Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening
Stack's lower bits are randomized despite ADDR_NO_RANDOMIZE #52
Issue

The stack's lower bits are randomized when randomize_va_space is not 0 regardless of the ADDR_NO_RANDOMIZE personality. This is inconvenient when debugging software. It requires turning off ASLR on the whole system to have deterministic stack addresses.

Test

This can be tested with the following code:

On linux-hardened

On a vanilla kernel

Root cause

setup_arg_pages in fs/exec.c calls arch_align_stack (unless CONFIG_STACK_GROWS_UP is set). arch_align_stack checks both randomize_va_space and ADDR_NO_RANDOMIZE:

This results in the lower bits of the stack being randomized in both linux and linux-hardened.

Commit 533d2e008592cc4dc0a4b2e28716555328a3ebae randomizes the stack a second time. This code only checks for randomize_va_space:

    if (randomize_va_space)
        bprm->p ^= get_random_int() & ~PAGE_MASK;

I assume this commit exists since arch_align_stack is not defined for every architecture. Only x86, aarch64, ppc, s390, mips and um. (most notably: arm does not)

cf. arch/um/kernel/process.c:

    /*
     * Only x86 and x86_64 have an arch_align_stack().
     * All other arches have "#define arch_align_stack(x) (x)"
     * in their asm/exec.h
     */

Can we check the ADDR_NO_RANDOMIZE personality before xoring the stack pointer with a random value?
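The issue's own test program is not reproduced above. The following is an added example (not the issue author's code and not part of linux-hardened) that performs the same kind of check: it sets ADDR_NO_RANDOMIZE on itself, re-execs via /proc/self/exe so the personality takes effect, and prints the in-page offset of a stack variable. Run it several times and compare the offsets; with ASLR disabled for the process they should be identical on every run, and a kernel that still XORs the stack pointer as described in the issue will show them changing. It assumes Linux with glibc, 4 KiB pages (so ~PAGE_MASK is 0xfff, matching the quoted snippet) and a readable /proc/self/exe.

```c
/* Added example: probe whether the stack's lower bits stay deterministic
 * under the ADDR_NO_RANDOMIZE personality. Not the issue author's program. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/personality.h>

/* Assumption: 4 KiB pages, i.e. ~PAGE_MASK == 0xfff in the kernel snippet. */
#define STACK_PAGE_MASK 0xfffUL

/* The part of an address below the page boundary: exactly the bits that
 * "bprm->p ^= get_random_int() & ~PAGE_MASK" perturbs. */
uintptr_t stack_page_offset(uintptr_t addr)
{
    return addr & STACK_PAGE_MASK;
}

/* Returns 1 when every sampled offset is identical (stack lower bits are
 * deterministic across fresh execs), 0 when any run differed. */
int offsets_deterministic(const uintptr_t *offsets, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (offsets[i] != offsets[0])
            return 0;
    return 1;
}

/* Query the calling process's personality; 0xffffffff means "query only". */
int no_randomize_is_set(void)
{
    int p = personality(0xffffffff);
    return p != -1 && (p & ADDR_NO_RANDOMIZE) != 0;
}

/* Add ADDR_NO_RANDOMIZE to the current persona; it applies at the next execve. */
int set_no_randomize(void)
{
    int p = personality(0xffffffff);
    if (p == -1)
        return -1;
    return personality(p | ADDR_NO_RANDOMIZE) == -1 ? -1 : 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (!no_randomize_is_set()) {
        if (set_no_randomize() != 0) {
            perror("personality");
            return 1;
        }
        /* Re-exec ourselves so the new personality governs stack setup. */
        execv("/proc/self/exe", argv);
        perror("execv");
        return 1;
    }

    volatile char probe;              /* stack variable whose address we sample */
    uintptr_t addr = (uintptr_t)&probe;
    printf("stack addr %#lx page offset %#lx (ADDR_NO_RANDOMIZE set)\n",
           (unsigned long)addr, (unsigned long)stack_page_offset(addr));
    return 0;
}
```

Collect the printed page offsets from a handful of runs and feed them to offsets_deterministic(); a result of 0 means the kernel is still randomizing the low bits despite the personality flag, which is the behaviour this issue reports. Note that without the flag the whole address (not only the offset) is expected to vary, so compare runs only after the re-exec has happened.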