From: Greg Kroah-Hartman Date: Tue, 18 Jul 2017 15:27:25 +0000 (+0200) Subject: 4.12-stable patches X-Git-Tag: v4.12.3~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3efcf0372753e0c9157ccb12ca1a42b5ea0bae0b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: arm-move-elf_et_dyn_base-to-4mb.patch arm64-move-elf_et_dyn_base-to-4gb-4mb.patch binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch powerpc-move-elf_et_dyn_base-to-4gb-4mb.patch s390-reduce-elf_et_dyn_base.patch --- diff --git a/queue-4.12/arm-move-elf_et_dyn_base-to-4mb.patch b/queue-4.12/arm-move-elf_et_dyn_base-to-4mb.patch new file mode 100644 index 00000000000..38e7a7c6b59 --- /dev/null +++ b/queue-4.12/arm-move-elf_et_dyn_base-to-4mb.patch @@ -0,0 +1,71 @@ +From 6a9af90a3bcde217a1c053e135f5f43e5d5fafbd Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Jul 2017 15:52:40 -0700 +Subject: arm: move ELF_ET_DYN_BASE to 4MB + +From: Kees Cook + +commit 6a9af90a3bcde217a1c053e135f5f43e5d5fafbd upstream. + +Now that explicitly executed loaders are loaded in the mmap region, we +have more freedom to decide where we position PIE binaries in the +address space to avoid possible collisions with mmap or stack regions. + +4MB is chosen here mainly to have parity with x86, where this is the +traditional minimum load location, likely to avoid historically +requiring a 4MB page table entry when only a portion of the first 4MB +would be used (since the NULL address is avoided). + +For ARM the position could be 0x8000, the standard ET_EXEC load address, +but that is needlessly close to the NULL address, and anyone running PIE +on 32-bit ARM will have an MMU, so the tight mapping is not needed. + +Link: http://lkml.kernel.org/r/1498154792-49952-2-git-send-email-keescook@chromium.org +Signed-off-by: Kees Cook +Cc: Russell King +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: Martin Schwidefsky +Cc: Heiko Carstens +Cc: James Hogan +Cc: Pratyush Anand +Cc: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Alexander Viro +Cc: Andy Lutomirski +Cc: Daniel Micay +Cc: Dmitry Safonov +Cc: Grzegorz Andrejczuk +Cc: Kees Cook +Cc: Masahiro Yamada +Cc: Qualys Security Advisory +Cc: Rik van Riel +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/elf.h | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/arch/arm/include/asm/elf.h ++++ b/arch/arm/include/asm/elf.h +@@ -112,12 +112,8 @@ int dump_task_regs(struct task_struct *t + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE 4096 + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. */ +- +-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) ++/* This is the base location for PIE (ET_DYN with INTERP) loads. */ ++#define ELF_ET_DYN_BASE 0x400000UL + + /* When the program starts, a1 contains a pointer to a function to be + registered with atexit, as per the SVR4 ABI. A value of 0 means we diff --git a/queue-4.12/arm64-move-elf_et_dyn_base-to-4gb-4mb.patch b/queue-4.12/arm64-move-elf_et_dyn_base-to-4gb-4mb.patch new file mode 100644 index 00000000000..ec850830599 --- /dev/null +++ b/queue-4.12/arm64-move-elf_et_dyn_base-to-4gb-4mb.patch @@ -0,0 +1,61 @@ +From 02445990a96e60a67526510d8b00f7e3d14101c3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Jul 2017 15:52:44 -0700 +Subject: arm64: move ELF_ET_DYN_BASE to 4GB / 4MB + +From: Kees Cook + +commit 02445990a96e60a67526510d8b00f7e3d14101c3 upstream. + +Now that explicitly executed loaders are loaded in the mmap region, we +have more freedom to decide where we position PIE binaries in the +address space to avoid possible collisions with mmap or stack regions. + +For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit +address space for 32-bit pointers. On 32-bit use 4MB, to match ARM. +This could be 0x8000, the standard ET_EXEC load address, but that is +needlessly close to the NULL address, and anyone running arm compat PIE +will have an MMU, so the tight mapping is not needed. + +Link: http://lkml.kernel.org/r/1498251600-132458-4-git-send-email-keescook@chromium.org +Signed-off-by: Kees Cook +Cc: Ard Biesheuvel +Cc: Catalin Marinas +Cc: Mark Rutland +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/elf.