Bug 444611
| Field | Value |
|---|---|
| Summary | kernel doesn't honor ADDR_NO_RANDOMIZE for stack |
| Product | Red Hat Enterprise Linux 5 |
| Component | kernel |
| Version | 5.2 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Target Milestone | rc |
| Target Release | --- |
| Reporter | Bryn M. Reeves <bmr> |
| Assignee | Bryn M. Reeves <bmr> |
| QA Contact | Martin Jenner <mjenner> |
| CC | tao |
| Doc Type | Bug Fix |
| Last Closed | 2009-01-20 20:08:26 UTC |
| Bug Blocks | 391501, 448732 |
Attachments:

- Attachment 304126 [details]: Test case illustrating stack randomization
- Attachment 304135 [details]: Disable stack alignment randomization for ADDR_NO_RANDOMIZE processes. Untested rediff of the upstream patch for RHEL5 git HEAD.

Setting devel_ack for Bryn.

in kernel-2.6.18-101.el5

You can download this test kernel from http://people.redhat.com/dzickus/el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-0225.html
Description of problem:

The kernel doesn't fully honor the ADDR_NO_RANDOMIZE flag for processes that set it, e.g. via setarch -R. Although the general randomization from fs/binfmt_elf.c:randomize_stack_top() is disabled, randomization is also applied to the stack alignment in arch_align_stack(), e.g.:

```c
unsigned long arch_align_stack(unsigned long sp)
{
	if (randomize_va_space)
		sp -= get_random_int() % 8192;
	return sp & ~0xf;
}
```

This must also be conditional on PF_RANDOMIZE/ADDR_NO_RANDOMIZE or it will lead to stack randomization over an 8k range (less than normal but still a problem for debugging some apps).

Version-Release number of selected component (if applicable):

How reproducible: 100%

Steps to Reproduce:

1. Compile & repeatedly run the following test case:

```c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	void *a;
	a = malloc(sizeof(int));
	/* print the address of the stack variable and the heap address it holds */
	printf("%p %p\n", &a, a);
	return 0;
}
```

2. E.g.:

```
for i in `seq 1 10`; do setarch x86_64 -R ./a.out; done
```

Actual results:

```
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffc378 0x601010
0x7fffffffdc48 0x601010
0x7fffffffbe28 0x601010
0x7fffffffde58 0x601010
0x7fffffffbe18 0x601010
0x7fffffffc0b8 0x601010
0x7fffffffbbb8 0x601010
0x7fffffffdc88 0x601010
0x7fffffffc478 0x601010
0x7fffffffc5e8 0x601010
```

Expected results:

```
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
```

Additional info:

Fixed upstream in commit c16b63e09d9d03158e0a92e961234e94c4862620:

```
Author: Andi Kleen <ak>
Date:   Tue Sep 26 10:52:28 2006 +0200

    [PATCH] i386/x86-64: Don't randomize stack top when no randomization personality is set

    Based on patch from Frank van Maarseveen <frankvm>, but extended.

    Signed-off-by: Andi Kleen <ak>
```
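An added example, not from the bug report or the kernel patch: a self-contained version of the reproducer above that sets ADDR_NO_RANDOMIZE itself via personality(2) instead of relying on setarch -R, re-executes itself ten times and reports whether the stack address stays fixed (it varies within an 8k window on a kernel with this bug). The `--child` marker, the run count and the exit codes are constructed for this example; it needs Linux/glibc.

```c
/* Added example (not from the bug report): re-exec under the ADDR_NO_RANDOMIZE
 * personality (what setarch -R does) and check that a stack address is constant. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/personality.h>
#include <sys/wait.h>
#include <unistd.h>
#define RUNS 10

int all_same(const unsigned long *addr, size_t n)   /* 1 if all n addresses match */
{
    for (size_t i = 1; i < n; i++)
        if (addr[i] != addr[0]) return 0;
    return 1;
}

/* Run one child with ADDR_NO_RANDOMIZE set; store the stack address it prints. */
static int run_child(const char *self, unsigned long *out)
{
    int fd[2], status; pid_t pid;
    char buf[64] = {0};
    if (pipe(fd) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                                   /* child */
        dup2(fd[1], STDOUT_FILENO);
        if (personality(ADDR_NO_RANDOMIZE) < 0) _exit(2);  /* EPERM in some sandboxes */
        execlp(self, self, "--child", (char *)NULL);  /* "--child": constructed marker */
        _exit(3);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (n <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    *out = strtoul(buf, NULL, 16);                    /* child printed "%p" */
    return 0;
}

int main(int argc, char **argv)
{
    unsigned long addr[RUNS];
    if (argc > 1) {            /* child: report the address of a stack variable */
        int local = 0; printf("%p\n", (void *)&local); return 0;
    }
    for (int i = 0; i < RUNS; i++)
        if (run_child(argv[0], &addr[i]) < 0) {
            fprintf(stderr, "run %d failed (personality() denied here?)\n", i); return 2;
        }
    printf("stack address %s across %d ADDR_NO_RANDOMIZE runs\n",
           all_same(addr, RUNS) ? "stable" : "VARIES (bug 444611 behaviour)", RUNS);
    return all_same(addr, RUNS) ? 0 : 1;
}
```

Exit status 0 means the kernel honors the flag for the stack, 1 reproduces the bug, and 2 means the check could not run (typically personality() being denied by a sandbox).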