diff options
Diffstat (limited to 'sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch')
| -rw-r--r-- | sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch new file mode 100644 index 000000000000..510c352ac943 --- /dev/null +++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch @@ -0,0 +1,60 @@ +From ad88f96ed3ec9394614f2a43a184158e838bbd2b Mon Sep 17 00:00:00 2001 +From: Daniel Micay <danielmicay@gmail.com> +Date: Sun, 21 May 2017 20:30:44 -0400 +Subject: [PATCH 085/113] x86: determine stack entropy based on mmap entropy + +Stack mapping entropy is currently hard-wired to 11 bits of entropy on +32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra +8 bits of entropy from lower bit randomization within 16 byte alignment +constraints. The argument block could have all lower bits randomized but +it currently only gets the mapping randomization. + +Rather than hard-wiring values this switches to using the mmap entropy +configuration like the mmap base and executable base, resulting in a +range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on +kernel configuration and overridable via the sysctl entries. + +It's worth noting that since these kernel configuration options default +to the minimum supported entropy value, the entropy on 32-bit will drop +from 11 to 8 bits for builds using the defaults. However, following the +configuration seems like the right thing to do regardless. At the very +least, changing the defaults for COMPAT (32-bit processes on 64-bit) +should be considered due to the larger address space compared to real +32-bit. + +Signed-off-by: Daniel Micay <danielmicay@gmail.com> +--- + arch/x86/include/asm/elf.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h +index 58292600112d..608cca19cf8c 100644 +--- a/arch/x86/include/asm/elf.h ++++ b/arch/x86/include/asm/elf.h +@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len); + + #ifdef CONFIG_X86_32 + +-#define __STACK_RND_MASK(is32bit) (0x7ff) +-#define STACK_RND_MASK (0x7ff) ++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1) ++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1) + + #define ARCH_DLINFO ARCH_DLINFO_IA32 + +@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len); + #else /* CONFIG_X86_32 */ + + /* 1GB for 64bit, 8MB for 32bit */ +-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff) ++#ifdef CONFIG_COMPAT ++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1) ++#else ++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1) ++#endif + #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32()) + + #define ARCH_DLINFO \ +-- +2.30.0 + |