    mm: split ET_DYN ASLR from mmap ASLR · d1fd836d
    Kees Cook authored
    This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips,
    powerpc, and x86.  The problem is that if there is a leak of ASLR from
    the executable (ET_DYN), it means a leak of shared library offset as
    well (mmap), and vice versa.  Further details and a PoC of this attack
    are available here:
    
      http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
    
    With this patch, a PIE linked executable (ET_DYN) has its own ASLR
    region:
    
      $ ./show_mmaps_pie
      54859ccd6000-54859ccd7000 r-xp  ...  /tmp/show_mmaps_pie
      54859ced6000-54859ced7000 r--p  ...  /tmp/show_mmaps_pie
      54859ced7000-54859ced8000 rw-p  ...  /tmp/show_mmaps_pie
      7f75be764000-7f75be91f000 r-xp  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75be91f000-7f75beb1f000 ---p  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75beb1f000-7f75beb23000 r--p  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75beb23000-7f75beb25000 rw-p  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75beb25000-7f75beb2a000 rw-p  ...
      7f75beb2a000-7f75beb4d000 r-xp  ...  /lib64/ld-linux-x86-64.so.2
      7f75bed45000-7f75bed46000 rw-p  ...
      7f75bed46000-7f75bed47000 r-xp  ...
      7f75bed47000-7f75bed4c000 rw-p  ...
      7f75bed4c000-7f75bed4d000 r--p  ...  /lib64/ld-linux-x86-64.so.2
      7f75bed4d000-7f75bed4e000 rw-p  ...  /lib64/ld-linux-x86-64.so.2
      7f75bed4e000-7f75bed4f000 rw-p  ...
      7fffb3741000-7fffb3762000 rw-p  ...  [stack]
      7fffb377b000-7fffb377d000 r--p  ...  [vvar]
      7fffb377d000-7fffb377f000 r-xp  ...  [vdso]
    
    The change is to add a call to the newly created arch_mmap_rnd() into the
    ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR,
    as was already done on s390.  Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE,
    which is no longer needed.
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
    Cc: Russell King <linux@arm.linux.org.uk>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: "David A. Long" <dave.long@linaro.org>
    Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
    Cc: Arun Chandran <achandran@mvista.com>
    Cc: Yann Droneaud <ydroneaud@opteya.com>
    Cc: Min-Hua Chen <orca.chen@gmail.com>
    Cc: Paul Burton <paul.burton@imgtec.com>
    Cc: Alex Smith <alex@alex-smith.me.uk>
    Cc: Markos Chandras <markos.chandras@imgtec.com>
    Cc: Vineeth Vijayan <vvijayan@mvista.com>
    Cc: Jeff Bailey <jeffbailey@google.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Cc: Ben Hutchings <ben@decadent.org.uk>
    Cc: Behan Webster <behanw@converseincode.com>
    Cc: Ismael Ripoll <iripoll@upv.es>
    Cc: Jan-Simon Möller <dl9pf@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
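
Added example, not part of the commit or the kernel tree: a check over two /proc/<pid>/maps snapshots of the same PIE binary that reports whether the executable-to-libc distance stays constant between runs, which is the coupling the commit message describes. The first sample reuses lines from the output above; the other snapshots, the function names and the result labels are constructed for illustration.

```python
EXE, LIBC = "/tmp/show_mmaps_pie", "/lib/x86_64-linux-gnu/libc.so.6"

# First line of each image, taken from the commit message's output (patched kernel).
PATCHED_RUN_1 = """\
54859ccd6000-54859ccd7000 r-xp  ...  /tmp/show_mmaps_pie
7f75be764000-7f75be91f000 r-xp  ...  /lib/x86_64-linux-gnu/libc.so.6
7fffb3741000-7fffb3762000 rw-p  ...  [stack]
"""
# Constructed second run with separate ET_DYN and mmap regions (addresses made up).
PATCHED_RUN_2 = """\
5629a1b3c000-5629a1b3d000 r-xp  ...  /tmp/show_mmaps_pie
7f0a3c1d2000-7f0a3c38d000 r-xp  ...  /lib/x86_64-linux-gnu/libc.so.6
"""
# Constructed pair showing the weakness: both bases move, their distance does not.
COUPLED_RUN_1 = """\
7f3c1a400000-7f3c1a5bb000 r-xp  ...  /lib/x86_64-linux-gnu/libc.so.6
7f3c1a9e9000-7f3c1a9ea000 r-xp  ...  /tmp/show_mmaps_pie
"""
COUPLED_RUN_2 = """\
7f9d42c00000-7f9d42dbb000 r-xp  ...  /lib/x86_64-linux-gnu/libc.so.6
7f9d431e9000-7f9d431ea000 r-xp  ...  /tmp/show_mmaps_pie
"""

def image_bases(maps_text):
    """Map each file-backed path to the lowest start address of its mappings."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split()
        # Anonymous mappings and [stack]/[vvar]/[vdso] have no leading "/".
        if len(fields) < 3 or not fields[-1].startswith("/"):
            continue
        start = int(fields[0].split("-")[0], 16)
        bases[fields[-1]] = min(start, bases.get(fields[-1], start))
    return bases

def classify(run_a, run_b, exe=EXE, lib=LIBC):
    """Compare two snapshots of the same binary taken from separate executions."""
    a, b = image_bases(run_a), image_bases(run_b)
    if a[exe] == b[exe] and a[lib] == b[lib]:
        return "not-randomized"   # nothing moved, so ASLR is off for this process
    if a[lib] - a[exe] == b[lib] - b[exe]:
        return "coupled"          # one leaked base reveals the other
    return "independent"          # ET_DYN and mmap are randomized separately

if __name__ == "__main__":
    print(classify(PATCHED_RUN_1, PATCHED_RUN_2))
    print(classify(COUPLED_RUN_1, COUPLED_RUN_2))
```

The parser takes the last whitespace-separated field as the path, so it assumes paths without spaces.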