CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520)
This commit is contained in:
Josh Boyer
parent
7e89ce359c
commit
d2fb0bf021
104
ASLR-fix-stack-randomization-on-64-bit-systems.patch
Normal file
104
ASLR-fix-stack-randomization-on-64-bit-systems.patch
Normal file
@ -0,0 +1,104 @@
|
||||
From: Hector Marco-Gisbert <hecmargi@upv.es>
|
||||
Date: Sat, 14 Feb 2015 09:33:50 -0800
|
||||
Subject: [PATCH] ASLR: fix stack randomization on 64-bit systems
|
||||
|
||||
The issue is that the stack for processes is not properly randomized on 64 bit
|
||||
architectures due to an integer overflow.
|
||||
|
||||
The affected function is randomize_stack_top() in file "fs/binfmt_elf.c":
|
||||
|
||||
static unsigned long randomize_stack_top(unsigned long stack_top)
|
||||
{
|
||||
unsigned int random_variable = 0;
|
||||
|
||||
if ((current->flags & PF_RANDOMIZE) &&
|
||||
!(current->personality & ADDR_NO_RANDOMIZE)) {
|
||||
random_variable = get_random_int() & STACK_RND_MASK;
|
||||
random_variable <<= PAGE_SHIFT;
|
||||
}
|
||||
return PAGE_ALIGN(stack_top) + random_variable;
|
||||
return PAGE_ALIGN(stack_top) - random_variable;
|
||||
}
|
||||
|
||||
Note that, it declares the "random_variable" variable as "unsigned int". Since
|
||||
the result of the shifting operation between STACK_RND_MASK (which is
|
||||
0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
|
||||
|
||||
random_variable <<= PAGE_SHIFT;
|
||||
|
||||
then the two leftmost bits are dropped when storing the result in the
|
||||
"random_variable". This variable shall be at least 34 bits long to hold the
|
||||
(22+12) result.
|
||||
|
||||
These two dropped bits have an impact on the entropy of process stack.
|
||||
Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One
|
||||
fourth of expected entropy).
|
||||
|
||||
This patch restores back the entropy by correcting the types involved in the
|
||||
operations in the functions randomize_stack_top() and stack_maxrandom_size().
|
||||
|
||||
The successful fix can be tested with:
|
||||
$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
|
||||
7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
|
||||
7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
|
||||
7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
|
||||
7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
|
||||
...
|
||||
|
||||
Once corrected, the leading bytes should be between 7ffc and 7fff, rather
|
||||
than always being 7fff.
|
||||
|
||||
CVE-2015-1593
|
||||
|
||||
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
|
||||
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
|
||||
[kees: rebase, fix 80 char, clean up commit message, add test example, cve]
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
arch/x86/mm/mmap.c | 6 +++---
|
||||
fs/binfmt_elf.c | 5 +++--
|
||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
|
||||
index 919b91205cd4..df4552bd239e 100644
|
||||
--- a/arch/x86/mm/mmap.c
|
||||
+++ b/arch/x86/mm/mmap.c
|
||||
@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = {
|
||||
.flags = -1,
|
||||
};
|
||||
|
||||
-static unsigned int stack_maxrandom_size(void)
|
||||
+static unsigned long stack_maxrandom_size(void)
|
||||
{
|
||||
- unsigned int max = 0;
|
||||
+ unsigned long max = 0;
|
||||
if ((current->flags & PF_RANDOMIZE) &&
|
||||
!(current->personality & ADDR_NO_RANDOMIZE)) {
|
||||
- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
|
||||
+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
|
||||
}
|
||||
|
||||
return max;
|
||||
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
|
||||
index 02b16910f4c9..995986b8e36b 100644
|
||||
--- a/fs/binfmt_elf.c
|
||||
+++ b/fs/binfmt_elf.c
|
||||
@@ -645,11 +645,12 @@ out:
|
||||
|
||||
static unsigned long randomize_stack_top(unsigned long stack_top)
|
||||
{
|
||||
- unsigned int random_variable = 0;
|
||||
+ unsigned long random_variable = 0;
|
||||
|
||||
if ((current->flags & PF_RANDOMIZE) &&
|
||||
!(current->personality & ADDR_NO_RANDOMIZE)) {
|
||||
- random_variable = get_random_int() & STACK_RND_MASK;
|
||||
+ random_variable = (unsigned long) get_random_int();
|
||||
+ random_variable &= STACK_RND_MASK;
|
||||
random_variable <<= PAGE_SHIFT;
|
||||
}
|
||||
#ifdef CONFIG_STACK_GROWSUP
|
||||
--
|
||||
2.1.0
|
||||
|
||||
@ -617,6 +617,9 @@ Patch26133: ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
|
||||
|
||||
Patch26134: perf-tools-Define-_GNU_SOURCE-on-pthread_attr_setaff.patch
|
||||
|
||||
#CVE-2015-1593 rhbz 1192519 1192520
|
||||
Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
@ -1343,6 +1346,9 @@ ApplyPatch ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
|
||||
|
||||
ApplyPatch perf-tools-Define-_GNU_SOURCE-on-pthread_attr_setaff.patch
|
||||
|
||||
#CVE-2015-1593 rhbz 1192519 1192520
|
||||
ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
@ -2209,6 +2215,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Feb 16 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-1593 stack ASLR integer overflow (rhbz 1192519 1192520)
|
||||
|
||||
* Mon Feb 16 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Minor updates for ARMv7/ARM64
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user