Bug 444611 - kernel doesn't honor ADDR_NO_RANDOMIZE for stack
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.2
Platform: All  OS: Linux
Priority: medium  Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Bryn M. Reeves
QA Contact: Martin Jenner
Blocks: 391501 KernelPrio5.3
Reported: 2008-04-29 11:07 EDT by Bryn M. Reeves
Modified: 2010-10-22 20:34 EDT

Doc Type: Bug Fix
Last Closed: 2009-01-20 15:08:26 EST


Attachments:
    Test case illustrating stack randomization (150 bytes, text/plain)
        2008-04-29 11:10 EDT, Bryn M. Reeves
    Disable stack alignment randomization for ADDR_NO_RANDOMIZE processes (1.84 KB, patch)
        2008-04-29 12:00 EDT, Bryn M. Reeves
Description Bryn M. Reeves 2008-04-29 11:07:00 EDT
Description of problem:
The kernel doesn't fully honor the ADDR_NO_RANDOMIZE flag for processes that set
it, e.g. via setarch -R.

Although the general randomization from fs/binfmt_elf.c:randomize_stack_top() is
disabled, randomization is also applied to the stack alignment in
arch_align_stack(), e.g.:

unsigned long arch_align_stack(unsigned long sp)
{
        if (randomize_va_space)
                sp -= get_random_int() % 8192;
        return sp & ~0xf;
}

This must also be conditional on PF_RANDOMIZE/ADDR_NO_RANDOMIZE or it will lead
to stack randomization over an 8k range (less than normal but still a problem
for debugging some apps).

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. compile & repeatedly run the following test case:
    #include <stdio.h>
    #include <stdlib.h>

    int main(){
        void *a;                         /* stack variable: &a moves with stack randomization */
        a=malloc(sizeof(int));           /* heap pointer: stays fixed across runs here */
        printf("%p %p\n", (void *)&a, a); /* print stack address, then heap address */
        return 0;
    }
2. E.g.:

    for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done

Actual results:
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffc378 0x601010
0x7fffffffdc48 0x601010
0x7fffffffbe28 0x601010
0x7fffffffde58 0x601010
0x7fffffffbe18 0x601010
0x7fffffffc0b8 0x601010
0x7fffffffbbb8 0x601010
0x7fffffffdc88 0x601010
0x7fffffffc478 0x601010
0x7fffffffc5e8 0x601010


Expected results:
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010


Additional info:
Fixed upstream in commit c16b63e09d9d03158e0a92e961234e94c4862620:
Author: Andi Kleen <ak@suse.de>
Date:   Tue Sep 26 10:52:28 2006 +0200

    [PATCH] i386/x86-64: Don't randomize stack top when no randomization personality is set
    
    Based on patch from Frank van Maarseveen <frankvm@frankvm.com>, but
    extended.
    
    Signed-off-by: Andi Kleen <ak@suse.de>
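As an added example (not code from this bug report, the attached patch or the RHEL kernel), a userspace check for whether a kernel honours ADDR_NO_RANDOMIZE for the stack: each probe forks, sets the flag, execs `cat /proc/self/stat`, and compares the startstack field (which the ELF loader derives from the arch_align_stack() result) across runs. It assumes a Linux system with /proc mounted, `cat` on PATH, and a personality() call not refused by a seccomp policy.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/personality.h>

/* Field 28 (startstack) of a /proc/<pid>/stat line, or 0 if unparsable. The ELF
 * loader stores bprm->p there after arch_align_stack() adjusted it, so the value
 * moves with the sub-page randomization this bug is about. comm may hold spaces. */
unsigned long parse_start_stack(const char *stat_line)
{
    const char *p = strrchr(stat_line, ')');          /* fields 3.. follow comm */
    for (int field = 3; p; field++)
        if ((p = strchr(p + 1, ' ')) && field == 28)  /* p: the space before field */
            return strtoul(p, NULL, 10);              /* strtoul skips that space */
    return 0;
}

/* Fork, optionally request ADDR_NO_RANDOMIZE, exec "cat /proc/self/stat" (the flag
 * only takes effect at exec; newer kernels mask startstack unless the reader may
 * ptrace the target, so the child reads its own). 0 on failure, e.g. seccomp EPERM. */
unsigned long probe_start_stack(int no_randomize)
{
    int fd[2], status;
    char buf[512] = {0};                              /* field 28 lies well inside */
    if (pipe(fd) < 0)
        return 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (no_randomize && personality(ADDR_NO_RANDOMIZE) < 0)
            _exit(127);
        dup2(fd[1], STDOUT_FILENO);
        execlp("cat", "cat", "/proc/self/stat", (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    ssize_t n = pid < 0 ? -1 : read(fd[0], buf, sizeof(buf) - 1);
    close(fd[0]);
    if (n <= 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return 0;
    return parse_start_stack(buf);
}

/* 1 if all `runs` probes report the same startstack; with no_randomize=1 a kernel
 * that has this bug (or a failed probe) yields 0, a fixed kernel yields 1. */
int stack_is_stable(int runs, int no_randomize)
{
    unsigned long first = probe_start_stack(no_randomize);
    for (int i = 1; first && i < runs; i++)
        if (probe_start_stack(no_randomize) != first)
            return 0;
    return first != 0;
}
```

Call stack_is_stable(10, 1) on the kernel under test; on an affected kernel the startstack values differ by up to 8k between runs, exactly like the &a column in the report's output.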
Comment 1 Bryn M. Reeves 2008-04-29 11:10:32 EDT
Created attachment 304126 [details]
Test case illustrating stack randomization
Comment 3 Bryn M. Reeves 2008-04-29 12:00:04 EDT
Created attachment 304135 [details]
Disable stack alignment randomization for ADDR_NO_RANDOMIZE processes

Untested rediff of the upstream patch for RHEL5 git HEAD.
Comment 4 Ric Wheeler 2008-07-24 11:40:28 EDT
Setting devel_ack for Bryn.
Comment 7 Don Zickus 2008-07-30 20:49:23 EDT
In kernel-2.6.18-101.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 12 errata-xmlrpc 2009-01-20 15:08:26 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html
