2015-11-26 22:59:54

by Dan Cashman

[permalink] [raw]
Subject: [PATCH v4 0/4] Allow customizable random offset to mmap_base address.

Address Space Layout Randomization (ASLR) provides a barrier to exploitation of user-space processes in the presence of security vulnerabilities by making it more difficult to find desired code/data which could help an attack. This is done by adding a random offset to the location of regions in the process address space, with a greater range of potential offset values corresponding to better protection/a larger search-space for brute force, but also to greater potential for fragmentation.

The offset added to the mmap_base address, which provides the basis for the majority of the mappings for a process, is set once on process exec in arch_pick_mmap_layout() and is done via hard-coded per-arch values, which reflect, hopefully, the best compromise for all systems. The trade-off between increased entropy in the offset value generation and the corresponding increased variability in address space fragmentation is not absolute, however, and some platforms may tolerate higher amounts of entropy. This patch introduces both new Kconfig values and a sysctl interface which may be used to change the amount of entropy used for offset generation on a system.

The direct motivation for this change was in response to the libstagefright vulnerabilities that affected Android, specifically to information provided by Google's project zero at:

http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html

The attack presented therein, by Google's project zero, specifically targeted the limited randomness used to generate the offset added to the mmap_base address in order to craft a brute-force-based attack. Concretely, the attack was against the mediaserver process, which was limited to respawning every 5 seconds, on an arm device. The hard-coded 8 bits used resulted in an average expected success rate of defeating the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a piece). With this patch, and an accompanying increase in the entropy value to 16 bits, the same attack would take an average expected time of over 45 hours (32768 tries), which makes it both less feasible and more likely to be noticed.

The introduced Kconfig and sysctl options are limited by per-arch minimum and maximum values, the minimum of which was chosen to match the current hard-coded value and the maximum of which was chosen so as to give the greatest flexibility without generating an invalid mmap_base address, generally a 3-4 bits less than the number of bits in the user-space accessible virtual address space.

When decided whether or not to change the default value, a system developer should consider that mmap_base address could be placed anywhere up to 2^(value) bits away from the non-randomized location, which would introduce variable-sized areas above and below the mmap_base address such that the maximum vm_area_struct size may be reduced, preventing very large allocations.

Changes in v4:
[all]
* changed signed-off to [email protected] from [email protected]

[1/4]
* mark min/max variables as 'const'
* mark rnd_bits variables as '__read_mostly'
* add default option for compat other than min
* change docs to /proc/sys/vm from /proc/sys/vm
* change procfs perms to 600

[3/4]
* added arm64 ifdef COMPAT to avoid compilation error
* added values for arm64 16k pages
* changed arm64 config ARCH_VA_BITS to ARM64_VA_BITS
* added 36 and 47 ARM64_VA_BITS defaults

not (yet) addressed:
* changing config/procfs value to be page-size agnostic
* changing makefile to avoid complicated config defaults
* removing unsupported arm64 page and VA_BITS combos
* mips, powerpc, s390

dcashman (4):
mm: mmap: Add new /proc tunable for mmap_base ASLR.
arm: mm: support ARCH_MMAP_RND_BITS.
arm64: mm: support ARCH_MMAP_RND_BITS.
x86: mm: support ARCH_MMAP_RND_BITS.

Documentation/sysctl/vm.txt | 29 +++++++++++++++++++
arch/Kconfig | 68 +++++++++++++++++++++++++++++++++++++++++++++
arch/arm/Kconfig | 10 +++++++
arch/arm/mm/mmap.c | 3 +-
arch/arm64/Kconfig | 31 +++++++++++++++++++++
arch/arm64/mm/mmap.c | 8 ++++--
arch/x86/Kconfig | 16 +++++++++++
arch/x86/mm/mmap.c | 12 ++++----
include/linux/mm.h | 11 ++++++++
kernel/sysctl.c | 22 +++++++++++++++
mm/mmap.c | 12 ++++++++
11 files changed, 212 insertions(+), 10 deletions(-)

--
2.6.0.rc2.230.g3dd15c0


2015-11-26 23:00:47

by Dan Cashman

[permalink] [raw]
Subject: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

ASLR only uses as few as 8 bits to generate the random offset for the
mmap base address on 32 bit architectures. This value was chosen to
prevent a poorly chosen value from dividing the address space in such
a way as to prevent large allocations. This may not be an issue on all
platforms. Allow the specification of a minimum number of bits so that
platforms desiring greater ASLR protection may determine where to place
the trade-off.

