From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexandre Ghiti , Kees Cook , Luis Chamberlain , Albert Ou , Alexander Viro , Catalin Marinas , Christoph Hellwig , Christoph Hellwig , James Hogan , Palmer Dabbelt , Paul Burton , Ralf Baechle , Russell King , Will Deacon , Andrew Morton , Linus Torvalds , Sasha Levin
Subject: [PATCH AUTOSEL 4.19 32/33] arm: properly account for stack randomization and stack guard gap
Date: Sun, 29 Sep 2019 13:34:20 -0400
Message-Id: <20190929173424.9361-32-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190929173424.9361-1-sashal@kernel.org>
References: <20190929173424.9361-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alexandre Ghiti

[ Upstream commit af0f4297286f13a75edf93677b1fb2fc16c412a7 ]

This commit takes care of stack randomization and stack guard gap when
computing mmap base address and checks if the task asked for
randomization. This fixes the problem uncovered and not fixed for arm
here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@redhat.com

Link: http://lkml.kernel.org/r/20190730055113.23635-7-alex@ghiti.fr
Signed-off-by: Alexandre Ghiti
Acked-by: Kees Cook
Reviewed-by: Luis Chamberlain
Cc: Albert Ou
Cc: Alexander Viro
Cc: Catalin Marinas
Cc: Christoph Hellwig
Cc: Christoph Hellwig
Cc: James Hogan
Cc: Palmer Dabbelt
Cc: Paul Burton
Cc: Ralf Baechle
Cc: Russell King
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
---
 arch/arm/mm/mmap.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c index f866870db749c..bff3d00bda5be 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c 
@@ -18,8 +18,9 @@ (((pgoff)<> (PAGE_SHIFT - 12)) static int mmap_is_legacy(struct rlimit *rlim_stack) { @@ -35,6 +36,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) { unsigned long gap = rlim_stack->rlim_cur; + unsigned long pad = stack_guard_gap; + + /* Account for stack randomization if necessary */ + if (current->flags & PF_RANDOMIZE) + pad += (STACK_RND_MASK << PAGE_SHIFT); + + /* Values close to RLIM_INFINITY can overflow. */ + if (gap + pad > gap) + gap += pad; if (gap < MIN_GAP) gap = MIN_GAP; -- 2.20.1
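
Review bot: In the mmap_base() hunk, the guard `if (gap + pad > gap)` skips the padding entirely when the sum wraps, so gap keeps its near-RLIM_INFINITY value and the result depends on an upper clamp that is not among the lines shown. The comment "Values close to RLIM_INFINITY can overflow." should say that the padding is deliberately dropped in that case and name the later bound that makes this safe, so the check is not later "simplified" into an unconditional `gap += pad`. Separately, `pad += (STACK_RND_MASK << PAGE_SHIFT)` is evaluated in whatever type the STACK_RND_MASK macro has before being widened into the unsigned long pad; the macro's definition is not legible in the first hunk as it appears here, so either confirm it is an unsigned long expression or cast it at this use.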