[linux] 01/02: Add fix for CVE-2016-3672
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Apr 30 17:57:41 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit c3388eef62c30bc684ec489fb540c089122fa720
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Apr 30 19:40:16 2016 +0200
Add fix for CVE-2016-3672
---
debian/changelog | 2 +
...ble-full-randomization-on-i386-and-x86_32.patch | 79 ++++++++++++++++
.../x86/x86-standardize-mmap_rnd-usage.patch | 101 +++++++++++++++++++++
debian/patches/series | 2 +
4 files changed, 184 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c4338a7..7069151 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ linux (3.2.78-1+deb7u1) UNRELEASED; urgency=medium
* include/linux/poison.h: fix LIST_POISON{1,2} offset (CVE-2016-0821)
* [s390*] mm: four page table levels vs. fork (CVE-2016-2143)
* [amd64] iopl: Properly context-switch IOPL on Xen PV (CVE-2016-3157)
+ * [x86] standardize mmap_rnd() usage
+ * [x86] mm/32: Enable full randomization on i386 and X86_32 (CVE-2016-3672)
[ Salvatore Bonaccorso ]
* [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch b/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
new file mode 100644
index 0000000..142ca5d
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch
@@ -0,0 +1,79 @@
+From: Hector Marco-Gisbert <hecmargi at upv.es>
+Date: Thu, 10 Mar 2016 20:51:00 +0100
+Subject: x86/mm/32: Enable full randomization on i386 and X86_32
+Origin: https://git.kernel.org/linus/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
+
+Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
+the stack and the executable are randomized but not other mmapped files
+(libraries, vDSO, etc.). This patch enables randomization for the
+libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
+
+By default on i386 there are 8 bits for the randomization of the libraries,
+vDSO and mmaps which only uses 1MB of VA.
+
+This patch preserves the original randomness, using 1MB of VA out of 3GB or
+4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
+
+The first obvious security benefit is that all objects are randomized (not
+only the stack and the executable) in legacy mode which highly increases
+the ASLR effectiveness, otherwise the attackers may use these
+non-randomized areas. But also sensitive setuid/setgid applications are
+more secure because currently, attackers can disable the randomization of
+these applications by setting the ulimit stack to "unlimited". This is a
+very old and widely known trick to disable the ASLR in i386 which has been
+allowed for too long.
+
+Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
+personality flag, but fortunately this doesn't work on setuid/setgid
+applications because there is security checks which clear Security-relevant
+flags.
+
+This patch always randomizes the mmap_legacy_base address, removing the
+possibility to disable the ASLR by setting the stack to "unlimited".
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi at upv.es>
+Acked-by: Ismael Ripoll Ripoll <iripoll at upv.es>
+Acked-by: Kees Cook <keescook at chromium.org>
+Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: akpm at linux-foundation.org
+Cc: kees Cook <keescook at chromium.org>
+Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/mm/mmap.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned
+ }
+
+ /*
+- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
+- * does, but not when emulating X86_32
+- */
+-static unsigned long mmap_legacy_base(unsigned long rnd)
+-{
+- if (mmap_is_ia32())
+- return TASK_UNMAPPED_BASE;
+- else
+- return TASK_UNMAPPED_BASE + rnd;
+-}
+-
+-/*
+ * This function, called very early during the creation of a new
+ * process VM image, sets up which VM layout function to use:
+ */
+@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_str
+ if (current->flags & PF_RANDOMIZE)
+ random_factor = mmap_rnd();
+
+- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
++ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = mm->mmap_legacy_base;
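Review bot: With the mmap_legacy_base() helper and its comment deleted, the assignment `mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` is now the only place in the file that encodes the new policy, and nothing left in the code says that the bottom-up base is deliberately randomized on ia32 as well; the rationale lives only in the patch description. A one-line comment above that assignment, e.g. `/* Always randomize the bottom-up (legacy) base, on ia32 too (CVE-2016-3672) */`, would stop a later backporter from "restoring" the removed exception. Behaviour for processes without PF_RANDOMIZE is unchanged by this hunk, since random_factor stays 0 in that case (the check just above the assignment). The body of arch_pick_mmap_layout continues past the end of the hunk.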
diff --git a/debian/patches/bugfix/x86/x86-standardize-mmap_rnd-usage.patch b/debian/patches/bugfix/x86/x86-standardize-mmap_rnd-usage.patch
new file mode 100644
index 0000000..8b9653a
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-standardize-mmap_rnd-usage.patch
@@ -0,0 +1,101 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:45 -0700
+Subject: x86: standardize mmap_rnd() usage
+Origin: https://git.kernel.org/linus/82168140bc4cec7ec9bad39705518541149ff8b7
+
+In preparation for splitting out ET_DYN ASLR, this refactors the use of
+mmap_rnd() to be used similarly to arm, and extracts the checking of
+PF_RANDOMIZE.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/mm/mmap.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -67,22 +67,21 @@ static int mmap_is_legacy(void)
+
+ static unsigned long mmap_rnd(void)
+ {
+- unsigned long rnd = 0;
++ unsigned long rnd;
+
+ /*
+- * 8 bits of randomness in 32bit mmaps, 20 address space bits
+- * 28 bits of randomness in 64bit mmaps, 40 address space bits
+- */
+- if (current->flags & PF_RANDOMIZE) {
+- if (mmap_is_ia32())
+- rnd = get_random_int() % (1<<8);
+- else
+- rnd = get_random_int() % (1<<28);
+- }
++ * 8 bits of randomness in 32bit mmaps, 20 address space bits
++ * 28 bits of randomness in 64bit mmaps, 40 address space bits
++ */
++ if (mmap_is_ia32())
++ rnd = (unsigned long)get_random_int() % (1<<8);
++ else
++ rnd = (unsigned long)get_random_int() % (1<<28);
++
+ return rnd << PAGE_SHIFT;
+ }
+
+-static unsigned long mmap_base(void)
++static unsigned long mmap_base(unsigned long rnd)
+ {
+ unsigned long gap = rlimit(RLIMIT_STACK);
+
+@@ -91,19 +90,19 @@ static unsigned long mmap_base(void)
+ else if (gap > MAX_GAP)
+ gap = MAX_GAP;
+
+- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
++ return PAGE_ALIGN(TASK_SIZE - gap - rnd);
+ }
+
+ /*
+ * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
+ * does, but not when emulating X86_32
+ */
+-static unsigned long mmap_legacy_base(void)
++static unsigned long mmap_legacy_base(unsigned long rnd)
+ {
+ if (mmap_is_ia32())
+ return TASK_UNMAPPED_BASE;
+ else
+- return TASK_UNMAPPED_BASE + mmap_rnd();
++ return TASK_UNMAPPED_BASE + rnd;
+ }
+
+ /*
+@@ -112,14 +111,19 @@ static unsigned long mmap_legacy_base(vo
+ */
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
+- mm->mmap_legacy_base = mmap_legacy_base();
+- mm->mmap_base = mmap_base();
++ unsigned long random_factor = 0UL;
++
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
++
++ mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = mm->mmap_legacy_base;
+ mm->get_unmapped_area = arch_get_unmapped_area;
+ mm->unmap_area = arch_unmap_area;
+ } else {
++ mm->mmap_base = mmap_base(random_factor);
+ mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+ mm->unmap_area = arch_unmap_area_topdown;
+ }
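Review bot: `mmap_base(unsigned long rnd)` and `mmap_legacy_base(unsigned long rnd)` now take the random offset as a parameter, but neither signature documents its unit: mmap_rnd() returns `rnd << PAGE_SHIFT` (bytes), and both callees add or subtract it from byte addresses without shifting, so a caller passing an unshifted page count would silently get a far smaller offset. A short comment on each signature, e.g. `/* @rnd: random offset in bytes, already page-shifted by mmap_rnd() */`, would pin that contract. In arch_pick_mmap_layout the single `random_factor` feeds both mmap_legacy_base() and mmap_base(); that matches the upstream commit, but a comment noting that both bases derive from one random draw per process would make the intent explicit. The closing brace of arch_pick_mmap_layout lies beyond the end of the hunk.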
diff --git a/debian/patches/series b/debian/patches/series
index 88ea968..9810527 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1174,3 +1174,5 @@ bugfix/all/include-linux-poison.h-fix-list_poison-1-2-offset.patch
bugfix/s390/s390-mm-four-page-table-levels-vs.-fork.patch
bugfix/x86/x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch
bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch
+bugfix/x86/x86-standardize-mmap_rnd-usage.patch
+bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_32.patch