Signed-off-by: Daniel Cashman <[email protected]>
---
Documentation/sysctl/vm.txt | 29 +++++++++++++++++++
arch/Kconfig | 68 +++++++++++++++++++++++++++++++++++++++++++++
include/linux/mm.h | 11 ++++++++
kernel/sysctl.c | 22 +++++++++++++++
mm/mmap.c | 12 ++++++++
5 files changed, 142 insertions(+)

diff --git a/Documentation/sysctl/vm.txt b/Documentation/sysctl/vm.txt
index f72370b..ee763f3 100644
--- a/Documentation/sysctl/vm.txt
+++ b/Documentation/sysctl/vm.txt
@@ -42,6 +42,8 @@ Currently, these files are in /proc/sys/vm:
- min_slab_ratio
- min_unmapped_ratio
- mmap_min_addr
+- mmap_rnd_bits
+- mmap_rnd_compat_bits
- nr_hugepages
- nr_overcommit_hugepages
- nr_trim_pages (only if CONFIG_MMU=n)
@@ -485,6 +487,33 @@ against future potential kernel bugs.

==============================================================

+mmap_rnd_bits:
+
+This value can be used to select the number of bits to use to
+determine the random offset to the base address of vma regions
+resulting from mmap allocations on architectures which support
+tuning address space randomization. This value will be bounded
+by the architecture's minimum and maximum supported values.
+
+This value can be changed after boot using the
+/proc/sys/vm/mmap_rnd_bits tunable
+
+==============================================================
+
+mmap_rnd_compat_bits:
+
+This value can be used to select the number of bits to use to
+determine the random offset to the base address of vma regions
+resulting from mmap allocations for applications run in
+compatibility mode on architectures which support tuning address
+space randomization. This value will be bounded by the
+architecture's minimum and maximum supported values.
+
+This value can be changed after boot using the
+/proc/sys/vm/mmap_rnd_compat_bits tunable
+
+==============================================================
+
nr_hugepages

Change the minimum size of the hugepage pool.
diff --git a/arch/Kconfig b/arch/Kconfig
index 4e949e5..237f1c5 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -511,6 +511,74 @@ config ARCH_HAS_ELF_RANDOMIZE
- arch_mmap_rnd()
- arch_randomize_brk()

+config HAVE_ARCH_MMAP_RND_BITS
+ bool
+ help
+ An arch should select this symbol if it supports setting a variable
+ number of bits for use in establishing the base address for mmap
+ allocations and provides values for both:
+ - ARCH_MMAP_RND_BITS_MIN
+ - ARCH_MMAP_RND_BITS_MAX
+
+config ARCH_MMAP_RND_BITS_MIN
+ int
+
+config ARCH_MMAP_RND_BITS_MAX
+ int
+
+config ARCH_MMAP_RND_BITS_DEFAULT
+ int
+
+config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+ default ARCH_MMAP_RND_BITS_MIN
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+ determine the random offset to the base address of vma regions
+ resulting from mmap allocations. This value will be bounded
+ by the architecture's minimum and maximum supported values.
+
+ This value can be changed after boot using the
+ /proc/sys/vm/mmap_rnd_bits tunable
+
+config HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ bool
+ help
+ An arch should select this symbol if it supports running applications
+ in compatibility mode, supports setting a variable number of bits for
+ use in establishing the base address for mmap allocations, and
+ provides values for both:
+ - ARCH_MMAP_RND_COMPAT_BITS_MIN
+ - ARCH_MMAP_RND_COMPAT_BITS_MAX
+
+config ARCH_MMAP_RND_COMPAT_BITS_MIN
+ int
+
+config ARCH_MMAP_RND_COMPAT_BITS_MAX
+ int
+
+config ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+ int
+
+config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+ default ARCH_MMAP_RND_COMPAT_BITS_MIN
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+ determine the random offset to the base address of vma regions
+ resulting from mmap allocations for compatible applications This
+ value will be bounded by the architecture's minimum and maximum
+ supported values.
+
+ This value can be changed after boot using the
+ /proc/sys/vm/mmap_rnd_compat_bits tunable
+
config HAVE_COPY_THREAD_TLS
bool
help
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 00bad77..6f6dd6e 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -51,6 +51,17 @@ extern int sysctl_legacy_va_layout;
#define sysctl_legacy_va_layout 0
#endif

