• Kees Cook's avatar
    mm: split ET_DYN ASLR from mmap ASLR · d1fd836d
    Kees Cook authored
    This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips,
    powerpc, and x86.  The problem is that if there is a leak of ASLR from
    the executable (ET_DYN), it means a leak of shared library offset as
    well (mmap), and vice versa.  Further details and a PoC of this attack
    is available here:
    
      http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
    
    With this patch, a PIE linked executable (ET_DYN) has its own ASLR
    region:
    
      $ ./show_mmaps_pie
      54859ccd6000-54859ccd7000 r-xp  ...  /tmp/show_mmaps_pie
      54859ced6000-54859ced7000 r--p  ...  /tmp/show_mmaps_pie
      54859ced7000-54859ced8000 rw-p  ...  /tmp/show_mmaps_pie
      7f75be764000-7f75be91f000 r-xp  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75be91f000-7f75beb1f000 ---p  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75beb1f000-7f75beb23000 r--p  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75beb23000-7f75beb25000 rw-p  ...  /lib/x86_64-linux-gnu/libc.so.6
      7f75beb25000-7f75beb2a000 rw-p  ...
      7f75beb2a000-7f75beb4d000 r-xp  ...  /lib64/ld-linux-x86-64.so.2
      7f75bed45000-7f75bed46000 rw-p  ...
      7f75bed46000-7f75bed47000 r-xp  ...
      7f75bed47000-7f75bed4c000 rw-p  ...
      7f75bed4c000-7f75bed4d000 r--p  ...  /lib64/ld-linux-x86-64.so.2
      7f75bed4d000-7f75bed4e000 rw-p  ...  /lib64/ld-linux-x86-64.so.2
      7f75bed4e000-7f75bed4f000 rw-p  ...
      7fffb3741000-7fffb3762000 rw-p  ...  [stack]
      7fffb377b000-7fffb377d000 r--p  ...  [vvar]
      7fffb377d000-7fffb377f000 r-xp  ...  [vdso]
    
