1. Design

The goal of RANDUSTACK is to introduce randomness into the userland stack
addresses of a task.

Every task has a userland stack that is created during execve() (and copied
in fork() into the child). This stack is mandatory because it is the way
the kernel passes the arguments and the environment to the new task. The
kernel normally creates the stack at the end of the userland address space
so that it can grow downwards later. If the application is multithreaded,
thread stacks are created by userland using the mmap() interface and hence
they are subject to RANDMMAP, not RANDUSTACK (or rather, they would be were
it not for a 'feature' in linuxthreads that effectively prevents thread
stack randomization for now). Linuxthreads has another 'feature' that
prevents one from arbitrarily moving the task's stack, as it assumes that
this stack will always have the highest address in the address space and
that thread stacks will go below it.

2. Implementation

RANDUSTACK randomizes every task's userland stack on task creation. Since
the userland stack is created in two steps (from PaX's point of view),
randomization is applied in two steps as well.

In the first step the kernel allocates and populates pages for the stack;
in the second step it maps those pages into the task's address space.

The first step begins in fs/exec.c in the do_execve() function. The kernel
uses a temporary stack pointer stored in bprm.p to track the data copied
onto the would-be stack pages; this is where PaX applies the first part of
the randomization: on i386, bits 2-11 are randomized, resulting in a maximum
shift of 4 kB. Since at this point no information is available about the
new task, this randomization cannot be applied selectively.

The second step occurs when setup_arg_pages() gets called: this is where
the kernel maps the previously populated physical stack pages into the new
task's address space. Normally the bottom of the stack goes at STACK_TOP;
PaX modifies this constant in include/asm-i386/a.out.h to include a random
shift (delta_stack) in bits 12-27. This results in an additional maximum
shift of 256 MB. At this point enough is known about the new task to apply
this randomization selectively.

The end result of the randomization is that data which was copied onto the
stack before setup_arg_pages() has bits 2-27 randomized (26 bits), while the
rest has bits 4-27 randomized (24 bits), because the create_elf_tables()
function in fs/binfmt_elf.c aligns the stack pointer on a 16 byte boundary,
that is, it discards the randomization in bits 2-3.
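The following is an added model of the bit arithmetic described above, written for this page; it is not PaX's own code. The masks mirror the bit ranges given in the text, MODEL_STACK_TOP is an assumed placeholder for the i386 STACK_TOP constant, and the random inputs are supplied by the caller rather than drawn from the kernel's RNG.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of RANDUSTACK's two randomization steps on i386.
 * Not PaX code: masks follow the bit ranges in the text, the stack top
 * value is an assumed placeholder, randomness comes from the caller. */

#define MODEL_STACK_TOP 0xC0000000u   /* assumed stand-in for STACK_TOP */
#define STEP1_MASK      0x00000FFCu   /* bits 2-11: shift applied to bprm.p */
#define STEP2_MASK      0x0FFFF000u   /* bits 12-27: delta_stack in STACK_TOP */
#define ELF_SP_ALIGN    16u           /* create_elf_tables() alignment */

/* Number of randomized bits a mask contributes (population count). */
unsigned entropy_bits(uint32_t mask) {
    unsigned n = 0;
    for (; mask; mask &= mask - 1) n++;
    return n;
}

/* Step 1: shift of the temporary stack pointer while arguments and the
 * environment are copied (nothing is known about the new task yet). */
uint32_t step1_shift(uint32_t rnd) { return rnd & STEP1_MASK; }

/* Step 2: delta_stack folded into STACK_TOP when setup_arg_pages() maps
 * the populated pages (can be applied selectively at this point). */
uint32_t step2_shift(uint32_t rnd) { return rnd & STEP2_MASK; }

/* Address of data copied in step 1: both shifts apply, bits 2-27 vary. */
uint32_t early_data_addr(uint32_t rnd1, uint32_t rnd2, uint32_t offset) {
    return MODEL_STACK_TOP - step2_shift(rnd2) - step1_shift(rnd1) - offset;
}

/* Initial stack pointer handed to the program: create_elf_tables() rounds
 * it down to 16 bytes, so the randomization in bits 2-3 is discarded. */
uint32_t initial_sp(uint32_t rnd1, uint32_t rnd2, uint32_t used) {
    return early_data_addr(rnd1, rnd2, used) & ~(ELF_SP_ALIGN - 1);
}

int main(void) {
    uint32_t both = STEP1_MASK | STEP2_MASK;
    printf("step 1: %u bits, max shift %u bytes\n",
           entropy_bits(STEP1_MASK), (unsigned)STEP1_MASK);
    printf("step 2: %u bits, max shift %u MB\n",
           entropy_bits(STEP2_MASK), (unsigned)(STEP2_MASK >> 20));
    printf("early data: %u bits, aligned sp: %u bits\n",
           entropy_bits(both), entropy_bits(both & ~(ELF_SP_ALIGN - 1)));
    return 0;
}
```

Running it reports 10 bits (up to 4092 bytes) for step 1, 16 bits (up to 255 MB) for step 2, 26 bits for early-copied data and 24 bits for the aligned stack pointer, matching the figures in the text.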