From: Alexandre Ghiti
To: Andrew Morton
Cc: Luis Chamberlain, Christoph Hellwig, Russell King, Catalin Marinas, Will Deacon, Ralf Baechle, Paul Burton, James Hogan, Palmer Dabbelt, Albert Ou, Alexander Viro, Kees Cook, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linux-riscv@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Alexandre Ghiti
Subject: [PATCH v5 06/14] arm: Properly account for stack randomization and stack guard gap
Date: Tue, 30 Jul 2019 01:51:05 -0400
Message-Id: <20190730055113.23635-7-alex@ghiti.fr>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190730055113.23635-1-alex@ghiti.fr>
References: <20190730055113.23635-1-alex@ghiti.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

This commit takes care of stack randomization and stack guard gap when computing mmap base address and checks if the task asked for randomization. This fixes the problem uncovered and not fixed for arm here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@redhat.com

Signed-off-by: Alexandre Ghiti
Acked-by: Kees Cook
Reviewed-by: Luis Chamberlain

--- arch/arm/mm/mmap.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c index f866870db749..bff3d00bda5b 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c @@ -18,8 +18,9 @@ (((pgoff)<> (PAGE_SHIFT - 12)) static int mmap_is_legacy(struct rlimit *rlim_stack) { 
@@ -35,6 +36,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) { unsigned long gap = rlim_stack->rlim_cur; + unsigned long pad = stack_guard_gap; + + /* Account for stack randomization if necessary */ + if (current->flags & PF_RANDOMIZE) + pad += (STACK_RND_MASK << PAGE_SHIFT); + + /* Values close to RLIM_INFINITY can overflow. */ + if (gap + pad > gap) + gap += pad; if (gap < MIN_GAP) gap = MIN_GAP; -- 2.20.1
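
Review bot: The wraparound guard `if (gap + pad > gap)` in mmap_base() drops the whole pad when the sum would overflow, so for a stack rlimit near RLIM_INFINITY neither the guard gap nor the randomization range is added here, and the result is left to any later clamping, which this hunk does not show. Please extend the "Values close to RLIM_INFINITY can overflow" comment to say what bounds gap in that skipped case, so the branch is not read as leaving the mmap base unpadded. A smaller point in the same hunk: `(STACK_RND_MASK << PAGE_SHIFT)` is shifted in the macro's own type before it is added to the `unsigned long pad`; writing `((unsigned long)STACK_RND_MASK << PAGE_SHIFT)` would make the width explicit regardless of how the mask is defined.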