[linux] 01/01: mm: Make PIE address randomisation independent of mmap (Closes: #797530)
debian-kernel at lists.debian.org
Wed Apr 19 02:40:56 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 0ea404f8677e79ec07fe869ac5d43399a63a0baf
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Apr 18 05:42:15 2017 +0100
mm: Make PIE address randomisation independent of mmap (Closes: #797530)
Backport Kees Cook's commit series that makes the ELF loader randomise
the base address for PIEs itself rather than letting mmap() do it.
This has two main effects:
- Increases the amount of memory that can be allocated with brk() by
PIEs on 32-bit architectures (see bug #797530)
- Fixes the offset2lib vulnerability (predictable offset from PIE
to shared libraries)
It also fixes some cases where PIE addresses were wrongly being
randomised or not randomised on some architectures.
---
debian/changelog | 13 +
.../arm-factor-out-mmap-aslr-into-mmap_rnd.patch | 95 +++++++
...don-t-randomise-text-when-randomise_va_sp.patch | 63 +++++
.../arm64-standardize-mmap_rnd-usage.patch | 86 +++++++
.../pie-aslr/mips-extract-logic-for-mmap_rnd.patch | 55 ++++
.../mm-expose-arch_mmap_rnd-when-available.patch | 277 +++++++++++++++++++++
...h_randomize_brk-into-arch_has_elf_randomi.patch | 184 ++++++++++++++
.../mm-split-et_dyn-aslr-from-mmap-aslr.patch | 214 ++++++++++++++++
.../powerpc-standardize-mmap_rnd-usage.patch | 83 ++++++
.../powerpc-use-generic-pie-randomization.patch | 101 ++++++++
...mize_et_dyn-to-take-void-and-use-mmap_rnd.patch | 57 +++++
...fine-randomize_et_dyn-for-elf_et_dyn_base.patch | 49 ++++
.../pie-aslr/s390-standardize-mmap_rnd-usage.patch | 113 +++++++++
debian/patches/series | 14 ++
14 files changed, 1404 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index db71ae2..086790d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -581,6 +581,19 @@ linux (3.16.43-1) UNRELEASED; urgency=medium
(mitigates CVE-2015-8952)
* [powerpc/powerpc64,ppc64*] Enable SCSI_IBMVFC as module (Closes: #859523)
- udeb: Add ibmvfc to scsi-modules
+ * mm: Make PIE address randomisation independent of mmap (Closes: #797530)
+ - [armel,armhf] factor out mmap ASLR into mmap_rnd
+ - [arm64] ASLR: Don't randomise text when randomise_va_space == 0
+ - [arm64] standardize mmap_rnd() usage
+ - [mips*] extract logic for mmap_rnd()
+ - [powerpc*] Use generic PIE randomization
+ - [powerpc*] standardize mmap_rnd() usage
+ - [s390*] Change randomize_et_dyn() to take void and use mmap_rnd()
+ - [s390*] standardize mmap_rnd() usage
+ - mm: expose arch_mmap_rnd when available
+ - [s390*] redefine randomize_et_dyn for ELF_ET_DYN_BASE
+ - mm: split ET_DYN ASLR from mmap ASLR
+ - mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE
[ Salvatore Bonaccorso ]
* sunrpc: fix refcounting problems with auth_gss messages.
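Review bot: The new top-level changelog line "mm: Make PIE address randomisation independent of mmap (Closes: #797530)" names only the bug it closes and does not mention the offset2lib fix, which the commit message lists as one of the two main effects. The neighbouring entry uses a parenthetical, "(mitigates CVE-2015-8952)", for a security-relevant change. A similar short parenthetical naming offset2lib on the new entry would let someone scanning the changelog for security fixes find this backport.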
diff --git a/debian/patches/bugfix/all/pie-aslr/arm-factor-out-mmap-aslr-into-mmap_rnd.patch b/debian/patches/bugfix/all/pie-aslr/arm-factor-out-mmap-aslr-into-mmap_rnd.patch
new file mode 100644
index 0000000..b266db0
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/arm-factor-out-mmap-aslr-into-mmap_rnd.patch
@@ -0,0 +1,95 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:41 -0700
+Subject: arm: factor out mmap ASLR into mmap_rnd
+Origin: https://git.kernel.org/linus/fbbc400f3924ce095b466c776dc294727ec0a202
+Bug-Debian: https://bugs.debian.org/797530
+
+To address the "offset2lib" ASLR weakness[1], this separates ET_DYN ASLR
+from mmap ASLR, as already done on s390. The architectures that are
+already randomizing mmap (arm, arm64, mips, powerpc, s390, and x86), have
+their various forms of arch_mmap_rnd() made available via the new
+CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these architectures,
+arch_randomize_brk() is collapsed as well.
+
+This is an alternative to the solutions in:
+https://lkml.org/lkml/2015/2/23/442
+
+I've been able to test x86 and arm, and the buildbot (so far) seems happy
+with building the rest.
+
+[1] http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
+
+This patch (of 10):
+
+In preparation for splitting out ET_DYN ASLR, this moves the ASLR
+calculations for mmap on ARM into a separate routine, similar to x86.
+This also removes the redundant check of personality (PF_RANDOMIZE is
+already set before calling arch_pick_mmap_layout).
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Hector Marco-Gisbert <hecmargi at upv.es>
+Cc: Russell King <linux at arm.linux.org.uk>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Catalin Marinas <catalin.marinas at arm.com>
+Cc: Will Deacon <will.deacon at arm.com>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Michael Ellerman <mpe at ellerman.id.au>
+Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Alexander Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: "David A. Long" <dave.long at linaro.org>
+Cc: Andrey Ryabinin <a.ryabinin at samsung.com>
+Cc: Arun Chandran <achandran at mvista.com>
+Cc: Yann Droneaud <ydroneaud at opteya.com>
+Cc: Min-Hua Chen <orca.chen at gmail.com>
+Cc: Paul Burton <paul.burton at imgtec.com>
+Cc: Alex Smith <alex at alex-smith.me.uk>
+Cc: Markos Chandras <markos.chandras at imgtec.com>
+Cc: Vineeth Vijayan <vvijayan at mvista.com>
+Cc: Jeff Bailey <jeffbailey at google.com>
+Cc: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: Behan Webster <behanw at converseincode.com>
+Cc: Ismael Ripoll <iripoll at upv.es>
+Cc: Jan-Simon Mller <dl9pf at gmx.de>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ arch/arm/mm/mmap.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
+index 5e85ed371364..15a8160096b3 100644
+--- a/arch/arm/mm/mmap.c
++++ b/arch/arm/mm/mmap.c
+@@ -169,14 +169,22 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ return addr;
+ }
+
++static unsigned long mmap_rnd(void)
++{
++ unsigned long rnd;
++
++ /* 8 bits of randomness in 20 address space bits */
++ rnd = (unsigned long)get_random_int() % (1 << 8);
++
++ return rnd << PAGE_SHIFT;
++}
++
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
+ unsigned long random_factor = 0UL;
+
+- /* 8 bits of randomness in 20 address space bits */
+- if ((current->flags & PF_RANDOMIZE) &&
+- !(current->personality & ADDR_NO_RANDOMIZE))
+- random_factor = (get_random_int() % (1 << 8)) << PAGE_SHIFT;
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
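Review bot: In arch_pick_mmap_layout() the "!(current->personality & ADDR_NO_RANDOMIZE)" test is removed, and the only justification is the commit message's remark that PF_RANDOMIZE is already set before this function is called. Nothing in the code records that invariant. A one-line comment above "if (current->flags & PF_RANDOMIZE)" stating that the flag is the single gate for randomisation here would keep a later reader from reintroducing the personality test or from calling the new mmap_rnd() without it, since mmap_rnd() itself returns a random offset unconditionally.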
diff --git a/debian/patches/bugfix/all/pie-aslr/arm64-aslr-don-t-randomise-text-when-randomise_va_sp.patch b/debian/patches/bugfix/all/pie-aslr/arm64-aslr-don-t-randomise-text-when-randomise_va_sp.patch
new file mode 100644
index 0000000..0507cd7
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/arm64-aslr-don-t-randomise-text-when-randomise_va_sp.patch
@@ -0,0 +1,63 @@
+From: Arun Chandran <achandran at mvista.com>
+Date: Fri, 10 Oct 2014 12:31:24 +0100
+Subject: arm64: ASLR: Don't randomise text when randomise_va_space == 0
+Origin: https://git.kernel.org/linus/92980405f3537136b8e81007a9df576762f49bbb
+Bug-Debian: https://bugs.debian.org/797530
+
+When user asks to turn off ASLR by writing "0" to
+/proc/sys/kernel/randomize_va_space there should not be
+any randomization to mmap base, stack, VDSO, libs, text and heap
+
+Currently arm64 violates this behavior by randomising text.
+Fix this by defining a constant ELF_ET_DYN_BASE. The randomisation of
+mm->mmap_base is done by setup_new_exec -> arch_pick_mmap_layout ->
+mmap_base -> mmap_rnd.
+
+Signed-off-by: Arun Chandran <achandran at mvista.com>
+Signed-off-by: Catalin Marinas <catalin.marinas at arm.com>
+---
+ arch/arm64/Kconfig | 1 +
+ arch/arm64/include/asm/elf.h | 4 ++--
+ arch/arm64/kernel/process.c | 5 -----
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1,5 +1,6 @@
+ config ARM64
+ def_bool y
++ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
+ select ARCH_HAS_OPP
+ select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -126,7 +126,7 @@ typedef struct user_fpsimd_state elf_fpr
+ * that it will "exec", and that there is sufficient room for the brk.
+ */
+ extern unsigned long randomize_et_dyn(unsigned long base);
+-#define ELF_ET_DYN_BASE (randomize_et_dyn(2 * TASK_SIZE_64 / 3))
++#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+
+ /*
+ * When the program starts, a1 contains a pointer to a function to be
+@@ -169,7 +169,7 @@ extern unsigned long arch_randomize_brk(
+
+ #ifdef CONFIG_COMPAT
+
+-#define COMPAT_ELF_ET_DYN_BASE (randomize_et_dyn(2 * TASK_SIZE_32 / 3))
++#define COMPAT_ELF_ET_DYN_BASE (2 * TASK_SIZE_32 / 3)
+
+ /* AArch32 registers. */
+ #define COMPAT_ELF_NGREG 18
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -397,8 +397,3 @@ unsigned long arch_randomize_brk(struct
+ {
+ return randomize_base(mm->brk);
+ }
+-
+-unsigned long randomize_et_dyn(unsigned long base)
+-{
+- return randomize_base(base);
+-}
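Review bot: The arch/arm64/include/asm/elf.h hunk leaves "extern unsigned long randomize_et_dyn(unsigned long base);" in place as a context line while the process.c hunk deletes the only definition, so after this patch the header declares a function that no longer exists. Either drop the declaration in this patch, or note in the header that this depends on arm64-standardize-mmap_rnd-usage.patch, which removes it, being applied directly afterwards in debian/patches/series.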
diff --git a/debian/patches/bugfix/all/pie-aslr/arm64-standardize-mmap_rnd-usage.patch b/debian/patches/bugfix/all/pie-aslr/arm64-standardize-mmap_rnd-usage.patch
new file mode 100644
index 0000000..c45e5bf
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/arm64-standardize-mmap_rnd-usage.patch
@@ -0,0 +1,86 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:48 -0700
+Subject: arm64: standardize mmap_rnd() usage
+Origin: https://git.kernel.org/linus/dd04cff1dceab18226853b555cf07914648a235f
+Bug-Debian: https://bugs.debian.org/797530
+
+In preparation for splitting out ET_DYN ASLR, this refactors the use of
+mmap_rnd() to be used similarly to arm and x86. This additionally
+enables mmap ASLR on legacy mmap layouts, which appeared to be missing
+on arm64, and was already supported on arm. Additionally removes a
+copy/pasted declaration of an unused function.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Russell King <linux at arm.linux.org.uk>
+Cc: Catalin Marinas <catalin.marinas at arm.com>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ arch/arm64/include/asm/elf.h | 1 -
+ arch/arm64/mm/mmap.c | 18 +++++++++++-------
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -125,7 +125,6 @@ typedef struct user_fpsimd_state elf_fpr
+ * the loader. We need to make sure that it is out of the way of the program
+ * that it will "exec", and that there is sufficient room for the brk.
+ */
+-extern unsigned long randomize_et_dyn(unsigned long base);
+ #define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+
+ /*
+--- a/arch/arm64/mm/mmap.c
++++ b/arch/arm64/mm/mmap.c
+@@ -49,15 +49,14 @@ static int mmap_is_legacy(void)
+
+ static unsigned long mmap_rnd(void)
+ {
+- unsigned long rnd = 0;
++ unsigned long rnd;
+
+- if (current->flags & PF_RANDOMIZE)
+- rnd = (long)get_random_int() & STACK_RND_MASK;
++ rnd = (unsigned long)get_random_int() & STACK_RND_MASK;
+
+ return rnd << PAGE_SHIFT;
+ }
+
+-static unsigned long mmap_base(void)
++static unsigned long mmap_base(unsigned long rnd)
+ {
+ unsigned long gap = rlimit(RLIMIT_STACK);
+
+@@ -66,7 +65,7 @@ static unsigned long mmap_base(void)
+ else if (gap > MAX_GAP)
+ gap = MAX_GAP;
+
+- return PAGE_ALIGN(STACK_TOP - gap - mmap_rnd());
++ return PAGE_ALIGN(STACK_TOP - gap - rnd);
+ }
+
+ /*
+@@ -75,15 +74,20 @@ static unsigned long mmap_base(void)
+ */
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
++ unsigned long random_factor = 0UL;
++
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
++
+ /*
+ * Fall back to the standard layout if the personality bit is set, or
+ * if the expected stack growth is unlimited:
+ */
+ if (mmap_is_legacy()) {
+- mm->mmap_base = TASK_UNMAPPED_BASE;
++ mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
+ mm->get_unmapped_area = arch_get_unmapped_area;
+ } else {
+- mm->mmap_base = mmap_base();
++ mm->mmap_base = mmap_base(random_factor);
+ mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+ }
+ }
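Review bot: mmap_rnd() in arch/arm64/mm/mmap.c loses its own "if (current->flags & PF_RANDOMIZE)" check and now always returns a random page-aligned offset, so correctness depends on every caller testing the flag first. The one caller visible here, arch_pick_mmap_layout(), does that, but the function carries no comment saying so. A short comment on mmap_rnd() such as "caller must check PF_RANDOMIZE" would make the contract explicit before the function is renamed and made non-static later in the series. The same hunk also starts adding random_factor to TASK_UNMAPPED_BASE in the mmap_is_legacy() branch, which is a behaviour change that is explained only in the commit message.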
diff --git a/debian/patches/bugfix/all/pie-aslr/mips-extract-logic-for-mmap_rnd.patch b/debian/patches/bugfix/all/pie-aslr/mips-extract-logic-for-mmap_rnd.patch
new file mode 100644
index 0000000..b1d07f9
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/mips-extract-logic-for-mmap_rnd.patch
@@ -0,0 +1,55 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:51 -0700
+Subject: mips: extract logic for mmap_rnd()
+Origin: https://git.kernel.org/linus/1f0569df0b0285e7ec2432d804a4921b06a61618
+Bug-Debian: https://bugs.debian.org/797530
+
+In preparation for splitting out ET_DYN ASLR, extract the mmap ASLR
+selection into a separate function.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ arch/mips/mm/mmap.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/mm/mmap.c
++++ b/arch/mips/mm/mmap.c
+@@ -142,18 +142,26 @@ unsigned long arch_get_unmapped_area_top
+ addr0, len, pgoff, flags, DOWN);
+ }
+
++static unsigned long mmap_rnd(void)
++{
++ unsigned long rnd;
++
++ rnd = (unsigned long)get_random_int();
++ rnd <<= PAGE_SHIFT;
++ if (TASK_IS_32BIT_ADDR)
++ rnd &= 0xfffffful;
++ else
++ rnd &= 0xffffffful;
++
++ return rnd;
++}
++
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
+ unsigned long random_factor = 0UL;
+
+- if (current->flags & PF_RANDOMIZE) {
+- random_factor = get_random_int();
+- random_factor = random_factor << PAGE_SHIFT;
+- if (TASK_IS_32BIT_ADDR)
+- random_factor &= 0xfffffful;
+- else
+- random_factor &= 0xffffffful;
+- }
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
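Review bot: The two masks in the new mmap_rnd(), "0xfffffful" and "0xffffffful", differ by a single hex digit and are applied after "rnd <<= PAGE_SHIFT", so the number of random bits that survive is not obvious from the code and depends on PAGE_SHIFT. The logic is carried over unchanged from arch_pick_mmap_layout(), but since it now lives in its own function it deserves a comment stating the intended range for the 32-bit and 64-bit cases, in the way the arm version documents "8 bits of randomness in 20 address space bits".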
diff --git a/debian/patches/bugfix/all/pie-aslr/mm-expose-arch_mmap_rnd-when-available.patch b/debian/patches/bugfix/all/pie-aslr/mm-expose-arch_mmap_rnd-when-available.patch
new file mode 100644
index 0000000..4b141bc
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/mm-expose-arch_mmap_rnd-when-available.patch
@@ -0,0 +1,277 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:48:00 -0700
+Subject: mm: expose arch_mmap_rnd when available
+Origin: https://git.kernel.org/linus/2b68f6caeac271620cd2f9362aeaed360e317df0
+Bug-Debian: https://bugs.debian.org/797530
+
+When an architecture fully supports randomizing the ELF load location,
+a per-arch mmap_rnd() function is used to find a randomized mmap base.
+In preparation for randomizing the location of ET_DYN binaries
+separately from mmap, this renames and exports these functions as
+arch_mmap_rnd(). Additionally introduces CONFIG_ARCH_HAS_ELF_RANDOMIZE
+for describing this feature on architectures that support it
+(which is a superset of ARCH_BINFMT_ELF_RANDOMIZE_PIE, since s390
+already supports a separated ET_DYN ASLR from mmap ASLR without the
+ARCH_BINFMT_ELF_RANDOMIZE_PIE logic).
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Hector Marco-Gisbert <hecmargi at upv.es>
+Cc: Russell King <linux at arm.linux.org.uk>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Catalin Marinas <catalin.marinas at arm.com>
+Cc: Will Deacon <will.deacon at arm.com>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Michael Ellerman <mpe at ellerman.id.au>
+Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Alexander Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: "David A. Long" <dave.long at linaro.org>
+Cc: Andrey Ryabinin <a.ryabinin at samsung.com>
+Cc: Arun Chandran <achandran at mvista.com>
+Cc: Yann Droneaud <ydroneaud at opteya.com>
+Cc: Min-Hua Chen <orca.chen at gmail.com>
+Cc: Paul Burton <paul.burton at imgtec.com>
+Cc: Alex Smith <alex at alex-smith.me.uk>
+Cc: Markos Chandras <markos.chandras at imgtec.com>
+Cc: Vineeth Vijayan <vvijayan at mvista.com>
+Cc: Jeff Bailey <jeffbailey at google.com>
+Cc: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: Behan Webster <behanw at converseincode.com>
+Cc: Ismael Ripoll <iripoll at upv.es>
+Cc: Jan-Simon Mller <dl9pf at gmx.de>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+---
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -472,6 +472,13 @@ config HAVE_IRQ_EXIT_ON_IRQ_STACK
+ This spares a stack switch and improves cache usage on softirq
+ processing.
+
++config ARCH_HAS_ELF_RANDOMIZE
++ bool
++ help
++ An architecture supports choosing randomized locations for
++ stack, mmap, brk, and ET_DYN. Defined functions:
++ - arch_mmap_rnd()
++
+ #
+ # ABI hall of shame
+ #
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -3,6 +3,7 @@ config ARM
+ default y
+ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
++ select ARCH_HAS_ELF_RANDOMIZE
+ select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
+ select ARCH_HAVE_CUSTOM_GPIO_H
+ select ARCH_MIGHT_HAVE_PC_PARPORT
+--- a/arch/arm/mm/mmap.c
++++ b/arch/arm/mm/mmap.c
+@@ -169,7 +169,7 @@ arch_get_unmapped_area_topdown(struct fi
+ return addr;
+ }
+
+-static unsigned long mmap_rnd(void)
++unsigned long arch_mmap_rnd(void)
+ {
+ unsigned long rnd;
+
+@@ -184,7 +184,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -2,6 +2,7 @@ config ARM64
+ def_bool y
+ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
++ select ARCH_HAS_ELF_RANDOMIZE
+ select ARCH_HAS_OPP
+ select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
+ select ARCH_USE_CMPXCHG_LOCKREF
+--- a/arch/arm64/mm/mmap.c
++++ b/arch/arm64/mm/mmap.c
+@@ -47,7 +47,7 @@ static int mmap_is_legacy(void)
+ return sysctl_legacy_va_layout;
+ }
+
+-static unsigned long mmap_rnd(void)
++unsigned long arch_mmap_rnd(void)
+ {
+ unsigned long rnd;
+
+@@ -77,7 +77,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ /*
+ * Fall back to the standard layout if the personality bit is set, or
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -25,6 +25,7 @@ config MIPS
+ select HAVE_DEBUG_KMEMLEAK
+ select HAVE_SYSCALL_TRACEPOINTS
+ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
++ select ARCH_HAS_ELF_RANDOMIZE
+ select HAVE_ARCH_TRANSPARENT_HUGEPAGE if CPU_SUPPORTS_HUGEPAGES && 64BIT
+ select RTC_LIB if !MACH_LOONGSON
+ select GENERIC_ATOMIC64 if !64BIT
+--- a/arch/mips/mm/mmap.c
++++ b/arch/mips/mm/mmap.c
+@@ -142,7 +142,7 @@ unsigned long arch_get_unmapped_area_top
+ addr0, len, pgoff, flags, DOWN);
+ }
+
+-static unsigned long mmap_rnd(void)
++unsigned long arch_mmap_rnd(void)
+ {
+ unsigned long rnd;
+
+@@ -161,7 +161,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -89,6 +89,7 @@ config PPC
+ select ARCH_MIGHT_HAVE_PC_SERIO
+ select BINFMT_ELF
+ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
++ select ARCH_HAS_ELF_RANDOMIZE
+ select OF
+ select OF_EARLY_FLATTREE
+ select OF_RESERVED_MEM
+--- a/arch/powerpc/mm/mmap.c
++++ b/arch/powerpc/mm/mmap.c
+@@ -53,7 +53,7 @@ static inline int mmap_is_legacy(void)
+ return sysctl_legacy_va_layout;
+ }
+
+-static unsigned long mmap_rnd(void)
++unsigned long arch_mmap_rnd(void)
+ {
+ unsigned long rnd;
+
+@@ -87,7 +87,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ /*
+ * Fall back to the standard layout if the personality
+--- a/arch/s390/Kconfig
++++ b/arch/s390/Kconfig
+@@ -62,6 +62,7 @@ config S390
+ def_bool y
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
+ select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
++ select ARCH_HAS_ELF_RANDOMIZE
+ select ARCH_HAVE_NMI_SAFE_CMPXCHG
+ select ARCH_INLINE_READ_LOCK
+ select ARCH_INLINE_READ_LOCK_BH
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -56,7 +56,7 @@ static inline int mmap_is_legacy(void)
+ return sysctl_legacy_va_layout;
+ }
+
+-static unsigned long mmap_rnd(void)
++unsigned long arch_mmap_rnd(void)
+ {
+ /* 8MB randomization for mmap_base */
+ return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
+@@ -86,7 +86,7 @@ unsigned long randomize_et_dyn(void)
+ base = STACK_TOP / 3 * 2;
+
+ if (current->flags & PF_RANDOMIZE)
+- base += mmap_rnd();
++ base += arch_mmap_rnd();
+
+ return base;
+ }
+@@ -102,7 +102,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ /*
+ * Fall back to the standard layout if the personality
+@@ -182,7 +182,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ /*
+ * Fall back to the standard layout if the personality
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -85,6 +85,7 @@ config X86
+ select HAVE_ARCH_KMEMCHECK
+ select HAVE_USER_RETURN_NOTIFIER
+ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
++ select ARCH_HAS_ELF_RANDOMIZE
+ select HAVE_ARCH_JUMP_LABEL
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
+ select SPARSE_IRQ
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -65,7 +65,7 @@ static int mmap_is_legacy(void)
+ return sysctl_legacy_va_layout;
+ }
+
+-static unsigned long mmap_rnd(void)
++unsigned long arch_mmap_rnd(void)
+ {
+ unsigned long rnd;
+
+@@ -102,7 +102,7 @@ void arch_pick_mmap_layout(struct mm_str
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+- random_factor = mmap_rnd();
++ random_factor = arch_mmap_rnd();
+
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
+
+--- /dev/null
++++ b/include/linux/elf-randomize.h
+@@ -0,0 +1,10 @@
++#ifndef _ELF_RANDOMIZE_H
++#define _ELF_RANDOMIZE_H
++
++#ifndef CONFIG_ARCH_HAS_ELF_RANDOMIZE
++static inline unsigned long arch_mmap_rnd(void) { return 0; }
++#else
++extern unsigned long arch_mmap_rnd(void);
++#endif
++
++#endif
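Review bot: None of the arch/*/mm/mmap.c hunks shown here add an include of the new include/linux/elf-randomize.h, so each now non-static arch_mmap_rnd() is defined without its prototype in scope and the compiler cannot check the definition against the declaration. Adding "#include <linux/elf-randomize.h>" to the files that define the function would fix that. The new header would also benefit from a comment saying that arch_mmap_rnd() does not test PF_RANDOMIZE itself, because every caller in these hunks, including randomize_et_dyn() on s390, performs that test before calling it, and the stub for architectures without ARCH_HAS_ELF_RANDOMIZE silently returns 0.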
diff --git a/debian/patches/bugfix/all/pie-aslr/mm-fold-arch_randomize_brk-into-arch_has_elf_randomi.patch b/debian/patches/bugfix/all/pie-aslr/mm-fold-arch_randomize_brk-into-arch_has_elf_randomi.patch
new file mode 100644
index 0000000..f0b161c
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/mm-fold-arch_randomize_brk-into-arch_has_elf_randomi.patch
@@ -0,0 +1,184 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:48:12 -0700
+Subject: mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE
+Origin: https://git.kernel.org/linus/204db6ed17743000691d930368a5abd6ea541c58
+Bug-Debian: https://bugs.debian.org/797530
+
+The arch_randomize_brk() function is used on several architectures,
+even those that don't support ET_DYN ASLR. To avoid bulky extern/#define
+tricks, consolidate the support under CONFIG_ARCH_HAS_ELF_RANDOMIZE for
+the architectures that support it, while still handling CONFIG_COMPAT_BRK.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Hector Marco-Gisbert <hecmargi at upv.es>
+Cc: Russell King <linux at arm.linux.org.uk>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Catalin Marinas <catalin.marinas at arm.com>
+Cc: Will Deacon <will.deacon at arm.com>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Michael Ellerman <mpe at ellerman.id.au>
+Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Alexander Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: "David A. Long" <dave.long at linaro.org>
+Cc: Andrey Ryabinin <a.ryabinin at samsung.com>
+Cc: Arun Chandran <achandran at mvista.com>
+Cc: Yann Droneaud <ydroneaud at opteya.com>
+Cc: Min-Hua Chen <orca.chen at gmail.com>
+Cc: Paul Burton <paul.burton at imgtec.com>
+Cc: Alex Smith <alex at alex-smith.me.uk>
+Cc: Markos Chandras <markos.chandras at imgtec.com>
+Cc: Vineeth Vijayan <vvijayan at mvista.com>
+Cc: Jeff Bailey <jeffbailey at google.com>
+Cc: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: Behan Webster <behanw at converseincode.com>
+Cc: Ismael Ripoll <iripoll at upv.es>
+Cc: Jan-Simon Mller <dl9pf at gmx.de>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+---
+ arch/Kconfig | 1 +
+ arch/arm/include/asm/elf.h | 4 ----
+ arch/arm64/include/asm/elf.h | 4 ----
+ arch/mips/include/asm/elf.h | 4 ----
+ arch/powerpc/include/asm/elf.h | 4 ----
+ arch/s390/include/asm/elf.h | 3 ---
+ arch/x86/include/asm/elf.h | 3 ---
+ fs/binfmt_elf.c | 4 +---
+ include/linux/elf-randomize.h | 12 ++++++++++++
+ 9 files changed, 14 insertions(+), 25 deletions(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -478,6 +478,7 @@ config ARCH_HAS_ELF_RANDOMIZE
+ An architecture supports choosing randomized locations for
+ stack, mmap, brk, and ET_DYN. Defined functions:
+ - arch_mmap_rnd()
++ - arch_randomize_brk()
+
+ #
+ # ABI hall of shame
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -124,10 +124,6 @@ int dump_task_regs(struct task_struct *t
+ extern void elf_set_personality(const struct elf32_hdr *);
+ #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
+
+-struct mm_struct;
+-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
+-#define arch_randomize_brk arch_randomize_brk
+-
+ #ifdef CONFIG_MMU
+ #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
+ struct linux_binprm;
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -156,10 +156,6 @@ extern int arch_setup_additional_pages(s
+ #define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
+ #endif
+
+-struct mm_struct;
+-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
+-#define arch_randomize_brk arch_randomize_brk
+-
+ #ifdef __AARCH64EB__
+ #define COMPAT_ELF_PLATFORM ("v8b")
+ #else
+--- a/arch/mips/include/asm/elf.h
++++ b/arch/mips/include/asm/elf.h
+@@ -403,8 +403,4 @@ struct linux_binprm;
+ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ int uses_interp);
+
+-struct mm_struct;
+-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
+-#define arch_randomize_brk arch_randomize_brk
+-
+ #endif /* _ASM_ELF_H */
+--- a/arch/powerpc/include/asm/elf.h
++++ b/arch/powerpc/include/asm/elf.h
+@@ -128,10 +128,6 @@ extern int arch_setup_additional_pages(s
+ (0x7ff >> (PAGE_SHIFT - 12)) : \
+ (0x3ffff >> (PAGE_SHIFT - 12)))
+
+-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
+-#define arch_randomize_brk arch_randomize_brk
+-
+-
+ #ifdef CONFIG_SPU_BASE
+ /* Notes used in ET_CORE. Note name is "SPU/<fd>/<filename>". */
+ #define NT_SPU 1
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -221,9 +221,6 @@ struct linux_binprm;
+ #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
+ int arch_setup_additional_pages(struct linux_binprm *, int);
+
+-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
+-#define arch_randomize_brk arch_randomize_brk
+-
+ void *fill_cpu_elf_notes(void *ptr, struct save_area *sa);
+
+ #endif
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -344,9 +344,6 @@ extern int compat_arch_setup_additional_
+ int uses_interp);
+ #define compat_arch_setup_additional_pages compat_arch_setup_additional_pages
+
+-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
+-#define arch_randomize_brk arch_randomize_brk
+-
+ /*
+ * True on X86_32 or when emulating IA32 on X86_64
+ */
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -952,15 +952,13 @@ static int load_elf_binary(struct linux_
+ current->mm->end_data = end_data;
+ current->mm->start_stack = bprm->p;
+
+-#ifdef arch_randomize_brk
+ if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
+ current->mm->brk = current->mm->start_brk =
+ arch_randomize_brk(current->mm);
+-#ifdef CONFIG_COMPAT_BRK
++#ifdef compat_brk_randomized
+ current->brk_randomized = 1;
+ #endif
+ }
+-#endif
+
+ if (current->personality & MMAP_PAGE_ZERO) {
+ /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
+--- a/include/linux/elf-randomize.h
++++ b/include/linux/elf-randomize.h
+@@ -1,10 +1,22 @@
+ #ifndef _ELF_RANDOMIZE_H
+ #define _ELF_RANDOMIZE_H
+
++struct mm_struct;
++
+ #ifndef CONFIG_ARCH_HAS_ELF_RANDOMIZE
+ static inline unsigned long arch_mmap_rnd(void) { return 0; }
++# if defined(arch_randomize_brk) && defined(CONFIG_COMPAT_BRK)
++# define compat_brk_randomized
++# endif
++# ifndef arch_randomize_brk
++# define arch_randomize_brk(mm) (mm->brk)
++# endif
+ #else
+ extern unsigned long arch_mmap_rnd(void);
++extern unsigned long arch_randomize_brk(struct mm_struct *mm);
++# ifdef CONFIG_COMPAT_BRK
++# define compat_brk_randomized
++# endif
+ #endif
+
+ #endif
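Review bot: The fallback macro added to include/linux/elf-randomize.h, "# define arch_randomize_brk(mm) (mm->brk)", uses its argument without parentheses. The only caller shown passes "current->mm", which expands correctly, but the usual form "((mm)->brk)" costs nothing and is safe for any argument expression. Separately, the fs/binfmt_elf.c hunk removes the "#ifdef arch_randomize_brk" guard, so on architectures that take this fallback the PF_RANDOMIZE block is now compiled in and assigns mm->brk to itself. A comment next to the fallback noting that this no-op is intended would help.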
diff --git a/debian/patches/bugfix/all/pie-aslr/mm-split-et_dyn-aslr-from-mmap-aslr.patch b/debian/patches/bugfix/all/pie-aslr/mm-split-et_dyn-aslr-from-mmap-aslr.patch
new file mode 100644
index 0000000..49082a8
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/mm-split-et_dyn-aslr-from-mmap-aslr.patch
@@ -0,0 +1,214 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:48:07 -0700
+Subject: mm: split ET_DYN ASLR from mmap ASLR
+Origin: https://git.kernel.org/linus/d1fd836dcf00d2028c700c7e44d2c23404062c90
+Bug-Debian: https://bugs.debian.org/797530
+
+This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips,
+powerpc, and x86. The problem is that if there is a leak of ASLR from
+the executable (ET_DYN), it means a leak of shared library offset as
+well (mmap), and vice versa. Further details and a PoC of this attack
+is available here:
+
+ http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
+
+With this patch, a PIE linked executable (ET_DYN) has its own ASLR
+region:
+
+ $ ./show_mmaps_pie
+ 54859ccd6000-54859ccd7000 r-xp ... /tmp/show_mmaps_pie
+ 54859ced6000-54859ced7000 r--p ... /tmp/show_mmaps_pie
+ 54859ced7000-54859ced8000 rw-p ... /tmp/show_mmaps_pie
+ 7f75be764000-7f75be91f000 r-xp ... /lib/x86_64-linux-gnu/libc.so.6
+ 7f75be91f000-7f75beb1f000 ---p ... /lib/x86_64-linux-gnu/libc.so.6
+ 7f75beb1f000-7f75beb23000 r--p ... /lib/x86_64-linux-gnu/libc.so.6
+ 7f75beb23000-7f75beb25000 rw-p ... /lib/x86_64-linux-gnu/libc.so.6
+ 7f75beb25000-7f75beb2a000 rw-p ...
+ 7f75beb2a000-7f75beb4d000 r-xp ... /lib64/ld-linux-x86-64.so.2
+ 7f75bed45000-7f75bed46000 rw-p ...
+ 7f75bed46000-7f75bed47000 r-xp ...
+ 7f75bed47000-7f75bed4c000 rw-p ...
+ 7f75bed4c000-7f75bed4d000 r--p ... /lib64/ld-linux-x86-64.so.2
+ 7f75bed4d000-7f75bed4e000 rw-p ... /lib64/ld-linux-x86-64.so.2
+ 7f75bed4e000-7f75bed4f000 rw-p ...
+ 7fffb3741000-7fffb3762000 rw-p ... [stack]
+ 7fffb377b000-7fffb377d000 r--p ... [vvar]
+ 7fffb377d000-7fffb377f000 r-xp ... [vdso]
+
+The change is to add a call the newly created arch_mmap_rnd() into the
+ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR,
+as was already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE,
+which is no longer needed.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Hector Marco-Gisbert <hecmargi at upv.es>
+Cc: Russell King <linux at arm.linux.org.uk>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Catalin Marinas <catalin.marinas at arm.com>
+Cc: Will Deacon <will.deacon at arm.com>
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Michael Ellerman <mpe at ellerman.id.au>
+Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Alexander Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: "David A. Long" <dave.long at linaro.org>
+Cc: Andrey Ryabinin <a.ryabinin at samsung.com>
+Cc: Arun Chandran <achandran at mvista.com>
+Cc: Yann Droneaud <ydroneaud at opteya.com>
+Cc: Min-Hua Chen <orca.chen at gmail.com>
+Cc: Paul Burton <paul.burton at imgtec.com>
+Cc: Alex Smith <alex at alex-smith.me.uk>
+Cc: Markos Chandras <markos.chandras at imgtec.com>
+Cc: Vineeth Vijayan <vvijayan at mvista.com>
+Cc: Jeff Bailey <jeffbailey at google.com>
+Cc: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: Behan Webster <behanw at converseincode.com>
+Cc: Ismael Ripoll <iripoll at upv.es>
+Cc: Jan-Simon Mller <dl9pf at gmx.de>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.16:
+ - We don't do 4 GiB alignent on 64-bit s390
+ - Adjust context]
+---
+ arch/arm/Kconfig | 1 -
+ arch/arm64/Kconfig | 1 -
+ arch/mips/Kconfig | 1 -
+ arch/powerpc/Kconfig | 1 -
+ arch/s390/include/asm/elf.h | 5 ++---
+ arch/s390/mm/mmap.c | 8 --------
+ arch/x86/Kconfig | 1 -
+ fs/Kconfig.binfmt | 3 ---
+ fs/binfmt_elf.c | 18 ++++--------------
+ 9 files changed, 6 insertions(+), 33 deletions(-)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1,7 +1,6 @@
+ config ARM
+ bool
+ default y
+- select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
+ select ARCH_HAS_ELF_RANDOMIZE
+ select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1,6 +1,5 @@
+ config ARM64
+ def_bool y
+- select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
+ select ARCH_HAS_ELF_RANDOMIZE
+ select ARCH_HAS_OPP
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -24,7 +24,6 @@ config MIPS
+ select HAVE_KRETPROBES
+ select HAVE_DEBUG_KMEMLEAK
+ select HAVE_SYSCALL_TRACEPOINTS
+- select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ELF_RANDOMIZE
+ select HAVE_ARCH_TRANSPARENT_HUGEPAGE if CPU_SUPPORTS_HUGEPAGES && 64BIT
+ select RTC_LIB if !MACH_LOONGSON
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -88,7 +88,6 @@ config PPC
+ select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_MIGHT_HAVE_PC_SERIO
+ select BINFMT_ELF
+- select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ELF_RANDOMIZE
+ select OF
+ select OF_EARLY_FLATTREE
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -162,8 +162,7 @@ extern unsigned int vdso_enabled;
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
+-extern unsigned long randomize_et_dyn(void);
+-#define ELF_ET_DYN_BASE (randomize_et_dyn() + (STACK_TOP / 3 * 2))
++#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. */
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -79,14 +79,6 @@ static inline unsigned long mmap_base(un
+ return STACK_TOP - stack_maxrandom_size() - rnd - gap;
+ }
+
+-unsigned long randomize_et_dyn(void)
+-{
+- if (current->flags & PF_RANDOMIZE)
+- return arch_mmap_rnd();
+-
+- return 0UL;
+-}
+-
+ #ifndef CONFIG_64BIT
+
+ /*
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -84,7 +84,6 @@ config X86
+ select HAVE_CMPXCHG_DOUBLE
+ select HAVE_ARCH_KMEMCHECK
+ select HAVE_USER_RETURN_NOTIFIER
+- select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select ARCH_HAS_ELF_RANDOMIZE
+ select HAVE_ARCH_JUMP_LABEL
+ select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
+--- a/fs/Kconfig.binfmt
++++ b/fs/Kconfig.binfmt
+@@ -27,9 +27,6 @@ config COMPAT_BINFMT_ELF
+ bool
+ depends on COMPAT && BINFMT_ELF
+
+-config ARCH_BINFMT_ELF_RANDOMIZE_PIE
+- bool
+-
+ config BINFMT_ELF_FDPIC
+ bool "Kernel support for FDPIC ELF binaries"
+ default y
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -31,6 +31,7 @@
+ #include <linux/security.h>
+ #include <linux/random.h>
+ #include <linux/elf.h>
++#include <linux/elf-randomize.h>
+ #include <linux/utsname.h>
+ #include <linux/coredump.h>
+ #include <linux/sched.h>
+@@ -802,21 +803,10 @@ static int load_elf_binary(struct linux_
+ * default mmap base, as well as whatever program they
+ * might try to exec. This is because the brk will
+ * follow the loader, and is not movable. */
+-#ifdef CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE
+- /* Memory randomization might have been switched off
+- * in runtime via sysctl or explicit setting of
+- * personality flags.
+- * If that is the case, retain the original non-zero
+- * load_bias value in order to establish proper
+- * non-randomized mappings.
+- */
++ load_bias = ELF_ET_DYN_BASE - vaddr;
+ if (current->flags & PF_RANDOMIZE)
+- load_bias = 0;
+- else
+- load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+-#else
+- load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+-#endif
++ load_bias += arch_mmap_rnd();
++ load_bias = ELF_PAGESTART(load_bias);
+ total_size = total_mapping_size(elf_phdata,
+ loc->elf_ex.e_phnum);
+ if (!total_size) {
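Review bot: In the fs/binfmt_elf.c hunk the new `load_bias` computation drops the removed comment explaining that randomisation can be switched off at runtime by sysctl or personality flags, which leaves `if (current->flags & PF_RANDOMIZE)` unexplained. A one-line comment saying that a cleared PF_RANDOMIZE yields the fixed ELF_ET_DYN_BASE would keep that information. Since `config ARCH_BINFMT_ELF_RANDOMIZE_PIE` is deleted from fs/Kconfig.binfmt, the 3.16 tree should also be checked for any `select` or `#ifdef` of that symbol outside the five Kconfig files and binfmt_elf.c touched here.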
diff --git a/debian/patches/bugfix/all/pie-aslr/powerpc-standardize-mmap_rnd-usage.patch b/debian/patches/bugfix/all/pie-aslr/powerpc-standardize-mmap_rnd-usage.patch
new file mode 100644
index 0000000..bb2867c
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/powerpc-standardize-mmap_rnd-usage.patch
@@ -0,0 +1,83 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:54 -0700
+Subject: powerpc: standardize mmap_rnd() usage
+Origin: https://git.kernel.org/linus/ed6322746afb74c2509e2f3a6464182793b16eb9
+Bug-Debian: https://bugs.debian.org/797530
+
+In preparation for splitting out ET_DYN ASLR, this refactors the use of
+mmap_rnd() to be used similarly to arm and x86.
+
+(Can mmap ASLR be safely enabled in the legacy mmap case here? Other
+archs use "mm->mmap_base = TASK_UNMAPPED_BASE + random_factor".)
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Michael Ellerman <mpe at ellerman.id.au>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ arch/powerpc/mm/mmap.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/arch/powerpc/mm/mmap.c
++++ b/arch/powerpc/mm/mmap.c
+@@ -55,19 +55,18 @@ static inline int mmap_is_legacy(void)
+
+ static unsigned long mmap_rnd(void)
+ {
+- unsigned long rnd = 0;
++ unsigned long rnd;
++
++ /* 8MB for 32bit, 1GB for 64bit */
++ if (is_32bit_task())
++ rnd = (unsigned long)get_random_int() % (1<<(23-PAGE_SHIFT));
++ else
++ rnd = (unsigned long)get_random_int() % (1<<(30-PAGE_SHIFT));
+
+- if (current->flags & PF_RANDOMIZE) {
+- /* 8MB for 32bit, 1GB for 64bit */
+- if (is_32bit_task())
+- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
+- else
+- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
+- }
+ return rnd << PAGE_SHIFT;
+ }
+
+-static inline unsigned long mmap_base(void)
++static inline unsigned long mmap_base(unsigned long rnd)
+ {
+ unsigned long gap = rlimit(RLIMIT_STACK);
+
+@@ -76,7 +75,7 @@ static inline unsigned long mmap_base(vo
+ else if (gap > MAX_GAP)
+ gap = MAX_GAP;
+
+- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
++ return PAGE_ALIGN(TASK_SIZE - gap - rnd);
+ }
+
+ /*
+@@ -85,6 +84,11 @@ static inline unsigned long mmap_base(vo
+ */
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
++ unsigned long random_factor = 0UL;
++
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
++
+ /*
+ * Fall back to the standard layout if the personality
+ * bit is set, or if the expected stack growth is unlimited:
+@@ -93,7 +97,7 @@ void arch_pick_mmap_layout(struct mm_str
+ mm->mmap_base = TASK_UNMAPPED_BASE;
+ mm->get_unmapped_area = arch_get_unmapped_area;
+ } else {
+- mm->mmap_base = mmap_base();
++ mm->mmap_base = mmap_base(random_factor);
+ mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+ }
+ }
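Review bot: mmap_rnd() in arch/powerpc/mm/mmap.c no longer tests PF_RANDOMIZE, so it returns a random offset whenever it is called and the check now lives only in arch_pick_mmap_layout(). A comment on mmap_rnd() saying callers must test `current->flags & PF_RANDOMIZE` would guard against a later caller skipping it. random_factor is also computed before the mmap_is_legacy() test and then goes unused in the legacy branch (`mm->mmap_base = TASK_UNMAPPED_BASE`), which the commit message itself questions; either move the assignment into the else branch or note in a comment that the legacy case is intentionally unrandomised.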
diff --git a/debian/patches/bugfix/all/pie-aslr/powerpc-use-generic-pie-randomization.patch b/debian/patches/bugfix/all/pie-aslr/powerpc-use-generic-pie-randomization.patch
new file mode 100644
index 0000000..7b7c5ab
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/powerpc-use-generic-pie-randomization.patch
@@ -0,0 +1,101 @@
+From: Vineeth Vijayan <vvijayan at mvista.com>
+Date: Fri, 14 Nov 2014 14:42:05 +0530
+Subject: powerpc: Use generic PIE randomization
+Origin: https://git.kernel.org/linus/59994fb01a102a448ba758c9b824a29b4a99cc1b
+Bug-Debian: https://bugs.debian.org/797530
+
+Back in 2009 we merged 501cb16d3cfd "Randomise PIEs", which added support for
+randomizing PIE (Position Independent Executable) binaries.
+
+That commit added randomize_et_dyn(), which correctly randomized the addresses,
+but failed to honor PF_RANDOMIZE. That means it was not possible to disable PIE
+randomization via the personality flag, or /proc/sys/kernel/randomize_va_space.
+
+Since then there has been generic support for PIE randomization added to
+binfmt_elf.c, selectable via ARCH_BINFMT_ELF_RANDOMIZE_PIE.
+
+Enabling that allows us to drop randomize_et_dyn(), which means we start
+honoring PF_RANDOMIZE correctly.
+
+It also causes a fairly major change to how we layout PIE binaries.
+
+Currently we will place the binary at 512MB-520MB for 32 bit binaries, or
+512MB-1.5GB for 64 bit binaries, eg:
+
+ $ cat /proc/$$/maps
+ 4e550000-4e580000 r-xp 00000000 08:02 129813 /bin/dash
+ 4e580000-4e590000 rw-p 00020000 08:02 129813 /bin/dash
+ 10014110000-10014140000 rw-p 00000000 00:00 0 [heap]
+ 3fffaa3f0000-3fffaa5a0000 r-xp 00000000 08:02 921 /lib/powerpc64le-linux-gnu/libc-2.19.so
+ 3fffaa5a0000-3fffaa5b0000 rw-p 001a0000 08:02 921 /lib/powerpc64le-linux-gnu/libc-2.19.so
+ 3fffaa5c0000-3fffaa5d0000 rw-p 00000000 00:00 0
+ 3fffaa5d0000-3fffaa5f0000 r-xp 00000000 00:00 0 [vdso]
+ 3fffaa5f0000-3fffaa620000 r-xp 00000000 08:02 1246 /lib/powerpc64le-linux-gnu/ld-2.19.so
+ 3fffaa620000-3fffaa630000 rw-p 00020000 08:02 1246 /lib/powerpc64le-linux-gnu/ld-2.19.so
+ 3ffffc340000-3ffffc370000 rw-p 00000000 00:00 0 [stack]
+
+With this commit applied we don't do any special randomisation for the binary,
+and instead rely on mmap randomisation. This means the binary ends up at high
+addresses, eg:
+
+ $ cat /proc/$$/maps
+ 3fff99820000-3fff999d0000 r-xp 00000000 08:02 921 /lib/powerpc64le-linux-gnu/libc-2.19.so
+ 3fff999d0000-3fff999e0000 rw-p 001a0000 08:02 921 /lib/powerpc64le-linux-gnu/libc-2.19.so
+ 3fff999f0000-3fff99a00000 rw-p 00000000 00:00 0
+ 3fff99a00000-3fff99a20000 r-xp 00000000 00:00 0 [vdso]
+ 3fff99a20000-3fff99a50000 r-xp 00000000 08:02 1246 /lib/powerpc64le-linux-gnu/ld-2.19.so
+ 3fff99a50000-3fff99a60000 rw-p 00020000 08:02 1246 /lib/powerpc64le-linux-gnu/ld-2.19.so
+ 3fff99a60000-3fff99a90000 r-xp 00000000 08:02 129813 /bin/dash
+ 3fff99a90000-3fff99aa0000 rw-p 00020000 08:02 129813 /bin/dash
+ 3fffc3de0000-3fffc3e10000 rw-p 00000000 00:00 0 [stack]
+ 3fffc55e0000-3fffc5610000 rw-p 00000000 00:00 0 [heap]
+
+Although this should be OK, it's possible it might break badly written
+binaries that make assumptions about the address space layout.
+
+Signed-off-by: Vineeth Vijayan <vvijayan at mvista.com>
+[mpe: Rewrite changelog]
+Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
+---
+ arch/powerpc/Kconfig | 1 +
+ arch/powerpc/include/asm/elf.h | 3 +--
+ arch/powerpc/kernel/process.c | 9 ---------
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -88,6 +88,7 @@ config PPC
+ select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_MIGHT_HAVE_PC_SERIO
+ select BINFMT_ELF
++ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
+ select OF
+ select OF_EARLY_FLATTREE
+ select OF_RESERVED_MEM
+--- a/arch/powerpc/include/asm/elf.h
++++ b/arch/powerpc/include/asm/elf.h
+@@ -28,8 +28,7 @@
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
+-extern unsigned long randomize_et_dyn(unsigned long base);
+-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
++#define ELF_ET_DYN_BASE 0x20000000
+
+ #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1689,12 +1689,3 @@ unsigned long arch_randomize_brk(struct
+ return ret;
+ }
+
+-unsigned long randomize_et_dyn(unsigned long base)
+-{
+- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
+-
+- if (ret < base)
+- return base;
+-
+- return ret;
+-}
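Review bot: With `ELF_ET_DYN_BASE` reduced to the constant 0x20000000 and ARCH_BINFMT_ELF_RANDOMIZE_PIE selected, the PIE is placed by mmap randomisation directly beside the shared libraries (the second maps listing in the description), which is the layout that the later mm-split-et_dyn-aslr-from-mmap-aslr.patch in this series exists to undo. The patch header should say that this is a prerequisite only and must not be applied or cherry-picked without the rest of the pie-aslr series.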
diff --git a/debian/patches/bugfix/all/pie-aslr/s390-change-randomize_et_dyn-to-take-void-and-use-mmap_rnd.patch b/debian/patches/bugfix/all/pie-aslr/s390-change-randomize_et_dyn-to-take-void-and-use-mmap_rnd.patch
new file mode 100644
index 0000000..b00742b
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/s390-change-randomize_et_dyn-to-take-void-and-use-mmap_rnd.patch
@@ -0,0 +1,57 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Tue, 18 Apr 2017 04:34:20 +0100
+Subject: s390: Change randomize_et_dyn() to take void and use mmap_rnd()
+Bug-Debian: https://bugs.debian.org/797530
+Forwarded: not-needed
+
+Extracted from commit 1f6b83e5e4d3aed46eac1d219322fba9c7341cd8 "s390:
+avoid z13 cache aliasing". This is a pre-requisite for the following
+patches that eliminate randomize_et_dyn() altogether.
+
+---
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -162,8 +162,8 @@ extern unsigned int vdso_enabled;
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
+-extern unsigned long randomize_et_dyn(unsigned long base);
+-#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
++extern unsigned long randomize_et_dyn(void);
++#define ELF_ET_DYN_BASE randomize_et_dyn()
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. */
+--- a/arch/s390/kernel/process.c
++++ b/arch/s390/kernel/process.c
+@@ -266,13 +266,3 @@ unsigned long arch_randomize_brk(struct
+ ret = PAGE_ALIGN(mm->brk + brk_rnd());
+ return (ret > mm->brk) ? ret : mm->brk;
+ }
+-
+-unsigned long randomize_et_dyn(unsigned long base)
+-{
+- unsigned long ret;
+-
+- if (!(current->flags & PF_RANDOMIZE))
+- return base;
+- ret = PAGE_ALIGN(base + brk_rnd());
+- return (ret > base) ? ret : base;
+-}
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -81,6 +81,14 @@ static inline unsigned long mmap_base(vo
+ return STACK_TOP - stack_maxrandom_size() - mmap_rnd() - gap;
+ }
+
++unsigned long randomize_et_dyn(void)
++{
++ unsigned long base;
++
++ base = STACK_TOP / 3 * 2;
++ return base + mmap_rnd();
++}
++
+ #ifndef CONFIG_64BIT
+
+ /*
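Review bot: The new randomize_et_dyn() in arch/s390/mm/mmap.c returns `base + mmap_rnd()` with neither the PAGE_ALIGN() nor the `(ret > base) ? ret : base` wrap check that the removed process.c version had, and it no longer tests PF_RANDOMIZE itself. The description should state that this relies on mmap_rnd() returning a page-shifted offset and checking PF_RANDOMIZE internally, and that the offset now comes from mmap_rnd() rather than brk_rnd(), because s390-standardize-mmap_rnd-usage.patch then moves the flag check back out to the callers.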
diff --git a/debian/patches/bugfix/all/pie-aslr/s390-redefine-randomize_et_dyn-for-elf_et_dyn_base.patch b/debian/patches/bugfix/all/pie-aslr/s390-redefine-randomize_et_dyn-for-elf_et_dyn_base.patch
new file mode 100644
index 0000000..9c08e85
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/s390-redefine-randomize_et_dyn-for-elf_et_dyn_base.patch
@@ -0,0 +1,49 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:48:04 -0700
+Subject: s390: redefine randomize_et_dyn for ELF_ET_DYN_BASE
+Origin: https://git.kernel.org/linus/c6f5b001e65cdac592b65a08c5d2dd179cfba568
+Bug-Debian: https://bugs.debian.org/797530
+
+In preparation for moving ET_DYN randomization into the ELF loader (which
+requires a static ELF_ET_DYN_BASE), this redefines s390's existing ET_DYN
+randomization in a call to arch_mmap_rnd(). This refactoring results in
+the same ET_DYN randomization on s390.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Acked-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.16: we don't do 4 GiB alignent on 64-bit]
+---
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -163,7 +163,7 @@ extern unsigned int vdso_enabled;
+ that it will "exec", and that there is sufficient room for the brk. */
+
+ extern unsigned long randomize_et_dyn(void);
+-#define ELF_ET_DYN_BASE randomize_et_dyn()
++#define ELF_ET_DYN_BASE (randomize_et_dyn() + (STACK_TOP / 3 * 2))
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. */
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -81,14 +81,10 @@ static inline unsigned long mmap_base(un
+
+ unsigned long randomize_et_dyn(void)
+ {
+- unsigned long base;
+-
+- base = STACK_TOP / 3 * 2;
+-
+ if (current->flags & PF_RANDOMIZE)
+- base += arch_mmap_rnd();
++ return arch_mmap_rnd();
+
+- return base;
++ return 0UL;
+ }
+
+ #ifndef CONFIG_64BIT
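Review bot: The backport note `[bwh: Backported to 3.16: we don't do 4 GiB alignent on 64-bit]` records that the `ELF_ET_DYN_BASE` line deviates from the Origin commit but not why the deviation is safe on 3.16; one sentence naming the missing prerequisite would let a later reader check it. "alignent" should read "alignment", here and in the same note in mm-split-et_dyn-aslr-from-mmap-aslr.patch.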
diff --git a/debian/patches/bugfix/all/pie-aslr/s390-standardize-mmap_rnd-usage.patch b/debian/patches/bugfix/all/pie-aslr/s390-standardize-mmap_rnd-usage.patch
new file mode 100644
index 0000000..ca91bc4
--- /dev/null
+++ b/debian/patches/bugfix/all/pie-aslr/s390-standardize-mmap_rnd-usage.patch
@@ -0,0 +1,113 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Tue, 14 Apr 2015 15:47:57 -0700
+Subject: s390: standardize mmap_rnd() usage
+Origin: https://git.kernel.org/linus/8e89a356feb6f196824a72101861d931a97ac2d2
+Bug-Debian: https://bugs.debian.org/797530
+
+In preparation for splitting out ET_DYN ASLR, this refactors the use of
+mmap_rnd() to be used similarly to arm and x86, and extracts the
+checking of PF_RANDOMIZE.
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Acked-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Reviewed-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+---
+ arch/s390/mm/mmap.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+--- a/arch/s390/mm/mmap.c
++++ b/arch/s390/mm/mmap.c
+@@ -58,18 +58,16 @@ static inline int mmap_is_legacy(void)
+
+ static unsigned long mmap_rnd(void)
+ {
+- if (!(current->flags & PF_RANDOMIZE))
+- return 0;
+ /* 8MB randomization for mmap_base */
+ return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
+ }
+
+-static unsigned long mmap_base_legacy(void)
++static unsigned long mmap_base_legacy(unsigned long rnd)
+ {
+- return TASK_UNMAPPED_BASE + mmap_rnd();
++ return TASK_UNMAPPED_BASE + rnd;
+ }
+
+-static inline unsigned long mmap_base(void)
++static inline unsigned long mmap_base(unsigned long rnd)
+ {
+ unsigned long gap = rlimit(RLIMIT_STACK);
+
+@@ -78,7 +76,7 @@ static inline unsigned long mmap_base(vo
+ else if (gap > MAX_GAP)
+ gap = MAX_GAP;
+ gap &= PAGE_MASK;
+- return STACK_TOP - stack_maxrandom_size() - mmap_rnd() - gap;
++ return STACK_TOP - stack_maxrandom_size() - rnd - gap;
+ }
+
+ unsigned long randomize_et_dyn(void)
+@@ -86,7 +84,11 @@ unsigned long randomize_et_dyn(void)
+ unsigned long base;
+
+ base = STACK_TOP / 3 * 2;
+- return base + mmap_rnd();
++
++ if (current->flags & PF_RANDOMIZE)
++ base += mmap_rnd();
++
++ return base;
+ }
+
+ #ifndef CONFIG_64BIT
+@@ -97,15 +99,20 @@ unsigned long randomize_et_dyn(void)
+ */
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
++ unsigned long random_factor = 0UL;
++
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
++
+ /*
+ * Fall back to the standard layout if the personality
+ * bit is set, or if the expected stack growth is unlimited:
+ */
+ if (mmap_is_legacy()) {
+- mm->mmap_base = mmap_base_legacy();
++ mm->mmap_base = mmap_base_legacy(random_factor);
+ mm->get_unmapped_area = arch_get_unmapped_area;
+ } else {
+- mm->mmap_base = mmap_base();
++ mm->mmap_base = mmap_base(random_factor);
+ mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+ }
+ }
+@@ -172,15 +179,20 @@ s390_get_unmapped_area_topdown(struct fi
+ */
+ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
++ unsigned long random_factor = 0UL;
++
++ if (current->flags & PF_RANDOMIZE)
++ random_factor = mmap_rnd();
++
+ /*
+ * Fall back to the standard layout if the personality
+ * bit is set, or if the expected stack growth is unlimited:
+ */
+ if (mmap_is_legacy()) {
+- mm->mmap_base = mmap_base_legacy();
++ mm->mmap_base = mmap_base_legacy(random_factor);
+ mm->get_unmapped_area = s390_get_unmapped_area;
+ } else {
+- mm->mmap_base = mmap_base();
++ mm->mmap_base = mmap_base(random_factor);
+ mm->get_unmapped_area = s390_get_unmapped_area_topdown;
+ }
+ }
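Review bot: mmap_rnd() in arch/s390/mm/mmap.c loses its PF_RANDOMIZE test, and the patch re-adds the test at three call sites (randomize_et_dyn() and both arch_pick_mmap_layout() variants) with identical code. Any caller of mmap_rnd() outside these hunks would now randomise unconditionally, so the backport should confirm that 3.16 has none. A small helper returning the gated value would also remove the duplicated `random_factor` block.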
diff --git a/debian/patches/series b/debian/patches/series
index 16dfaa0..8869f31 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -658,6 +658,20 @@ features/all/chaoskey/hwrng-chaoskey-Add-support-for-Araneus-Alea-I-USB-RN.patch
features/all/chaoskey/hwrng-chaoskey-Fix-URB-warning-due-to-timeout-on-Ale.patch
features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
+# Make PIE address randomisation independent of mmap
+bugfix/all/pie-aslr/arm-factor-out-mmap-aslr-into-mmap_rnd.patch
+bugfix/all/pie-aslr/arm64-aslr-don-t-randomise-text-when-randomise_va_sp.patch
+bugfix/all/pie-aslr/arm64-standardize-mmap_rnd-usage.patch
+bugfix/all/pie-aslr/mips-extract-logic-for-mmap_rnd.patch
+bugfix/all/pie-aslr/powerpc-use-generic-pie-randomization.patch
+bugfix/all/pie-aslr/powerpc-standardize-mmap_rnd-usage.patch
+bugfix/all/pie-aslr/s390-change-randomize_et_dyn-to-take-void-and-use-mmap_rnd.patch
+bugfix/all/pie-aslr/s390-standardize-mmap_rnd-usage.patch
+bugfix/all/pie-aslr/mm-expose-arch_mmap_rnd-when-available.patch
+bugfix/all/pie-aslr/s390-redefine-randomize_et_dyn-for-elf_et_dyn_base.patch
+bugfix/all/pie-aslr/mm-split-et_dyn-aslr-from-mmap-aslr.patch
+bugfix/all/pie-aslr/mm-fold-arch_randomize_brk-into-arch_has_elf_randomi.patch
+
# Security fixes
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
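Review bot: The order of the twelve pie-aslr entries matters (powerpc-use-generic-pie-randomization.patch selects a Kconfig symbol that mm-split-et_dyn-aslr-from-mmap-aslr.patch later removes, and the s390 patches each modify the function the previous one introduced), but the comment line `# Make PIE address randomisation independent of mmap` names only the topic. Extending the comment to say that the entries must stay in this order and be dropped or reverted together would protect the series during later rebases.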
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git