powerpc/mm: Fix possible out-of-bounds shift in arch_mmap_rnd()

Michael Ellerman patch-notifications at ellerman.id.au
Thu Apr 27 20:30:54 AEST 2017


On Tue, 2017-04-25 at 12:09:41 UTC, Michael Ellerman wrote:
> The recent patch to add runtime configuration of the ASLR limits added a bug in
> arch_mmap_rnd() where we may shift an integer (32-bits) by up to 33 bits,
> leading to undefined behaviour.
> 
> In practice it exhibits as every process seg faulting instantly, presumably
> because the rnd value hasn't been restricted by the modulus at all. We didn't
> notice because it only happens under certain kernel configurations and if the
> number of bits is actually set to a large value.
> 
> Fix it by switching to unsigned long.
> 
> Fixes: 9fea59bd7ca5 ("powerpc/mm: Add support for runtime configuration of ASLR limits")
> Reported-by: Balbir Singh <bsingharora at gmail.com>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> Reviewed-by: Kees Cook <keescook at chromium.org>

Applied to powerpc next.

https://git.kernel.org/powerpc/c/b409946b2a3c1ddcde75e5f35a77e0

cheers
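The bug class the commit message describes, shown as an added C example that is not part of the patch or the powerpc tree: the int-width shift beside the unsigned long form, plus the range check a reviewer would want. PAGE_SHIFT, the function names and the sample shift widths are assumptions.

```c
#include <stdint.h>
#include <limits.h>
#include <stddef.h>

/* Assumed values, not taken from the patch: 64 KiB pages (PAGE_SHIFT 16). */
#define PAGE_SHIFT 16
#define ULONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/* Buggy shape described in the commit message: the literal 1 is an int, so
 * "1 << shift" is undefined behaviour once shift reaches 32, even though the
 * result is stored in an unsigned long. Kept for comparison only; it must
 * never be called with shift >= 32. */
unsigned long buggy_modulus(unsigned int shift)
{
	return (unsigned long)(1 << shift);   /* UB for shift >= 32 */
}

/* Fixed shape: shift an unsigned long, and refuse widths that would still
 * overflow that type. Returns 0 on an out-of-range request so the caller can
 * detect a misconfiguration instead of silently computing garbage. */
unsigned long fixed_modulus(unsigned int shift)
{
	if (shift >= ULONG_BITS)
		return 0;
	return 1UL << shift;
}

/* Randomised mmap offset as the commit message describes it: the random
 * value reduced modulo 2^shift, then scaled into page units. The random
 * value is a parameter so the result can be checked deterministically. */
unsigned long mmap_rnd(unsigned long random, unsigned int shift)
{
	unsigned long mod = fixed_modulus(shift);

	if (mod == 0)
		return 0;
	return (random % mod) << PAGE_SHIFT;
}

/* True when the offset stays inside the configured randomisation range;
 * an unrestricted rnd (the symptom in the commit message) fails this. */
int rnd_in_range(unsigned long rnd, unsigned int shift)
{
	unsigned long mod = fixed_modulus(shift);

	return mod != 0 && (rnd >> PAGE_SHIFT) < mod;
}
```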

