| field | value | date |
|---|---|---|
| author | Justin M. Forbes <jforbes@redhat.com> | 2016-04-07 12:15:31 -0500 |
| committer | Justin M. Forbes <jforbes@redhat.com> | 2016-04-07 12:15:31 -0500 |
| commit | 3d917f43607780314b16d33cbc13a8dd367f8c74 | |
| tree | 1cee9b30face15f6f32bdb08c68fd370e8ae6adb | |
| parent | 394fde452830e4487552df9e93c84e92bd226a9c | |
Enable Full Randomization on 32bit x86 CVE-2016-3672 (rhbz 1324749 1324750)
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | kernel.spec | 6 |
| -rw-r--r-- | x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch | 83 |

2 files changed, 89 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 358fbe8e5..f45fb30e7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -678,6 +678,9 @@ Patch688: 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch # CVE-2016-3157 rhbz 1315711 1321948 Patch689: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch +# CVE-2016-3672 rhbz 1324749 1324750 +Patch690: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch + # END OF PATCH DEFINITIONS %endif @@ -2121,6 +2124,9 @@ fi # # %changelog +* Thu Apr 07 2016 Justin M. Forbes <jforbes@fedoraproject.org> +- Enable Full Randomization on 32bit x86 CVE-2016-3672 (rhbz 1324749 1324750) + * Thu Mar 31 2016 Josh Boyer <jwboyer@fedoraproject.org> - Add two more patches for CVE-2016-2184 diff --git a/x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch b/x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch new file mode 100644 index 000000000..0776982c1 --- /dev/null +++ b/x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch 
@@ -0,0 +1,83 @@ +From 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert <hecmargi@upv.es> +Date: Thu, 10 Mar 2016 20:51:00 +0100 +Subject: [PATCH] x86/mm/32: Enable full randomization on i386 and X86_32 + +Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only +the stack and the executable are randomized but not other mmapped files +(libraries, vDSO, etc.). This patch enables randomization for the +libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. + +By default on i386 there are 8 bits for the randomization of the libraries, +vDSO and mmaps which only uses 1MB of VA. + +This patch preserves the original randomness, using 1MB of VA out of 3GB or +4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR. + +The first obvious security benefit is that all objects are randomized (not +only the stack and the executable) in legacy mode which highly increases +the ASLR effectiveness, otherwise the attackers may use these +non-randomized areas. But also sensitive setuid/setgid applications are +more secure because currently, attackers can disable the randomization of +these applications by setting the ulimit stack to "unlimited". This is a +very old and widely known trick to disable the ASLR in i386 which has been +allowed for too long. + +Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE +personality flag, but fortunately this doesn't work on setuid/setgid +applications because there is security checks which clear Security-relevant +flags. + +This patch always randomizes the mmap_legacy_base address, removing the +possibility to disable the ASLR by setting the stack to "unlimited". 
+ +Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es> +Acked-by: Ismael Ripoll Ripoll <iripoll@upv.es> +Acked-by: Kees Cook <keescook@chromium.org> +Acked-by: Arjan van de Ven <arjan@linux.intel.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: akpm@linux-foundation.org +Cc: kees Cook <keescook@chromium.org> +Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es +Signed-off-by: Ingo Molnar <mingo@kernel.org> +--- + arch/x86/mm/mmap.c | 14 +------------- + 1 file changed, 1 insertion(+), 13 deletions(-) + +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c +index 96bd1e2..389939f 100644 +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd) + } + + /* +- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 +- * does, but not when emulating X86_32 +- */ +-static unsigned long mmap_legacy_base(unsigned long rnd) +-{ +- if (mmap_is_ia32()) +- return TASK_UNMAPPED_BASE; +- else +- return TASK_UNMAPPED_BASE + rnd; +-} +- +-/* + * This function, called very early during the creation of a new + * process VM image, sets up which VM layout function to use: + */ +@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + if (current->flags & PF_RANDOMIZE) + random_factor = arch_mmap_rnd(); + +- mm->mmap_legacy_base = mmap_legacy_base(random_factor); ++ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor; + + if (mmap_is_legacy()) { + mm->mmap_base = mm->mmap_legacy_base; +-- +2.7.3 + |
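Review bot: in the first kernel.spec hunk the new Patch690 line follows the same CVE-comment convention as the preceding Patch689 entry, but this diff only adds the definition; if this spec still applies patches through an explicit list in %prep rather than from the Patch definitions alone, that list is not touched here, so confirm the new patch is actually applied in the build. The %changelog hunk is consistent with the commit subject and both rhbz references.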
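Review bot: in the arch/x86/mm/mmap.c hunk, the replacement line `mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` depends on random_factor being zero whenever PF_RANDOMIZE is clear, so that processes with randomization disabled (for example through the ADDR_NO_RANDOMIZE personality the description mentions) still get a fixed legacy base; the initialisation of random_factor sits above the visible context, so confirm it defaults to 0 and is only assigned inside the `if (current->flags & PF_RANDOMIZE)` branch. Removing mmap_legacy_base() also removes the only comment explaining that the X86_32 legacy layout was not randomized; a short comment at the new assignment saying the legacy base is now randomized on both 32-bit and 64-bit would help later readers. With that, the change does what the description claims: forcing the legacy layout via an unlimited stack limit still takes the `if (mmap_is_legacy())` path, but mmap_base no longer lands at a constant address.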