+#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
+extern const int mmap_rnd_bits_min;
+extern const int mmap_rnd_bits_max;
+extern int mmap_rnd_bits __read_mostly;
+#endif
+#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
+extern const int mmap_rnd_compat_bits_min;
+extern const int mmap_rnd_compat_bits_max;
+extern int mmap_rnd_compat_bits __read_mostly;
+#endif
+
#include <asm/page.h>
#include <asm/pgtable.h>
#include <asm/processor.h>
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index dc6858d..a9db0cf 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
.mode = 0644,
.proc_handler = proc_doulongvec_minmax,
},
+#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
+ {
+ .procname = "mmap_rnd_bits",
+ .data = &mmap_rnd_bits,
+ .maxlen = sizeof(mmap_rnd_bits),
+ .mode = 0600,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = (void *) &mmap_rnd_bits_min,
+ .extra2 = (void *) &mmap_rnd_bits_max,
+ },
+#endif
+#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ {
+ .procname = "mmap_rnd_compat_bits",
+ .data = &mmap_rnd_compat_bits,
+ .maxlen = sizeof(mmap_rnd_compat_bits),
+ .mode = 0600,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = (void *) &mmap_rnd_compat_bits_min,
+ .extra2 = (void *) &mmap_rnd_compat_bits_max,
+ },
+#endif
{ }
};

diff --git a/mm/mmap.c b/mm/mmap.c
index 2ce04a6..fe3816c 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -58,6 +58,18 @@
#define arch_rebalance_pgtables(addr, len) (addr)
#endif

+#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
+const int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
+const int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
+int mmap_rnd_bits __read_mostly = CONFIG_ARCH_MMAP_RND_BITS;
+#endif
+#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
+const int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
+const int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
+int mmap_rnd_compat_bits __read_mostly = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
+#endif
+
+
static void unmap_region(struct mm_struct *mm,
struct vm_area_struct *vma, struct vm_area_struct *prev,
unsigned long start, unsigned long end);
--
2.6.0.rc2.230.g3dd15c0

2015-11-26 23:00:40

by Dan Cashman

[permalink] [raw]
Subject: [PATCH v4 2/4] arm: mm: support ARCH_MMAP_RND_BITS.

arm: arch_mmap_rnd() uses a hard-code value of 8 to generate the
random offset for the mmap base address. This value represents a
compromise between increased ASLR effectiveness and avoiding
address-space fragmentation. Replace it with a Kconfig option, which
is sensibly bounded, so that platform developers may choose where to
place this compromise. Keep 8 as the minimum acceptable value.

Signed-off-by: Daniel Cashman <[email protected]>
---
arch/arm/Kconfig | 10 ++++++++++
arch/arm/mm/mmap.c | 3 +--
2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 0365cbb..ca2e43a 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -35,6 +35,7 @@ config ARM
select HAVE_ARCH_BITREVERSE if (CPU_32v7M || CPU_32v7) && !CPU_32v6
select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL && !CPU_ENDIAN_BE32
select HAVE_ARCH_KGDB if !CPU_ENDIAN_BE32
+ select HAVE_ARCH_MMAP_RND_BITS
select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
select HAVE_ARCH_TRACEHOOK
select HAVE_BPF_JIT
@@ -306,6 +307,15 @@ config MMU
Select if you want MMU-based virtualised addressing space
support by paged memory management. If unsure, say 'Y'.

