From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexandre Ghiti, Kees Cook, Paul Burton, Luis Chamberlain, Albert Ou, Alexander Viro, Catalin Marinas, Christoph Hellwig, Christoph Hellwig, James Hogan, Palmer Dabbelt, Ralf Baechle, Russell King, Will Deacon, Andrew Morton, Linus Torvalds, Sasha Levin, linux-mips@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 31/33] mips: properly account for stack randomization and stack guard gap
Date: Sun, 29 Sep 2019 13:34:19 -0400
Message-Id: <20190929173424.9361-31-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190929173424.9361-1-sashal@kernel.org>
References: <20190929173424.9361-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alexandre Ghiti

[ Upstream commit b1f61b5bde3a1f50392c97b4c8513d1b8efb1cf2 ]

This commit takes care of stack randomization and stack guard gap when computing mmap base address and checks if the task asked for randomization.

This fixes the problem uncovered and not fixed for arm here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@redhat.com

Link: http://lkml.kernel.org/r/20190730055113.23635-10-alex@ghiti.fr
Signed-off-by: Alexandre Ghiti
Acked-by: Kees Cook
Acked-by: Paul Burton
Reviewed-by: Luis Chamberlain
Cc: Albert Ou
Cc: Alexander Viro
Cc: Catalin Marinas
Cc: Christoph Hellwig
Cc: Christoph Hellwig
Cc: James Hogan
Cc: Palmer Dabbelt
Cc: Ralf Baechle
Cc: Russell King
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

--- arch/mips/mm/mmap.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c index 1b705fb2f10c4..233033f99d8fc 100644 --- a/arch/mips/mm/mmap.c +++ b/arch/mips/mm/mmap.c
@@ -21,8 +21,9 @@ unsigned long shm_align_mask = PAGE_SIZE - 1; /* Sane caches */ EXPORT_SYMBOL(shm_align_mask); /* gap between mmap and stack */ -#define MIN_GAP (128*1024*1024UL) -#define MAX_GAP ((TASK_SIZE)/6*5) +#define MIN_GAP (128*1024*1024UL) +#define MAX_GAP ((TASK_SIZE)/6*5) +#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) static int mmap_is_legacy(struct rlimit *rlim_stack) { @@ -38,6 +39,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) { unsigned long gap = rlim_stack->rlim_cur; + unsigned long pad = stack_guard_gap; + + /* Account for stack randomization if necessary */ + if (current->flags & PF_RANDOMIZE) + pad += (STACK_RND_MASK << PAGE_SHIFT); + + /* Values close to RLIM_INFINITY can overflow. */ + if (gap + pad > gap) + gap += pad; if (gap < MIN_GAP) gap = MIN_GAP; -- 2.20.1
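
Review bot: the new STACK_RND_MASK define in the first hunk, next to MIN_GAP and MAX_GAP, has no comment and no #ifndef guard. The padding computed from it is only correct if it matches the mask actually used to randomize the stack top, so a one-line comment saying where that mask comes from, plus an #ifndef STACK_RND_MASK / #endif wrapper, would keep this local copy from drifting or clashing with a definition pulled in from a header. The MIN_GAP and MAX_GAP lines are also removed and re-added with the same values, which reads as whitespace-only churn; for a stable backport it would be cleaner to leave them untouched.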
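
Review bot: in the mmap_base() hunk, the test "if (gap + pad > gap)" silently skips the addition when the sum wraps, so for stack limits near RLIM_INFINITY the guard gap and randomization padding are dropped and gap continues unpadded. The comment "Values close to RLIM_INFINITY can overflow." says why the check exists but not what happens next; if the MAX_GAP clamp outside the visible context is what bounds that case, please say so in the comment so the skipped padding is clearly intentional. It is also worth a note that pad is added before the "gap < MIN_GAP" clamp, so a small rlim_cur plus pad that still falls below MIN_GAP ends up as exactly MIN_GAP.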