From: Ali Saidi
To: , ,
CC: "H. Peter Anvin", Andrew Morton, Ali Saidi, Kees Cook, Borislav Petkov, Ingo Molnar, Thomas Gleixner, Peter Zijlstra, Andy Lutomirski, Dave Hansen, Will Deacon, "Catalin Marinas", David Woodhouse, Anthony Liguori
Subject: [PATCH 2/2] x86/mmap: handle worst-case heap randomization in mmap_base
Date: Tue, 12 Mar 2019 17:32:48 +0000
Message-ID: <20190312173248.13490-3-alisaidi@amazon.com>
In-Reply-To: <20190312173248.13490-1-alisaidi@amazon.com>
References: <20190312173248.13490-1-alisaidi@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Increase mmap_base by the worst-case brk randomization so that the stack
and heap remain apart.

In Linux 4.13 a change was committed that special-cased the kernel ELF
loader when the loader is invoked directly (eab09532d400; binfmt_elf: use
ELF_ET_DYN_BASE only for PIE). Generally, the loader isn't invoked directly
and this issue is limited to cases where it is (e.g. to set a
non-inheritable LD_LIBRARY_PATH, testing new versions of the loader). In
those rare cases, the loader doesn't take into account the amount of brk
randomization that will be applied by arch_randomize_brk(). This can lead
to the stack and heap being arbitrarily close to each other.

Signed-off-by: Ali Saidi
---
 arch/x86/mm/mmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c index db3165714521..98a2875c37e3 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include "physaddr.h"
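Review bot: the path of the added #include did not survive in this archived copy (all the include names in this hunk are blank), so a reader applying the patch from here cannot see which header it pulls in. The only new identifier the patch introduces is SZ_32M in the mmap_base() hunk, which is defined in linux/sizes.h, so that is the header this line should name; anyone applying the patch from this copy should confirm it against the original mail, and the include should sit in the same ordering as the neighbouring linux/ includes rather than being appended after them.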
@@ -97,6 +98,9 @@ static unsigned long mmap_base(unsigned long rnd, unsigned long task_size, unsigned long pad = stack_maxrandom_size(task_size) + stack_guard_gap; unsigned long gap_min, gap_max; + /* Provide space for brk randomization */ + pad += SZ_32M; + /* Values close to RLIM_INFINITY can overflow. */ if (gap + pad > gap) gap += pad; -- 2.15.3.AMZN
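Review bot: `pad += SZ_32M;` hard-codes the brk randomization range as a separate literal instead of sharing a constant with arch_randomize_brk(), which the commit message names as the function applying that randomization; if either side is changed without the other, the "stack and heap remain apart" guarantee silently breaks, so define the range once (an arch header define used by both arch_randomize_brk() and mmap_base()) and reference it here. Two smaller points: the padding is applied to every process, not only the direct-loader case the commit message describes, and also when brk randomization is disabled (randomize_va_space below 2), which costs every address space 32 MiB unconditionally; the commit message should state that trade-off explicitly. Placing the addition before the existing `if (gap + pad > gap)` check is right, since the overflow guard then covers the enlarged pad as well.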
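The symptom the commit message describes (heap ending up arbitrarily close to the stack when ld.so is exec'd directly) is easy to measure from user space. The probe below is an added example written for this page, not code from Ali Saidi's patch or from the kernel tree: it parses /proc/self/maps, finds the [heap] segment, and reports how many bytes separate its end from the nearest mapping above it, flagging anything below the 32 MiB budget the patch adds to mmap_base. The two embedded maps listings are constructed samples, not real captures, and the loader path /lib64/ld-linux-x86-64.so.2 in the run instructions is an assumption about a typical x86-64 glibc system.

```c
/*
 * heapgap.c: report the address-space headroom above this process's [heap]
 * (the brk area) and flag it when it is below the 32 MiB of brk
 * randomization the patch budgets for. Build with `gcc -O2 -o heapgap
 * heapgap.c`, then compare `./heapgap` with `/lib64/ld-linux-x86-64.so.2
 * ./heapgap` (loader path is an assumption for an x86-64 glibc system).
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SZ_32M (32UL << 20)   /* the padding the patch adds to mmap_base */

struct mapping {
	unsigned long start, end;
	char perms[5];
	char name[256];   /* path or pseudo-name such as [heap]; "" if none */
};

/* Parse one /proc/<pid>/maps line. Returns 1 on success, 0 if malformed. */
static int parse_maps_line(const char *line, struct mapping *m)
{
	int n;

	memset(m, 0, sizeof(*m));
	/* range and perms are kept; offset, device and inode are skipped */
	n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s",
		   &m->start, &m->end, m->perms, m->name);
	return n >= 3 && m->end > m->start;
}

/* Parse a whole maps text into out[]; returns the number of mappings. */
size_t parse_maps(const char *text, struct mapping *out, size_t max)
{
	size_t count = 0;
	const char *p = text;

	while (*p && count < max) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		char line[512];
		size_t copy = len < sizeof(line) - 1 ? len : sizeof(line) - 1;

		memcpy(line, p, copy);
		line[copy] = '\0';
		if (parse_maps_line(line, &out[count]))
			count++;
		p += len + (nl ? 1 : 0);
	}
	return count;
}

/*
 * Bytes between the end of [heap] and the start of the lowest mapping at or
 * above it. ULONG_MAX means there is no heap or nothing is mapped above it.
 */
unsigned long heap_headroom(const struct mapping *maps, size_t n)
{
	unsigned long heap_end = 0, next_above = ULONG_MAX;
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(maps[i].name, "[heap]") == 0)
			heap_end = maps[i].end;
	if (!heap_end)
		return ULONG_MAX;
	for (i = 0; i < n; i++)
		if (maps[i].start >= heap_end && maps[i].start < next_above)
			next_above = maps[i].start;
	return next_above == ULONG_MAX ? ULONG_MAX : next_above - heap_end;
}

unsigned long heap_headroom_text(const char *text)
{
	static struct mapping maps[1024];   /* ample for a small process */

	return heap_headroom(maps, parse_maps(text, maps, 1024));
}

/* True when up to 32 MiB of brk randomization could reach the next mapping. */
int heap_too_close(unsigned long headroom)
{
	return headroom < SZ_32M;
}

/* Constructed sample (not a real capture): the direct-loader layout, with
 * ld.so mapped near mmap_base, the heap placed right after it and the stack
 * only ~2 MiB further up. */
const char sample_direct_loader[] =
	"7f3a00000000-7f3a00100000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6\n"
	"7f3a00200000-7f3a00230000 r-xp 00000000 08:01 9012 /lib64/ld-linux-x86-64.so.2\n"
	"7f3a00240000-7f3a00261000 rw-p 00000000 00:00 0 [heap]\n"
	"7f3a00440000-7f3a00461000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample: the usual layout, libraries and stack far above the heap. */
const char sample_normal[] =
	"00400000-00401000 r-xp 00000000 08:01 1234 /tmp/heapgap\n"
	"00a00000-00a21000 rw-p 00000000 00:00 0 [heap]\n"
	"7f1234560000-7f1234660000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6\n"
	"7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
	static char buf[1 << 16];
	FILE *f;
	size_t n;
	unsigned long room;

	free(malloc(1));   /* make sure a [heap] segment exists */
	f = fopen("/proc/self/maps", "r");
	if (!f) {
		perror("/proc/self/maps");
		return 1;
	}
	n = fread(buf, 1, sizeof(buf) - 1, f);
	fclose(f);
	buf[n] = '\0';

	room = heap_headroom_text(buf);
	if (room == ULONG_MAX)
		puts("no [heap] segment found");
	else
		printf("headroom above heap: %lu MiB (%s)\n", room >> 20,
		       heap_too_close(room) ? "below the 32 MiB brk randomization range" : "ok");
	return 0;
}
```

Run it both ways on the same kernel: in the normal invocation the heap sits just above the binary with the whole mmap region between it and the stack, while under a direct loader exec on a kernel without this padding the heap is placed after ld.so near mmap_base and the reported headroom may fall well under 32 MiB, which is the condition the patch is meant to rule out.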