From 364473e5c59b1d2a2a8c2dd053f9a0013d37110e Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Tue, 20 Mar 2012 10:31:52 -0400
Subject: CVE-2012-1568: execshield: predictable ascii armour base address (rhbz 804957)

---
 kernel.spec | 9 +++++-
 shlib_base_randomize.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 shlib_base_randomize.patch

diff --git a/kernel.spec b/kernel.spec
index 21eb9ea24..5526525a8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 4
+%global baserelease 5
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -770,6 +770,9 @@ Patch21304: mm-thp-fix-pmd_bad-triggering.patch
 #rhbz 804007
 Patch21305: mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
 
+#rhbz 804957 CVE-2012-1568
+Patch21306: shlib_base_randomize.patch
+
 Patch21400: unhandled-irqs-switch-to-polling.patch
 
 Patch22000: weird-root-dentry-name-debug.patch
@@ -1484,6 +1487,9 @@ ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch
 #rhbz 804007
 ApplyPatch mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
 
+#rhbz 804957 CVE-2012-1568
+ApplyPatch shlib_base_randomize.patch
+
 ApplyPatch unhandled-irqs-switch-to-polling.patch
 
 ApplyPatch weird-root-dentry-name-debug.patch
@@ -2342,6 +2348,7 @@ fi
 # || ||
 %changelog
 * Tue Mar 20 2012 Josh Boyer
+- CVE-2012-1568: execshield: predictable ascii armour base address (rhbz 804957)
 - mac80211: fix possible tid_rx->reorder_timer use after free from Stanislaw Gruska (rhbz 804007)

diff --git a/shlib_base_randomize.patch b/shlib_base_randomize.patch
new file mode 100644
index 000000000..80e4d644b
--- /dev/null
+++ b/shlib_base_randomize.patch
@@ -0,0 +1,69 @@
+diff -uNrp kernel-3.2.fc16.orig/arch/x86/mm/mmap.c kernel-3.2.fc16.new/arch/x86/mm/mmap.c
+--- kernel-3.2.fc16.orig/arch/x86/mm/mmap.c 2012-03-19 16:47:03.495169091 -0400
++++ kernel-3.2.fc16.new/arch/x86/mm/mmap.c 2012-03-19 16:50:03.574168052 -0400
+@@ -106,6 +106,10 @@ static unsigned long mmap_legacy_base(vo
+ return TASK_UNMAPPED_BASE + mmap_rnd();
+ }
+ 
++#ifdef CONFIG_X86_32
++ #define SHLIB_BASE 0x00111000
++#endif
++
+ /*
+ * This function, called very early during the creation of a new
+ * process VM image, sets up which VM layout function to use:
+@@ -126,8 +126,10 @@ void arch_pick_mmap_layout(struct mm_str
+ #ifdef CONFIG_X86_32
+ if (!(current->personality & READ_IMPLIES_EXEC)
+ && !(__supported_pte_mask & _PAGE_NX)
+- && mmap_is_ia32())
++ && mmap_is_ia32()) {
++ mm->shlib_base = SHLIB_BASE + mmap_rnd();
+ mm->get_unmapped_exec_area = arch_get_unmapped_exec_area;
++ }
+ #endif
+ mm->unmap_area = arch_unmap_area_topdown;
+ }
+diff -uNrp kernel-3.2.fc16.orig/include/linux/mm_types.h kernel-3.2.fc16.new/include/linux/mm_types.h
+--- kernel-3.2.fc16.orig/include/linux/mm_types.h 2012-03-19 16:46:47.382169153 -0400
++++ kernel-3.2.fc16.new/include/linux/mm_types.h 2012-03-19 16:50:40.738168219 -0400
+@@ -300,6 +300,7 @@ struct mm_struct {
+ void (*unmap_area) (struct mm_struct *mm, unsigned long addr);
+ #endif
+ unsigned long mmap_base; /* base of mmap area */
++ unsigned long shlib_base; /* base of lib map area (ASCII armour)*/
+ unsigned long task_size; /* size of task vm space */
+ unsigned long cached_hole_size; /* if non-zero, the largest hole below free_area_cache */
+ unsigned long free_area_cache; /* first hole of size cached_hole_size or larger */
+diff -uNrp kernel-3.2.fc16.orig/mm/mmap.c kernel-3.2.fc16.new/mm/mmap.c
+--- kernel-3.2.fc16.orig/mm/mmap.c 2012-03-19 16:46:15.791169274 -0400
++++ kernel-3.2.fc16.new/mm/mmap.c 2012-03-19 16:51:37.351166875 -0400
+@@ -1594,8 +1594,6 @@ static bool should_randomize(void)
+ !(current->personality & ADDR_NO_RANDOMIZE);
+ }
+ 
+-#define SHLIB_BASE 0x00110000
+-
+ unsigned long
+ arch_get_unmapped_exec_area(struct file *filp, unsigned long addr0,
+ unsigned long len0, unsigned long pgoff, unsigned long flags)
+@@ -1612,8 +1610,8 @@ arch_get_unmapped_exec_area(struct file
+ return addr;
+ 
+ if (!addr)
+- addr = !should_randomize() ? SHLIB_BASE :
+- randomize_range(SHLIB_BASE, 0x01000000, len);
++ addr = !should_randomize() ? mm->shlib_base :
++ randomize_range(mm->shlib_base, 0x01000000, len);
+ 
+ if (addr) {
+ addr = PAGE_ALIGN(addr);
+@@ -1623,7 +1621,7 @@ arch_get_unmapped_exec_area(struct file
+ return addr;
+ }
+ 
+- addr = SHLIB_BASE;
++ addr = mm->shlib_base;
+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
+ /* At this point: (!vma || addr < vma->vm_end). */
+ if (TASK_SIZE - len < addr)
-- cgit
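Review bot: The `!should_randomize()` branch of arch_get_unmapped_exec_area now returns `mm->shlib_base`, which arch_pick_mmap_layout has already offset by `mmap_rnd()`, so a task that opted out via ADDR_NO_RANDOMIZE keeps a fixed base only if `mmap_rnd()` itself yields 0 when PF_RANDOMIZE is clear — that is not visible in this hunk and should be confirmed and recorded next to the assignment, e.g. `/* mmap_rnd() is 0 without PF_RANDOMIZE, so ADDR_NO_RANDOMIZE tasks still get a fixed base */`. Moving SHLIB_BASE from mm/mmap.c into arch/x86/mm/mmap.c also silently changes it from 0x00110000 to 0x00111000; the new define deserves a comment stating the contract it must keep, e.g. `/* Lowest ASCII-armour library base; the per-mm base is SHLIB_BASE + mmap_rnd() and must stay below the 0x01000000 ceiling passed to randomize_range() */`. The entropy this adds is bounded by whatever `mmap_rnd()` returns for ia32 tasks, which the hunk does not show, so the expected range is worth a sentence in the commit message. `mm->shlib_base` is only written on the CONFIG_X86_32 path that installs `arch_get_unmapped_exec_area`, which appears to cover every reader, but a zero base reaching the `addr = mm->shlib_base` fallback on any other path is worth ruling out explicitly. The body of arch_get_unmapped_exec_area continues outside the hunk.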