From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexandre Ghiti, Kees Cook, Luis Chamberlain, Albert Ou, Alexander Viro, Catalin Marinas, Christoph Hellwig, Christoph Hellwig, James Hogan, Palmer Dabbelt, Paul Burton, Ralf Baechle, Russell King, Will Deacon, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 5.2 127/137] arm: properly account for stack randomization and stack guard gap
Date: Sun, 6 Oct 2019 19:21:51 +0200
Message-Id: <20191006171219.914144952@linuxfoundation.org>
In-Reply-To: <20191006171209.403038733@linuxfoundation.org>

From: Alexandre Ghiti

[ Upstream commit af0f4297286f13a75edf93677b1fb2fc16c412a7 ]

This commit takes care of stack randomization and stack guard gap when computing mmap base address and checks if the task asked for randomization.

This fixes the problem uncovered and not fixed for arm here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@redhat.com

Link: http://lkml.kernel.org/r/20190730055113.23635-7-alex@ghiti.fr
Signed-off-by: Alexandre Ghiti
Acked-by: Kees Cook
Reviewed-by: Luis Chamberlain
Cc: Albert Ou
Cc: Alexander Viro
Cc: Catalin Marinas
Cc: Christoph Hellwig
Cc: Christoph Hellwig
Cc: James Hogan
Cc: Palmer Dabbelt
Cc: Paul Burton
Cc: Ralf Baechle
Cc: Russell King
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin

--- arch/arm/mm/mmap.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c index f866870db749c..bff3d00bda5be 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c 
@@ -18,8 +18,9 @@ (((pgoff)<> (PAGE_SHIFT - 12)) static int mmap_is_legacy(struct rlimit *rlim_stack) { @@ -35,6 +36,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) { unsigned long gap = rlim_stack->rlim_cur; + unsigned long pad = stack_guard_gap; + + /* Account for stack randomization if necessary */ + if (current->flags & PF_RANDOMIZE) + pad += (STACK_RND_MASK << PAGE_SHIFT); + + /* Values close to RLIM_INFINITY can overflow. */ + if (gap + pad > gap) + gap += pad; if (gap < MIN_GAP) gap = MIN_GAP; -- 2.20.1
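
Review bot: In the mmap_base() hunk, the comment "Values close to RLIM_INFINITY can overflow." does not say what happens when the check `if (gap + pad > gap)` fails: the padding is dropped silently and `gap` stays at the raw `rlim_stack->rlim_cur`, so neither the stack guard gap nor the randomization span is accounted for on that path. That is only safe if the clamping that follows this hunk brings such a `gap` back into range; the visible context shows the `MIN_GAP` floor but not an upper bound, so the comment should name the clamp it relies on (for example "on wrap, leave gap unpadded; it is clamped below"). It would also help to note that the test depends on unsigned wraparound of `unsigned long`, and that it is false when `pad` is 0 (no guard gap and no `PF_RANDOMIZE`), which is harmless here but not obvious from a comment that mentions overflow only.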