Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp6402719ybh;
        Wed, 7 Aug 2019 23:26:54 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxv5eCZ9CjDQMiMjANiYnsqCJvExJVQGwRLie6UG1q5k0QY0XWG4pmfo3GXPmiCF2aDR8OW
X-Received: by 2002:a17:90a:f488:: with SMTP id bx8mr2329800pjb.91.1565245614272;
        Wed, 07 Aug 2019 23:26:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1565245614; cv=none;
        d=google.com; s=arc-20160816;
        b=yKQiWbhTd+S7kBYl9pbsmriI40I1+K3vn8cH25FYeKSRIGyhL1ktMZ5nSyYBoIz63N
         qtFT1iFC8tem25Z+Cv+IOFh+Vt7hECGozZ5NKR8G0uaUx/NtLl6v0XCJeB3aC11lQRRx
         S1Gvty+6VsJej0vouk+TH8Bn/IeuNq+Hy1n/d17AcNJHGNPKIAXgZPyRshJcxooLeiF1
         LsjaWeRiS8A95VoI6sdLL8O+Se1MF/Y8e6F3gp8Bml+OKGjkb5ilgJzc4tFsFy8XwGTk
         lLn3pgh/xG0JIsjWnYRrI0EMf9DSHv6iKRaUA5JzachYp7iYOSnl6SSF43QUZahJm3YB
         n6XQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=wVOEOj3ZQH/LmpW3WBqdwFnDIfuDrBVXLtErTwdcowY=;
        b=MlJWU3MfXTfBN0SeC6FUD9aFPlS9aBYJLwABuGD0QbFZfCdDbwqt2yWh0/PVEu9ahV
         f4jzYfu04rf6ufiOWIru+mv5WSVuQlM6+0vgHQU5m7iUrFNJB6f9GnGvInARSvL5afCN
         ZR58BqwSzrGf3D0aHMbl5Zq4dgg9eqKY/CQtFSIgdlLB9WvF8FA8v1Lk0beLVXR7692e
         HgchM3bm7sVW00iaK6Tf5HZYOQaBPkZD0l6k2YlwrT8A6LRptgFgdybG/WQyULxbY3qy
         WIXn8UwE9Ke/sJahYAHtnTqIhOnbl7erxyTB8yiZTjfctnOWs8aZii8lMGWhZSL2WEut
         jNLQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n1si1190337pjo.28.2019.08.07.23.26.39;
        Wed, 07 Aug 2019 23:26:54 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731264AbfHHGYm (ORCPT <rfc822;stevepeted@gmail.com>
        + 99 others); Thu, 8 Aug 2019 02:24:42 -0400
Received: from relay3-d.mail.gandi.net ([217.70.183.195]:57413 "EHLO
        relay3-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726187AbfHHGYl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Aug 2019 02:24:41 -0400
X-Originating-IP: 79.86.19.127
Received: from alex.numericable.fr (127.19.86.79.rev.sfr.net [79.86.19.127])
        (Authenticated sender: alex@ghiti.fr)
        by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 94D2C6000B;
        Thu,  8 Aug 2019 06:24:35 +0000 (UTC)
From:   Alexandre Ghiti <alex@ghiti.fr>
To:     Andrew Morton <akpm@linux-foundation.org>
Cc:     Paul Walmsley <paul.walmsley@sifive.com>,
        Luis Chamberlain <mcgrof@kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Russell King <linux@armlinux.org.uk>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Ralf Baechle <ralf@linux-mips.org>,
        Paul Burton <paul.burton@mips.com>,
        James Hogan <jhogan@kernel.org>,
        Palmer Dabbelt <palmer@sifive.com>,
        Albert Ou <aou@eecs.berkeley.edu>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Kees Cook <keescook@chromium.org>,
        linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        linux-mips@vger.kernel.org, linux-riscv@lists.infradead.org,
        linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
        Alexandre Ghiti <alex@ghiti.fr>
Subject: [PATCH v6 06/14] arm: Properly account for stack randomization and stack guard gap
Date:   Thu,  8 Aug 2019 02:17:48 -0400
Message-Id: <20190808061756.19712-7-alex@ghiti.fr>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190808061756.19712-1-alex@ghiti.fr>
References: <20190808061756.19712-1-alex@ghiti.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This commit takes care of stack randomization and stack guard gap when
computing mmap base address and checks if the task asked for randomization.

This fixes the problem uncovered and not fixed for arm here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@redhat.com

Signed-off-by: Alexandre Ghiti <alex@ghiti.fr>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
---
 arch/arm/mm/mmap.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
index f866870db749..bff3d00bda5b 100644
--- a/arch/arm/mm/mmap.c
+++ b/arch/arm/mm/mmap.c
@@ -18,8 +18,9 @@
 	 (((pgoff)<<PAGE_SHIFT) & (SHMLBA-1)))
 
 /* gap between mmap and stack */
-#define MIN_GAP (128*1024*1024UL)
-#define MAX_GAP ((TASK_SIZE)/6*5)
+#define MIN_GAP		(128*1024*1024UL)
+#define MAX_GAP		((TASK_SIZE)/6*5)
+#define STACK_RND_MASK	(0x7ff >> (PAGE_SHIFT - 12))
 
 static int mmap_is_legacy(struct rlimit *rlim_stack)
 {
@@ -35,6 +36,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack)
 static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack)
 {
 	unsigned long gap = rlim_stack->rlim_cur;
+	unsigned long pad = stack_guard_gap;
+
+	/* Account for stack randomization if necessary */
+	if (current->flags & PF_RANDOMIZE)
+		pad += (STACK_RND_MASK << PAGE_SHIFT);
+
+	/* Values close to RLIM_INFINITY can overflow. */
+	if (gap + pad > gap)
+		gap += pad;
 
 	if (gap < MIN_GAP)
 		gap = MIN_GAP;
-- 
2.20.1