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/elf.h ++++ b/arch/arm64/include/asm/elf.h +@@ -113,12 +113,11 @@ + #define ELF_EXEC_PAGESIZE PAGE_SIZE + + /* +- * This is the location that an ET_DYN program is loaded if exec'ed. Typical +- * use of this is to invoke "./ld.so someprog" to test out a new version of +- * the loader. We need to make sure that it is out of the way of the program +- * that it will "exec", and that there is sufficient room for the brk. ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. + */ +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3) ++#define ELF_ET_DYN_BASE 0x100000000UL + + #ifndef __ASSEMBLY__ + +@@ -173,7 +172,8 @@ extern int arch_setup_additional_pages(s + + #ifdef CONFIG_COMPAT + +-#define COMPAT_ELF_ET_DYN_BASE (2 * TASK_SIZE_32 / 3) ++/* PIE load location for compat arm. Must match ARM ELF_ET_DYN_BASE. */ ++#define COMPAT_ELF_ET_DYN_BASE 0x000400000UL + + /* AArch32 registers. */ + #define COMPAT_ELF_NGREG 18 diff --git a/queue-4.12/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch b/queue-4.12/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch new file mode 100644 index 00000000000..967632cacd4 --- /dev/null +++ b/queue-4.12/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch @@ -0,0 +1,170 @@ +From eab09532d40090698b05a07c1c87f39fdbc5fab5 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Jul 2017 15:52:37 -0700 +Subject: binfmt_elf: use ELF_ET_DYN_BASE only for PIE + +From: Kees Cook + +commit eab09532d40090698b05a07c1c87f39fdbc5fab5 upstream. + +The ELF_ET_DYN_BASE position was originally intended to keep loaders +away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2 +/bin/cat" might cause the subsequent load of /bin/cat into where the +loader had been loaded.) + +With the advent of PIE (ET_DYN binaries with an INTERP Program Header), +ELF_ET_DYN_BASE continued to be used since the kernel was only looking +at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the +top 1/3rd of the TASK_SIZE, a substantial portion of the address space +is unused. + +For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are +loaded above the mmap region. This means they can be made to collide +(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with +pathological stack regions. + +Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap +region in all cases, and will now additionally avoid programs falling +back to the mmap region by enforcing MAP_FIXED for program loads (i.e. +if it would have collided with the stack, now it will fail to load +instead of falling back to the mmap region). + +To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP) +are loaded into the mmap region, leaving space available for either an +ET_EXEC binary with a fixed location or PIE being loaded into mmap by +the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE, +which means architectures can now safely lower their values without risk +of loaders colliding with their subsequently loaded programs. + +For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use +the entire 32-bit address space for 32-bit pointers. + +Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and +suggestions on how to implement this solution. + +Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR") +Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast +Signed-off-by: Kees Cook +Acked-by: Rik van Riel +Cc: Daniel Micay +Cc: Qualys Security Advisory +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Alexander Viro +Cc: Dmitry Safonov +Cc: Andy Lutomirski +Cc: Grzegorz Andrejczuk +Cc: Masahiro Yamada +Cc: Benjamin Herrenschmidt +Cc: Catalin Marinas +Cc: Heiko Carstens +Cc: James Hogan +Cc: Martin Schwidefsky +Cc: Michael Ellerman +Cc: Paul Mackerras +Cc: Pratyush Anand +Cc: Russell King +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/elf.h | 13 +++++---- + fs/binfmt_elf.c | 59 ++++++++++++++++++++++++++++++++++++++------- + 2 files changed, 58 insertions(+), 14 deletions(-) + +--- a/arch/x86/include/asm/elf.h ++++ b/arch/x86/include/asm/elf.h +@@ -245,12 +245,13 @@ extern int force_personality32; + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE 4096 + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. */ +- +-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) ++/* ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. ++ */ ++#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ ++ 0x100000000UL) + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. This