Description of problem:
The kernel doesn't fully honor the ADDR_NO_RANDOMIZE flag for processes that set it, e.g. via setarch -R. Although the general randomization from fs/binfmt_elf.c:randomize_stack_top() is disabled, randomization is also applied to the stack alignment in arch_align_stack(), e.g.:

unsigned long arch_align_stack(unsigned long sp)
{
	if (randomize_va_space)
		sp -= get_random_int() % 8192;
	return sp & ~0xf;
}

This must also be conditional on PF_RANDOMIZE/ADDR_NO_RANDOMIZE or it will lead to stack randomization over an 8k range (less than normal but still a problem for debugging some apps).

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. compile & repeatedly run the following test case:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	void *a;

	a = malloc(sizeof(int));
	/* print a stack address (&a) and a heap address (a) per run */
	printf("%p %p\n", (void *)&a, a);
	return 0;
}

2. E.g.: for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done

Actual results:
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffc378 0x601010
0x7fffffffdc48 0x601010
0x7fffffffbe28 0x601010
0x7fffffffde58 0x601010
0x7fffffffbe18 0x601010
0x7fffffffc0b8 0x601010
0x7fffffffbbb8 0x601010
0x7fffffffdc88 0x601010
0x7fffffffc478 0x601010
0x7fffffffc5e8 0x601010

Expected results:
$ for i in `seq 1 10`;do setarch x86_64 -R ./a.out ;done
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010
0x7fffffffe1b8 0x601010

Additional info:
Fixed upstream in commit c16b63e09d9d03158e0a92e961234e94c4862620:

Author: Andi Kleen <ak>
Date:   Tue Sep 26 10:52:28 2006 +0200

    [PATCH] i386/x86-64: Don't randomize stack top when no randomization personality is set

    Based on patch from Frank van Maarseveen <frankvm>, but extended.

    Signed-off-by: Andi Kleen <ak>
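The report's manual check (run the test case ten times under setarch -R and eyeball the first column) can be automated. The following is an added example, not code from the report or the kernel patch: it sets the ADDR_NO_RANDOMIZE persona itself, the same flag setarch -R sets, re-runs its own "--child" mode ten times, and counts how many distinct stack addresses come back. count_distinct_stack_addrs() parses the "<stack> <heap>" lines the test case prints; the --child argument and the 64-entry limit are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

/* Count distinct stack addresses (first field) in "<stack> <heap>\n" lines,
 * the format the report's test case prints. Stops at a malformed line. */
int count_distinct_stack_addrs(const char *out) {
    unsigned long seen[64];
    int n = 0;
    while (*out) {
        char *end; unsigned long addr = strtoul(out, &end, 16);
        const char *nl = (end == out) ? NULL : strchr(end, '\n');
        if (!nl) break;
        int i = 0;
        while (i < n && seen[i] != addr) i++;            /* seen before? */
        if (i == n && n < 64) seen[n++] = addr;
        out = nl + 1;
    }
    return n;
}

/* Run "<self> --child" 'runs' times; 1 distinct address = flag fully honored. */
int live_check(const char *self, int runs) {
    char cmd[512], buf[1024];
    size_t used = 0;
    snprintf(cmd, sizeof cmd, "%s --child", self);
    for (int i = 0; i < runs; i++) {
        FILE *p = popen(cmd, "r");                       /* persona inherited */
        if (!p) return -1;
        char *line = fgets(buf + used, (int)(sizeof buf - used), p);
        pclose(p);
        if (!line) return -1;
        used += strlen(line);
    }
    return count_distinct_stack_addrs(buf);
}

int main(int argc, char **argv) {
    if (argc > 1 && !strcmp(argv[1], "--child")) {       /* the report's test */
        void *a = malloc(sizeof(int));
        printf("%p %p\n", (void *)&a, a);
        return 0;
    }
    /* Like setarch -R: the persona flag is inherited by every child we exec. */
    if (personality(ADDR_NO_RANDOMIZE) == -1) return 2;
    int d = live_check(argv[0], 10);
    printf("%d distinct stack address(es) in 10 runs (1 = flag honored)\n", d);
    return d == 1 ? 0 : 1;
}
```

On a kernel with the bug described above the exit status is 1 and the count is close to 10; on a fixed kernel it is 0 and 1. Note that a setuid child would clear the inherited flag, so this only checks ordinary binaries.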
Created attachment 304126
Test case illustrating stack randomization
Created attachment 304135
Disable stack alignment randomization for ADDR_NO_RANDOMIZE processes

Untested rediff of the upstream patch for RHEL5 git HEAD.
Setting devel_ack for Bryn.
in kernel-2.6.18-101.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html