    The change is to add a call the newly created arch_mmap_rnd() into the
    ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR,
    as was already done on s390.  Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE,
    which is no longer needed.
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Reported-by: default avatarHector Marco-Gisbert <hecmargi@upv.es>
    Cc: Russell King <linux@arm.linux.org.uk>
    Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: "David A. Long" <dave.long@linaro.org>
    Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
    Cc: Arun Chandran <achandran@mvista.com>
    Cc: Yann Droneaud <ydroneaud@opteya.com>
    Cc: Min-Hua Chen <orca.chen@gmail.com>
    Cc: Paul Burton <paul.burton@imgtec.com>
    Cc: Alex Smith <alex@alex-smith.me.uk>
    Cc: Markos Chandras <markos.chandras@imgtec.com>
    Cc: Vineeth Vijayan <vvijayan@mvista.com>
    Cc: Jeff Bailey <jeffbailey@google.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Cc: Ben Hutchings <ben@decadent.org.uk>
    Cc: Behan Webster <behanw@converseincode.com>
    Cc: Ismael Ripoll <iripoll@upv.es>
    Cc: Jan-Simon Mller <dl9pf@gmx.de>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    d1fd836d
Name
Last commit
Last update
..
9p Loading commit data...
adfs Loading commit data...
affs Loading commit data...
afs Loading commit data...
autofs4 Loading commit data...
befs Loading commit data...
bfs Loading commit data...
btrfs Loading commit data...
cachefiles Loading commit data...
ceph Loading commit data...
cifs Loading commit data...
coda Loading commit data...
configfs Loading commit data...
cramfs Loading commit data...
debugfs Loading commit data...
devpts Loading commit data...
dlm Loading commit data...
ecryptfs Loading commit data...
efivarfs Loading commit data...
efs Loading commit data...
exofs Loading commit data...
exportfs Loading commit data...
ext2 Loading commit data...
ext3 Loading commit data...
ext4 Loading commit data...
f2fs Loading commit data...
fat Loading commit data...
freevxfs Loading commit data...
fscache Loading commit data...
fuse Loading commit data...
gfs2 Loading commit data...
hfs Loading commit data...
hfsplus Loading commit data...
hostfs Loading commit data...
hpfs Loading commit data...
hppfs Loading commit data...
hugetlbfs Loading commit data...
isofs Loading commit data...
jbd Loading commit data...
jbd2 Loading commit data...
jffs2 Loading commit data...
jfs Loading commit data...
kernfs Loading commit data...
lockd Loading commit data...
logfs Loading commit data...
minix Loading commit data...
ncpfs Loading commit data...
nfs Loading commit data...
nfs_common Loading commit data...
nfsd Loading commit data...
nilfs2 Loading commit data...
nls Loading commit data...
notify Loading commit data...
ntfs Loading commit data...
ocfs2 Loading commit data...
omfs Loading commit data...
openpromfs Loading commit data...
overlayfs Loading commit data...
proc Loading commit data...
pstore Loading commit data...
qnx4 Loading commit data...
qnx6 Loading commit data...
quota Loading commit data...
ramfs Loading commit data...
reiserfs Loading commit data...
romfs Loading commit data...
squashfs Loading commit data...
sysfs Loading commit data...
sysv Loading commit data...
ubifs Loading commit data...
udf Loading commit data...
ufs Loading commit data...
xfs Loading commit data...
Kconfig Loading commit data...
Kconfig.binfmt Loading commit data...
Makefile Loading commit data...
aio.c Loading commit data...
anon_inodes.c Loading commit data...
attr.c Loading commit data...
bad_inode.c Loading commit data...
binfmt_aout.c Loading commit data...
binfmt_elf.c Loading commit data...
binfmt_elf_fdpic.c Loading commit data...
binfmt_em86.c Loading commit data...
binfmt_flat.c Loading commit data...
binfmt_misc.c Loading commit data...
binfmt_script.c Loading commit data...
block_dev.c Loading commit data...
buffer.c Loading commit data...
char_dev.c Loading commit data...
compat.c Loading commit data...
compat_binfmt_elf.c Loading commit data...
compat_ioctl.c Loading commit data...
coredump.c Loading commit data...
dax.c Loading commit data...
dcache.c Loading commit data...
dcookies.c Loading commit data...
direct-io.c Loading commit data...
drop_caches.c Loading commit data...
eventfd.c Loading commit data...
eventpoll.c Loading commit data...
exec.c Loading commit data...
fcntl.c Loading commit data...
fhandle.c Loading commit data...
file.c Loading commit data...
file_table.c Loading commit data...
filesystems.c Loading commit data...
fs-writeback.c Loading commit data...
fs_pin.c Loading commit data...
fs_struct.c Loading commit data...
inode.c Loading commit data...
internal.h Loading commit data...
ioctl.c Loading commit data...
libfs.c Loading commit data...
locks.c Loading commit data...
mbcache.c Loading commit data...
mount.h Loading commit data...
mpage.c Loading commit data...
namei.c Loading commit data...
namespace.c Loading commit data...
no-block.c Loading commit data...
nsfs.c Loading commit data...
open.c Loading commit data...
pipe.c Loading commit data...
pnode.c Loading commit data...
pnode.h Loading commit data...
posix_acl.c Loading commit data...
proc_namespace.c Loading commit data...
read_write.c Loading commit data...
readdir.c Loading commit data...
select.c Loading commit data...
seq_file.c Loading commit data...
signalfd.c Loading commit data...
splice.c Loading commit data...
stack.c Loading commit data...
stat.c Loading commit data...
statfs.c Loading commit data...
super.c Loading commit data...
sync.c Loading commit data...
timerfd.c Loading commit data...
utimes.c Loading commit data...
xattr.c Loading commit data...