On Tue, 2017-04-25 at 12:09:41 UTC, Michael Ellerman wrote:
> The recent patch to add runtime configuration of the ASLR limits added a bug in
> arch_mmap_rnd() where we may shift an integer (32-bits) by up to 33 bits,
> leading to undefined behaviour.
>
> In practice it exhibits as every process segfaulting instantly, presumably
> because the rnd value hasn't been restricted by the modulus at all. We didn't
> notice because it only happens under certain kernel configurations and if the
> number of bits is actually set to a large value.
>
> Fix it by switching to unsigned long.
>
> Fixes: 9fea59bd7ca5 ("powerpc/mm: Add support for runtime configuration of ASLR limits")
> Reported-by: Balbir Singh <[email protected]>
> Signed-off-by: Michael Ellerman <[email protected]>
> Reviewed-by: Kees Cook <[email protected]>
Applied to powerpc next.
https://git.kernel.org/powerpc/c/b409946b2a3c1ddcde75e5f35a77e0
cheers
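The shift-width problem the commit message describes, as an added example that is not the kernel's code: a model of the corrected arch_mmap_rnd() shape (unsigned long modulus) next to the width check that a 32-bit operand cannot pass when the randomisation is 33 bits. PAGE_SHIFT of 16 and the sample "random" value are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed for the demo: 64K pages and the 33-bit randomisation the
 * commit message cites as a "large value". */
#define PAGE_SHIFT 16
#define DEMO_RND_BITS 33

/* "1 << shift" is only defined when shift is smaller than the operand
 * width; a 32-bit int therefore cannot express a 2^33 modulus at all. */
static bool shift_is_defined(unsigned int shift, size_t width_bits) {
    return shift < width_bits;
}

/* The check that fails for this bug: does the modulus fit unsigned int? */
static bool rnd_bits_fit_in_uint(unsigned int shift) {
    return shift_is_defined(shift, sizeof(unsigned int) * CHAR_BIT);
}

/* Shape of the fixed routine: modulus and result are unsigned long, so the
 * random value is actually restricted to `shift` bits before paging. */
static unsigned long mmap_rnd_model(unsigned long random, unsigned int shift) {
    if (!shift_is_defined(shift, sizeof(unsigned long) * CHAR_BIT))
        return 0; /* refuse rather than perform an undefined shift */
    unsigned long rnd = random % (1ul << shift);
    return rnd << PAGE_SHIFT;
}

int main(void) {
    unsigned long sample = 0x0123456789abcdefUL; /* constructed input */
    unsigned long off = mmap_rnd_model(sample, DEMO_RND_BITS);
    printf("%u bits fit an unsigned int modulus: %s\n", DEMO_RND_BITS,
           rnd_bits_fit_in_uint(DEMO_RND_BITS) ? "yes" : "no");
    printf("offset 0x%lx stays below 2^%u pages: %s\n", off, DEMO_RND_BITS,
           (off >> PAGE_SHIFT) < (1ul << DEMO_RND_BITS) ? "yes" : "no");
    return 0;
}
```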