diff options
Diffstat (limited to 'sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch')
| -rw-r--r-- | sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch new file mode 100644 index 000000000000..664cbb9d96dc --- /dev/null +++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch @@ -0,0 +1,51 @@ +From b755a10376071bb32f3b0707c2c72aad777da3c9 Mon Sep 17 00:00:00 2001 +From: Daniel Micay <danielmicay@gmail.com> +Date: Mon, 22 May 2017 05:06:20 -0400 +Subject: [PATCH 086/113] arm64: determine stack entropy based on mmap entropy + +Stack mapping entropy is currently hard-wired to 11 bits of entropy on +32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra +8 bits of entropy from lower bit randomization within 16 byte alignment +constraints. The argument block could have all lower bits randomized but +it currently only gets the mapping randomization. + +Rather than hard-wiring values this switches to using the mmap entropy +configuration like the mmap base and executable base, resulting in a +range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k +pages and 3 level page tables) depending on kernel configuration and +overridable via the sysctl entries. + +It's worth noting that since these kernel configuration options default +to the minimum supported entropy value, the entropy on 32-bit will drop +from 11 to 8 bits for builds using the defaults. However, following the +configuration seems like the right thing to do regardless. At the very +least, changing the defaults for COMPAT (32-bit processes on 64-bit) +should be considered due to the larger address space compared to real +32-bit. + +Signed-off-by: Daniel Micay <danielmicay@gmail.com> +--- + arch/arm64/include/asm/elf.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h +index 26d27c7a2c2e..32c1609a1158 100644 +--- a/arch/arm64/include/asm/elf.h ++++ b/arch/arm64/include/asm/elf.h +@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm, + /* 1GB of VA */ + #ifdef CONFIG_COMPAT + #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \ +- 0x7ff >> (PAGE_SHIFT - 12) : \ +- 0x3ffff >> (PAGE_SHIFT - 12)) ++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \ ++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12)) + #else +-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12)) ++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12)) + #endif + + #ifdef __AARCH64EB__ +-- +2.30.0 + |