++++++++++++++++
 debian/patches/series                              |   2 +
 4 files changed, 184 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c4338a7..7069151 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ linux (3.2.78-1+deb7u1) UNRELEASED; urgency=medium
   * include/linux/poison.h: fix LIST_POISON{1,2} offset (CVE-2016-0821)
   * [s390*] mm: four page table levels vs. fork (CVE-2016-2143)
   * [amd64] iopl: Properly context-switch IOPL on Xen PV (CVE-2016-3157)
+  * [x86] standardize mmap_rnd() usage
+  * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
 
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch b/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
new file mode 100644
index 0000000..142ca5d
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
@@ -0,0 +1,79 @@
+From: Hector Marco-Gisbert <hecmargi at upv.es>
+Date: Thu, 10 Mar 2016 20:51:00 +0100
+Subject: x86/mm/32: Enable full randomization on i386 and X86_32
+Origin: https://git.kernel.org/linus/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
+
+Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
+the stack and the executable are randomized but not other mmapped files
+(libraries, vDSO, etc.). This patch enables randomization for the
+libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
+
+By default on i386 there are 8 bits for the randomization of the libraries,
+vDSO and mmaps which only uses 1MB of VA.
+
+This patch preserves the original randomness, using 1MB of VA out of 3GB or
+4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
+
+The first obvious security benefit is that all objects are randomized (not
+only the stack and the executable) in legacy mode which highly increases
+the ASLR effectiveness, otherwise the attackers may use these
+non-randomized areas. But also sensitive setuid/setgid applications are
+more secure because currently, attackers can disable the randomization of
+these applications by setting the ulimit stack to "unlimited". This is a
+very old and widely known trick to disable the ASLR in i386 which has been
+allowed for too long.
+
+Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
+personality flag, but fortunately this doesn't work on setuid/setgid
+applications because there is security checks which clear Security-relevant
+flags.
+
+This patch always randomizes the mmap_legacy_base address, removing the
+possibility to disable the ASLR by setting the stack to "unlimited".
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi at upv.es>
+Acked-by: Ismael Ripoll Ripoll <iripoll at upv.es>
+Acked-by: Kees Cook <keescook at chromium.org>
+Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: akpm at linux-foundation.org
+Cc: kees Cook <keescook at chromium.org>
+Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/mm/mmap.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned
+ }
+ 
+ /*
+- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
+- * does, but not when emulating X86_32
+- */
+-static unsigned long mmap_legacy_base(unsigned long rnd)
+-{
+-	if (mmap_is_ia32())
+-		return TASK_UNMAPPED_BASE;
+-	else
+-		return TASK_UNMAPPED_BASE + rnd;
+-}
+-
+-/*
+  * This function, called very early during the creation of a new
+  * process VM image, sets up which VM layout function to use:
+  */
+@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_str
+ 	if (current->flags & PF_RANDOMIZE)
+ 		random_factor = mmap_rnd();
+ 
+-	mm->mmap_legacy_base = mmap_legacy_base(random_factor);
++	mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
+ 
+ 	if (mmap_is_legacy()) {
+ 		mm->mmap_base = mm->mmap_legacy_base;
diff --git a/debian/patches/bugfix/x86/x86-standardize-mmap_rnd-usage.patch b/debian/patches/bugfix/x86/x86-standardize-mmap_rnd-usage.patch
new file mode 100644
index 0000000..8b9653a
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-standardize-mmap_rnd-usage.patch
@@ -0,0 +1,101 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:45 -0700
+Subject: x86: standardize mmap_rnd() usage
+Origin: https://git.kernel.org/linus/82168140bc4cec7ec9bad39705518541149ff8b7
+
+In preparation for splitting out ET_DYN ASLR, this refactors the use of
+mmap_rnd() to be used similarly to arm, and extracts the checking of
+PF_RANDOMIZE.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/mm/mmap.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -67,22 +67,21 @@ static int mmap_is_legacy(void)
+ 
+ static unsigned long mmap_rnd(void)
+ {
+-	unsigned long rnd = 0;
++	unsigned long rnd;
+ 
+ 	/*
+-	*  8 bits of randomness in 32bit mmaps, 20 address space bits
+-	* 28 bits of randomness in 64bit mmaps, 40 address space bits
+-	*/
+-	if (current->flags & PF_RANDOMIZE) {
+-		if (mmap_is_ia32())
+-			rnd = get_random_int() % (1<<8);
+-		else
+-			rnd = get_random_int() % (1<<28);
+-	}
++	 *  8 bits of randomness in 32bit mmaps, 20 address space bits
++	 * 28 bits of randomness in 64bit mmaps, 40 address space bits
++	 */
++	if (mmap_is_ia32())
++		rnd = (unsigned long)get_random_int() % (1<<8);
++	else
++		rnd = (unsigned long)get_random_int() % (1<<28);
++
+ 	return rnd << PAGE_SHIFT;
+ }
+ 
+-static unsigned long mmap_base(void)
++static unsigned long mmap_base(unsigned long rnd)
+ {
+ 	unsigned long gap = rlimit(RLIMIT_STACK);
+ 
+@@ -91,19 +90,19 @@ static unsigned long mmap_base(void)
+ 	else if (gap > MAX_GAP)
+ 		gap = MAX_GAP;
+ 
+-	return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
++	return PAGE_ALIGN(TASK_SIZE - gap - rnd);
+ }
+ 
+ /*
+  * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
+  * does, but not when emulating X86_32
+  */
+-static unsigned long mmap_legacy_base(void)
++static unsigned long mmap_legacy_base(unsigned long rnd)
+ {
+ 	if (mmap_is_ia32())
+ 		return TASK_UNMAPPED_BASE;
+ 	else
+-		return TASK_UNMAPPED_BASE + mmap_rnd();
++		return TASK_UNMAPPED_BASE + rnd;
+ }
+ 
+ /*
+@@ -112,14 +111,19 @@ static unsigned long mmap_legacy_base(vo
+  */
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
+-	mm->mmap_legacy_base = mmap_legacy_base();
+-	mm->mmap_base = mmap_base();
++	unsigned long random_factor = 0UL;
++
++	if (current->flags & PF_RANDOMIZE)
++		random_factor = mmap_rnd();
++
++	mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ 
+ 	if (mmap_is_legacy()) {
+ 		mm->mmap_base = mm->mmap_legacy_base;
+ 		mm->get_unmapped_area = arch_get_unmapped_area;
+ 		mm->unmap_area = arch_unmap_area;
+ 	} else {
++		mm->mmap_base = mmap_base(random_factor);
+ 		mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+ 		mm->unmap_area = arch_unmap_area_topdown;
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index 88ea968..9810527 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1174,3 +1174,5 @@ bugfix/all/include-linux-poison.h-fix-list_poison-1-2-offset.patch
 bugfix/s390/s390-mm-four-page-table-levels-vs.-fork.patch
 bugfix/x86/x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch
 bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch
+bugfix/x86/x86-standardize-mmap_rnd-usage.patch
+bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list