[PATCH] powerpc/mm: Fix possible out-of-bounds shift in arch_mmap_rnd()
Kees Cook
keescook at chromium.org
Wed Apr 26 02:08:51 AEST 2017
On Tue, Apr 25, 2017 at 5:09 AM, Michael Ellerman <mpe at ellerman.id.au> wrote:
> The recent patch to add runtime configuration of the ASLR limits added a bug in
> arch_mmap_rnd() where we may shift an integer (32-bits) by up to 33 bits,
> leading to undefined behaviour.
>
> In practice it exhibits as every process seg faulting instantly, presumably
> because the rnd value hasn't been restricted by the modulus at all. We didn't
> notice because it only happens under certain kernel configurations and if the
> number of bits is actually set to a large value.
>
> Fix it by switching to unsigned long.
>
> Fixes: 9fea59bd7ca5 ("powerpc/mm: Add support for runtime configuration of ASLR limits")
> Reported-by: Balbir Singh <bsingharora at gmail.com>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> ---
> arch/powerpc/mm/mmap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
> index 005aa8a44915..9dbd2a733d6b 100644
> --- a/arch/powerpc/mm/mmap.c
> +++ b/arch/powerpc/mm/mmap.c
> @@ -66,7 +66,7 @@ unsigned long arch_mmap_rnd(void)
> if (is_32bit_task())
> shift = mmap_rnd_compat_bits;
> #endif
> - rnd = get_random_long() % (1 << shift);
> + rnd = get_random_long() % (1ul << shift);
>
> return rnd << PAGE_SHIFT;
> }
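Review bot: `1ul << shift` on line 33 is still undefined behaviour if `shift` ever reaches BITS_PER_LONG, so the fix only holds as long as whatever bounds `mmap_rnd_bits` and `mmap_rnd_compat_bits` (the latter used in the `is_32bit_task()` branch just above) keep `shift` strictly below the width of `unsigned long`; those bounds are not visible in this hunk, and on a 32-bit kernel `unsigned long` is only 32 bits wide, so the commit message's "up to 33 bits" would not be a safe value there. A `WARN_ON_ONCE(shift >= BITS_PER_LONG)` before the modulus, or expressing the power-of-two reduction as `get_random_long() & ((1ul << shift) - 1)`, would make the assumed bound explicit at the point of use.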
> --
> 2.7.4
Reviewed-by: Kees Cook <keescook at chromium.org>
-Kees
--
Kees Cook
Pixel Security
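The following is an added example written for this page, not code from the kernel or from the patch above. It mirrors the shape of `arch_mmap_rnd()` (reduce a random value modulo 2^shift, then convert pages to a byte offset) and shows the two things the thread turns on: when `1 << shift` on an `int` is defined C at all, and a guard that rejects a `shift` too wide for `unsigned long` instead of leaving the modulus undefined. `PAGE_SHIFT` is assumed to be 12, and the random source is a constructed, deterministic stand-in for `get_random_long()` so the output is reproducible.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 4K pages; the kernel value depends on the configuration. */
#define PAGE_SHIFT 12
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Constructed stand-in for get_random_long(): a 64-bit xorshift generator
 * driven by caller-owned state, so runs are reproducible. Not kernel code. */
static unsigned long fake_random_long(uint64_t *state)
{
    uint64_t x = *state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    *state = x;
    return (unsigned long)x;
}

/* Returns 1 if (1 << shift) on an int is well-defined C, 0 otherwise.
 * Shifting a signed int is undefined once shift >= its width, and already
 * at shift == width-1 because the result would set the sign bit. */
int int_shift_is_defined(unsigned shift)
{
    return shift < (unsigned)(sizeof(int) * CHAR_BIT - 1);
}

/* Returns 1 if 2^shift can be built in an unsigned long AND the resulting
 * page count can still be scaled by PAGE_SHIFT without wrapping. */
int mmap_rnd_shift_ok(unsigned shift)
{
    return shift >= 1 && shift + PAGE_SHIFT <= BITS_PER_LONG;
}

/* The fixed computation from the patch, with the bound made explicit:
 * returns a page-aligned offset below 2^shift pages, or ULONG_MAX when the
 * shift is out of range (ULONG_MAX cannot be a valid result because the
 * largest valid offset is (2^shift - 1) << PAGE_SHIFT < ULONG_MAX). */
unsigned long bounded_mmap_rnd(unsigned long random, unsigned shift)
{
    if (!mmap_rnd_shift_ok(shift))
        return ULONG_MAX;
    /* 1UL keeps the modulus an unsigned long, as in the patch. */
    return (random % (1UL << shift)) << PAGE_SHIFT;
}

/* Largest byte offset bounded_mmap_rnd() can return for a given shift. */
unsigned long max_mmap_rnd(unsigned shift)
{
    return ((1UL << shift) - 1) << PAGE_SHIFT;
}

int main(void)
{
    uint64_t state = 0x9E3779B97F4A7C15ULL; /* constructed seed */
    unsigned shifts[] = { 17, 28, 33, 40 };
    for (unsigned i = 0; i < sizeof(shifts) / sizeof(shifts[0]); i++) {
        unsigned shift = shifts[i];
        unsigned long rnd = bounded_mmap_rnd(fake_random_long(&state), shift);
        printf("shift=%2u int-shift-defined=%d ok-for-long=%d rnd=0x%lx max=0x%lx\n",
               shift, int_shift_is_defined(shift), mmap_rnd_shift_ok(shift),
               rnd, mmap_rnd_shift_ok(shift) ? max_mmap_rnd(shift) : 0UL);
    }
    return 0;
}
```

Running it on a 64-bit host shows that shift 33 is rejected by `int_shift_is_defined()` but accepted by `mmap_rnd_shift_ok()`, which is exactly the gap between the buggy `1 << shift` and the patched `1ul << shift`; on a 32-bit host both reject 33, which is the case the reviewer note above is about.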