From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexandre Ghiti,
    Kees Cook, Paul Burton, Luis Chamberlain, Albert Ou, Alexander Viro,
    Catalin Marinas, Christoph Hellwig, Christoph Hellwig, James Hogan,
    Palmer Dabbelt, Ralf Baechle, Russell King, Will Deacon,
    Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 4.19 075/106] mips: properly account for stack randomization and stack guard gap
Date: Sun, 6 Oct 2019 19:21:21 +0200
Message-Id: <20191006171155.204874463@linuxfoundation.org>
In-Reply-To: <20191006171124.641144086@linuxfoundation.org>
References: <20191006171124.641144086@linuxfoundation.org>

From: Alexandre Ghiti

[ Upstream commit b1f61b5bde3a1f50392c97b4c8513d1b8efb1cf2 ]

This commit takes care of stack randomization and stack guard gap when
computing mmap base address and checks if the task asked for
randomization.

This fixes the problem uncovered and not fixed for arm here:
https://lkml.kernel.org/r/20170622200033.25714-1-riel@redhat.com

Link: http://lkml.kernel.org/r/20190730055113.23635-10-alex@ghiti.fr
Signed-off-by: Alexandre Ghiti
Acked-by: Kees Cook
Acked-by: Paul Burton
Reviewed-by: Luis Chamberlain
Cc: Albert Ou
Cc: Alexander Viro
Cc: Catalin Marinas
Cc: Christoph Hellwig
Cc: Christoph Hellwig
Cc: James Hogan
Cc: Palmer Dabbelt
Cc: Ralf Baechle
Cc: Russell King
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
--- arch/mips/mm/mmap.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c index 1b705fb2f10c4..233033f99d8fc 100644 --- a/arch/mips/mm/mmap.c +++ b/arch/mips/mm/mmap.c
@@ -21,8 +21,9 @@ unsigned long shm_align_mask = PAGE_SIZE - 1; /* Sane caches */ EXPORT_SYMBOL(shm_align_mask); /* gap between mmap and stack */ -#define MIN_GAP (128*1024*1024UL) -#define MAX_GAP ((TASK_SIZE)/6*5) +#define MIN_GAP (128*1024*1024UL) +#define MAX_GAP ((TASK_SIZE)/6*5) +#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) static int mmap_is_legacy(struct rlimit *rlim_stack) { @@ -38,6 +39,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) { unsigned long gap = rlim_stack->rlim_cur; + unsigned long pad = stack_guard_gap; + + /* Account for stack randomization if necessary */ + if (current->flags & PF_RANDOMIZE) + pad += (STACK_RND_MASK << PAGE_SHIFT); + + /* Values close to RLIM_INFINITY can overflow. */ + if (gap + pad > gap) + gap += pad; if (gap < MIN_GAP) gap = MIN_GAP; -- 2.20.1
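
Review bot: the new STACK_RND_MASK define in the first hunk (beside MIN_GAP and MAX_GAP) carries no comment saying what the value represents or which code applies the matching stack randomization. "0x7ff >> (PAGE_SHIFT - 12)" works out to 0x7ff pages at a 4 KiB page size, scaled down for larger pages, so roughly 8 MiB of offset, but a reader has to derive that. A one-line comment stating the intended range would help. If the mask has to agree with the one used when the stack top is actually randomized, a shared definition would be safer than a file-local copy that can drift. The expression also assumes PAGE_SHIFT is at least 12, since a negative shift count is undefined; that assumption deserves a mention in the comment.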
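
Review bot: in the mmap_base() hunk, when "gap + pad" wraps around, the pad is dropped silently and gap keeps the raw rlim_cur value. The comment says overflow can happen but not why skipping the pad is safe. Only the MIN_GAP check is visible in the trailing context, so the comment should state that the value is bounded afterwards by the clamp that follows, if that is what the code relies on. Separately, pad is added before the MIN_GAP floor is applied, so for small stack limits the guard gap and randomization range are absorbed into the 128 MiB minimum rather than reserved on top of it. If that is intended, a short note here would save the next reader from wondering whether the floor should be "MIN_GAP + pad".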