Bug 444611 - kernel doesn't honor ADDR_NO_RANDOMIZE for stack
Summary: kernel doesn't honor ADDR_NO_RANDOMIZE for stack
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Bryn M. Reeves
QA Contact: Martin Jenner
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 391501 KernelPrio5.3
 
Reported: 2008-04-29 15:07 UTC by Bryn M. Reeves
Modified: 2018-10-20 01:03 UTC (History)

Clone Of:
Last Closed: 2009-01-20 20:08:26 UTC


Attachments
Test case illustrating stack randomization (150 bytes, text/plain) - 2008-04-29 15:10 UTC, Bryn M. Reeves
Disable stack alignment randomization for ADDR_NO_RANDOMIZE processes (1.84 KB, patch) - 2008-04-29 16:00 UTC, Bryn M. Reeves


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2009:0225
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat Enterprise Linux 5.3 kernel security and bug fix update
Last Updated: 2009-01-20 16:06:24 UTC

Description Bryn M. Reeves 2008-04-29 15:07:00 UTC
Description of problem:
The kernel doesn't fully honor the ADDR_NO_RANDOMIZE flag for processes that set
it, e.g. via setarch -R.

Although the general randomization from fs/binfmt_elf.c:randomize_stack_top() is
disabled, randomization is also applied to the stack alignment in
arch_align_stack(), e.g.:

unsigned long arch_align_stack(unsigned long sp)
{
        if (randomize_va_space)
                sp -= get_random_int() % 8192;
        return sp & ~0xf;
}

This must also be conditional on PF_RANDOMIZE/ADDR_NO_RANDOMIZE or it will lead
to stack randomization over an 8k range (less than normal but still a problem
for debugging some apps).

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. compile & repeatedly run the following test case:
    #include <stdio.h>
    #include <stdlib.h>

    int main(){
        void *a;
        a=malloc(sizeof(int));
        /* print the address of the stack variable and the heap pointer;
           only the stack address should move when randomization is on */
        printf("%p %p\n", &a, a);
        return 0;
    }
2. E.g.:

    for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done

Actual results:
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffc378 0x601010
0x7fffffffdc48 0x601010
0x7fffffffbe28 0x601010
0x7fffffffde58 0x601010
0x7fffffffbe18 0x601010
0x7fffffffc0b8 0x601010
0x7fffffffbbb8 0x601010
0x7fffffffdc88 0x601010
0x7fffffffc478 0x601010
0x7fffffffc5e8 0x601010


Expected results:
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010


Additional info:
Fixed upstream in commit c16b63e09d9d03158e0a92e961234e94c4862620:
Author: Andi Kleen <ak@suse.de>
Date:   Tue Sep 26 10:52:28 2006 +0200

    [PATCH] i386/x86-64: Don't randomize stack top when no randomization personality is set
    
    Based on patch from Frank van Maarseveen <frankvm@frankvm.com>, but
    extended.
    
    Signed-off-by: Andi Kleen <ak@suse.de>

Comment 1 Bryn M. Reeves 2008-04-29 15:10:32 UTC
Created attachment 304126 [details]
Test case illustrating stack randomization

Comment 3 Bryn M. Reeves 2008-04-29 16:00:04 UTC
Created attachment 304135 [details]
Disable stack alignment randomization for ADDR_NO_RANDOMIZE processes

Untested rediff of the upstream patch for RHEL5 git HEAD.

Comment 4 Ric Wheeler 2008-07-24 15:40:28 UTC
Setting devel_ack for Bryn.

Comment 7 Don Zickus 2008-07-31 00:49:23 UTC
in kernel-2.6.18-101.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 12 errata-xmlrpc 2009-01-20 20:08:26 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html