could be done in user space, +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -927,17 +927,60 @@ static int load_elf_binary(struct linux_ + elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE; + + vaddr = elf_ppnt->p_vaddr; ++ /* ++ * If we are loading ET_EXEC or we have already performed ++ * the ET_DYN load_addr calculations, proceed normally. ++ */ + if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) { + elf_flags |= MAP_FIXED; + } else if (loc->elf_ex.e_type == ET_DYN) { +- /* Try and get dynamic programs out of the way of the +- * default mmap base, as well as whatever program they +- * might try to exec. This is because the brk will +- * follow the loader, and is not movable. */ +- load_bias = ELF_ET_DYN_BASE - vaddr; +- if (current->flags & PF_RANDOMIZE) +- load_bias += arch_mmap_rnd(); +- load_bias = ELF_PAGESTART(load_bias); ++ /* ++ * This logic is run once for the first LOAD Program ++ * Header for ET_DYN binaries to calculate the ++ * randomization (load_bias) for all the LOAD ++ * Program Headers, and to calculate the entire ++ * size of the ELF mapping (total_size). (Note that ++ * load_addr_set is set to true later once the ++ * initial mapping is performed.) ++ * ++ * There are effectively two types of ET_DYN ++ * binaries: programs (i.e. PIE: ET_DYN with INTERP) ++ * and loaders (ET_DYN without INTERP, since they ++ * _are_ the ELF interpreter). The loaders must ++ * be loaded away from programs since the program ++ * may otherwise collide with the loader (especially ++ * for ET_EXEC which does not have a randomized ++ * position). For example to handle invocations of ++ * "./ld.so someprog" to test out a new version of ++ * the loader, the subsequent program that the ++ * loader loads must avoid the loader itself, so ++ * they cannot share the same load range. Sufficient ++ * room for the brk must be allocated with the ++ * loader as well, since brk must be available with ++ * the loader. ++ * ++ * Therefore, programs are loaded offset from ++ * ELF_ET_DYN_BASE and loaders are loaded into the ++ * independently randomized mmap region (0 load_bias ++ * without MAP_FIXED). ++ */ ++ if (elf_interpreter) { ++ load_bias = ELF_ET_DYN_BASE; ++ if (current->flags & PF_RANDOMIZE) ++ load_bias += arch_mmap_rnd(); ++ elf_flags |= MAP_FIXED; ++ } else ++ load_bias = 0; ++ ++ /* ++ * Since load_bias is used for all subsequent loading ++ * calculations, we must lower it by the first vaddr ++ * so that the remaining calculations based on the ++ * ELF vaddrs will be correctly offset. The result ++ * is then page aligned. ++ */ ++ load_bias = ELF_PAGESTART(load_bias - vaddr); ++ + total_size = total_mapping_size(elf_phdata, + loc->elf_ex.e_phnum); + if (!total_size) { diff --git a/queue-4.12/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch b/queue-4.12/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch new file mode 100644 index 00000000000..0ec01d2a69c --- /dev/null +++ b/queue-4.12/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch @@ -0,0 +1,67 @@ +From 8d81ae05d0176da1c54aeaed697fa34be5c5575e Mon Sep 17 00:00:00 2001 +From: Cyril Bur +Date: Mon, 10 Jul 2017 15:52:21 -0700 +Subject: checkpatch: silence perl 5.26.0 unescaped left brace warnings + +From: Cyril Bur + +commit 8d81ae05d0176da1c54aeaed697fa34be5c5575e upstream. + +As of perl 5, version 26, subversion 0 (v5.26.0) some new warnings have +occurred when running checkpatch. + +Unescaped left brace in regex is deprecated here (and will be fatal in +Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){ +<-- HERE \s*/ at scripts/checkpatch.pl line 3544. + +Unescaped left brace in regex is deprecated here (and will be fatal in +Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){ +<-- HERE \s*/ at scripts/checkpatch.pl line 3885. + +Unescaped left brace in regex is deprecated here (and will be fatal in +Perl 5.30), passed through in regex; marked by <-- HERE in +m/^(\+.*(?:do|\))){ <-- HERE / at scripts/checkpatch.pl line 4374. + +It seems perfectly reasonable to do as the warning suggests and simply +escape the left brace in these three locations. + +Link: http://lkml.kernel.org/r/20170607060135.17384-1-cyrilbur@gmail.com +Signed-off-by: Cyril Bur +Acked-by: Joe Perches +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/checkpatch.