powerpc/mm: Fix possible out-of-bounds shift in arch_mmap_rnd()

Michael Ellerman patch-notifications at ellerman.id.au
Thu Apr 27 20:30:54 AEST 2017

On Tue, 2017-04-25 at 12:09:41 UTC, Michael Ellerman wrote:
> The recent patch to add runtime configuration of the ASLR limits added a bug in
> arch_mmap_rnd() where we may shift an integer (32-bits) by up to 33 bits,
> leading to undefined behaviour.
> In practice it exhibits as every process seg faulting instantly, presumably
> because the rnd value hasn't been restricited by the modulus at all. We didn't
> notice because it only happens under certain kernel configurations and if the
> number of bits is actually set to a large value.
> Fix it by switching to unsigned long.
> Fixes: 9fea59bd7ca5 ("powerpc/mm: Add support for runtime configuration of ASLR limits")
> Reported-by: Balbir Singh <bsingharora at gmail.com>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> Reviewed-by: Kees Cook <keescook at chromium.org>

Applied to powerpc next.



More information about the Linuxppc-dev mailing list