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -3541,7 +3541,7 @@ sub process { + $fixedline =~ s/\s*=\s*$/ = {/; + fix_insert_line($fixlinenr, $fixedline); + $fixedline = $line; +- $fixedline =~ s/^(.\s*){\s*/$1/; ++ $fixedline =~ s/^(.\s*)\{\s*/$1/; + fix_insert_line($fixlinenr, $fixedline); + } + } +@@ -3882,7 +3882,7 @@ sub process { + my $fixedline = rtrim($prevrawline) . " {"; + fix_insert_line($fixlinenr, $fixedline); + $fixedline = $rawline; +- $fixedline =~ s/^(.\s*){\s*/$1\t/; ++ $fixedline =~ s/^(.\s*)\{\s*/$1\t/; + if ($fixedline !~ /^\+\s*$/) { + fix_insert_line($fixlinenr, $fixedline); + } +@@ -4371,7 +4371,7 @@ sub process { + if (ERROR("SPACING", + "space required before the open brace '{'\n" . $herecurr) && + $fix) { +- $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\))){/$1 {/; ++ $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\)))\{/$1 {/; + } + } + diff --git a/queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch b/queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch deleted file mode 100644 index 4190e80e926..00000000000 --- a/queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch +++ /dev/null @@ -1,71 +0,0 @@ -From b49defe83659cefbb1763d541e779da32594ab10 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Fri, 30 Jun 2017 13:25:45 +0200 -Subject: kvm: avoid unused variable warning for UP builds - -From: Paolo Bonzini - -commit b49defe83659cefbb1763d541e779da32594ab10 upstream. - -The uniprocessor version of smp_call_function_many does not evaluate -all of its argument, and the compiler emits a warning about "wait" -being unused. This breaks the build on architectures for which -"-Werror" is enabled by default. - -Work around it by moving the invocation of smp_call_function_many to -its own inline function. - -Reported-by: Paul Mackerras -Fixes: 7a97cec26b94c909f4cbad2dc3186af3e457a522 -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman - ---- - virt/kvm/kvm_main.c | 24 +++++++++++++++--------- - 1 file changed, 15 insertions(+), 9 deletions(-) - ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -187,12 +187,23 @@ static void ack_flush(void *_completed) - { - } - -+static inline bool kvm_kick_many_cpus(const struct cpumask *cpus, bool wait) -+{ -+ if (unlikely(!cpus)) -+ cpus = cpu_online_mask; -+ -+ if (cpumask_empty(cpus)) -+ return false; -+ -+ smp_call_function_many(cpus, ack_flush, NULL, wait); -+ return true; -+} -+ - bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req) - { - int i, cpu, me; - cpumask_var_t cpus; -- bool called = true; -- bool wait = req & KVM_REQUEST_WAIT; -+ bool called; - struct kvm_vcpu *vcpu; - - zalloc_cpumask_var(&cpus, GFP_ATOMIC); -@@ -207,14 +218,9 @@ bool kvm_make_all_cpus_request(struct kv - - if (cpus != NULL && cpu != -1 && cpu != me && - kvm_request_needs_ipi(vcpu, req)) -- cpumask_set_cpu(cpu, cpus); -+ __cpumask_set_cpu(cpu, cpus); - } -- if (unlikely(cpus == NULL)) -- smp_call_function_many(cpu_online_mask, ack_flush, NULL, wait); -- else if (!cpumask_empty(cpus)) -- smp_call_function_many(cpus, ack_flush, NULL, wait); -- else -- called = false; -+ called = kvm_kick_many_cpus(cpus, !!(req & KVM_REQUEST_WAIT)); - put_cpu(); - free_cpumask_var(cpus); - return called; diff --git a/queue-4.12/powerpc-move-elf_et_dyn_base-to-4gb-4mb.patch b/queue-4.12/powerpc-move-elf_et_dyn_base-to-4gb-4mb.patch new file mode 100644 index 00000000000..97a65a17bf1 --- /dev/null +++ b/queue-4.12/powerpc-move-elf_et_dyn_base-to-4gb-4mb.patch @@ -0,0 +1,63 @@ +From 47ebb09d54856500c5a5e14824781902b3bb738e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Jul 2017 15:52:47 -0700 +Subject: powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB + +From: Kees Cook + +commit 47ebb09d54856500c5a5e14824781902b3bb738e upstream. + +Now that explicitly executed loaders are loaded in the mmap region, we +have more freedom to decide where we position PIE binaries in the +address space to avoid possible collisions with mmap or stack regions. + +For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit +address space for 32-bit pointers. On 32-bit use 4MB, which is the +traditional x86 minimum load location, likely to avoid historically +requiring a 4MB page table entry when only a portion of the first 4MB +would be used (since the NULL address is avoided). + +Link: http://lkml.kernel.org/r/1498154792-49952-4-git-send-email-keescook@chromium.org +Signed-off-by: Kees Cook +Tested-by: Michael Ellerman +Acked-by: Michael Ellerman +Cc: Russell King +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Martin Schwidefsky +Cc: Heiko Carstens +Cc: James Hogan +Cc: Pratyush Anand +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/elf.h | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/elf.h ++++ b/arch/powerpc/include/asm/elf.h +@@ -23,12 +23,13 @@ + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE PAGE_SIZE + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. */ +- +-#define ELF_ET_DYN_BASE 0x20000000 ++/* ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. ++ */ ++#define ELF_ET_DYN_BASE (is_32bit_task() ? 0x000400000UL : \ ++ 0x100000000UL) + + #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0) + diff --git a/queue-4.12/s390-reduce-elf_et_dyn_base.patch b/queue-4.12/s390-reduce-elf_et_dyn_base.patch new file mode 100644 index 00000000000..f246ae1da13 --- /dev/null +++ b/queue-4.12/s390-reduce-elf_et_dyn_base.patch @@ -0,0 +1,66 @@ +From a73dc5370e153ac63718d850bddf0c9aa9d871e6 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Jul 2017 15:52:51 -0700 +Subject: s390: reduce ELF_ET_DYN_BASE + +From: Kees Cook + +commit a73dc5370e153ac63718d850bddf0c9aa9d871e6 upstream. + +Now that explicitly executed loaders are loaded in the mmap region, we +have more freedom to decide where we position PIE binaries in the +address space to avoid possible collisions with mmap or stack regions. + +For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit +address space for 32-bit pointers. On 32-bit use 4MB, which is the +traditional x86 minimum load location, likely to avoid historically +requiring a 4MB page table entry when only a portion of the first 4MB +would be used (since the NULL address is avoided). For s390 the +position could be 0x10000, but that is needlessly close to the NULL +address. + +Link: http://lkml.kernel.org/r/1498154792-49952-5-git-send-email-keescook@chromium.org +Signed-off-by: Kees Cook +Cc: Russell King +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: Martin Schwidefsky +Cc: Heiko Carstens +Cc: James Hogan +Cc: Pratyush Anand +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/elf.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/arch/s390/include/asm/elf.h ++++ b/arch/s390/include/asm/elf.h +@@ -161,14 +161,13 @@ extern unsigned int vdso_enabled; + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE 4096 + +-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical +- use of this is to invoke "./ld.so someprog" to test out a new version of +- the loader. We need to make sure that it is out of the way of the program +- that it will "exec", and that there is sufficient room for the brk. 64-bit +- tasks are aligned to 4GB. */ +-#define ELF_ET_DYN_BASE (is_compat_task() ? \ +- (STACK_TOP / 3 * 2) : \ +- (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1)) ++/* ++ * This is the base location for PIE (ET_DYN with INTERP) loads. On ++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address ++ * space open for things that want to use the area for 32-bit pointers. ++ */ ++#define ELF_ET_DYN_BASE (is_compat_task() ? 0x000400000UL : \ ++ 0x100000000UL) + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. */ diff --git a/queue-4.12/series b/queue-4.12/series index 9a16a8b5a65..c3e10dec091 100644 --- a/queue-4.12/series +++ b/queue-4.12/series @@ -33,7 +33,6 @@ drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch kvm-arm64-fix-phy-counter-access-failure-in-guest.patch kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch kvm-vfio-decouple-only-when-we-match-a-group.patch -kvm-avoid-unused-variable-warning-for-up-builds.patch irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch parisc-use-compat_sys_keyctl.patch @@ -45,3 +44,9 @@ thp-mm-fix-crash-due-race-in-madv_free-handling.patch kernel-extable.c-mark-core_kernel_text-notrace.patch mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch +checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch +binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch +arm-move-elf_et_dyn_base-to-4mb.patch +arm64-move-elf_et_dyn_base-to-4gb-4mb.patch +powerpc-move-elf_et_dyn_base-to-4gb-4mb.patch +s390-reduce-elf_et_dyn_base.patch