+config ARCH_MMAP_RND_BITS_MIN
+ default 8
+
+config ARCH_MMAP_RND_BITS_MAX
+ default 14 if MMU && PAGE_OFFSET=0x40000000
+ default 15 if MMU && PAGE_OFFSET=0x80000000
+ default 16 if MMU
+ default 8
+
#
# The "ARM system type" choice list is ordered alphabetically by option
# text. Please add new entries in the option alphabetic order.
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
index 407dc78..c938693 100644
--- a/arch/arm/mm/mmap.c
+++ b/arch/arm/mm/mmap.c
@@ -173,8 +173,7 @@ unsigned long arch_mmap_rnd(void)
{
unsigned long rnd;

- /* 8 bits of randomness in 20 address space bits */
- rnd = (unsigned long)get_random_int() % (1 << 8);
+ rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);

return rnd << PAGE_SHIFT;
}
--
2.6.0.rc2.230.g3dd15c0

2015-11-26 23:00:37

by Dan Cashman

[permalink] [raw]
Subject: [PATCH v4 3/4] arm64: mm: support ARCH_MMAP_RND_BITS.

arm64: arch_mmap_rnd() uses STACK_RND_MASK to generate the
random offset for the mmap base address. This value represents a
compromise between increased ASLR effectiveness and avoiding
address-space fragmentation. Replace it with a Kconfig option, which
is sensibly bounded, so that platform developers may choose where to
place this compromise. Keep default values as new minimums.

Signed-off-by: Daniel Cashman <[email protected]>
---
arch/arm64/Kconfig | 31 +++++++++++++++++++++++++++++++
arch/arm64/mm/mmap.c | 8 ++++++--
2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index e55848c..3f0aed5 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -51,6 +51,8 @@ config ARM64
select HAVE_ARCH_JUMP_LABEL
select HAVE_ARCH_KASAN if SPARSEMEM_VMEMMAP
select HAVE_ARCH_KGDB
+ select HAVE_ARCH_MMAP_RND_BITS
+ select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_TRACEHOOK
select HAVE_BPF_JIT
@@ -104,6 +106,35 @@ config ARCH_PHYS_ADDR_T_64BIT
config MMU
def_bool y

+config ARCH_MMAP_RND_BITS_MIN
+ default 15 if ARM64_64K_PAGES
+ default 17 if ARM64_16K_PAGES
+ default 19
+
+config ARCH_MMAP_RND_BITS_MAX
+ default 19 if ARM64_VA_BITS=36
+ default 20 if ARM64_64K_PAGES && ARM64_VA_BITS=39
+ default 22 if ARM64_16K_PAGES && ARM64_VA_BITS=39
+ default 24 if ARM64_VA_BITS=39
+ default 23 if ARM64_64K_PAGES && ARM64_VA_BITS=42
+ default 25 if ARM64_16K_PAGES && ARM64_VA_BITS=42
+ default 27 if ARM64_VA_BITS=42
+ default 30 if ARM64_VA_BITS=47
+ default 29 if ARM64_64K_PAGES && ARM64_VA_BITS=48
+ default 31 if ARM64_16K_PAGES && ARM64_VA_BITS=48
+ default 33 if ARM64_VA_BITS=48
+ default 15 if ARM64_64K_PAGES
+ default 17 if ARM64_16K_PAGES
+ default 19
+
+config ARCH_MMAP_RND_COMPAT_BITS_MIN
+ default 7 if ARM64_64K_PAGES
+ default 9 if ARM64_16K_PAGES
+ default 11
+
+config ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default 16
+
config NO_IOPORT_MAP
def_bool y if !PCI

diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c
index ed17747..af461b9 100644
--- a/arch/arm64/mm/mmap.c
+++ b/arch/arm64/mm/mmap.c
@@ -51,8 +51,12 @@ unsigned long arch_mmap_rnd(void)
{
unsigned long rnd;

- rnd = (unsigned long)get_random_int() & STACK_RND_MASK;
-
+ifdef CONFIG_COMPAT
+ if (test_thread_flag(TIF_32BIT))
+ rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
+ else
+#endif
+ rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
return rnd << PAGE_SHIFT;
}

--
2.6.0.rc2.230.g3dd15c0

2015-11-26 23:00:44

by Dan Cashman

[permalink] [raw]
Subject: [PATCH v4 4/4] x86: mm: support ARCH_MMAP_RND_BITS.

x86: arch_mmap_rnd() uses hard-coded values, 8 for 32-bit and 28 for
64-bit, to generate the random offset for the mmap base address.
This value represents a compromise between increased ASLR
effectiveness and avoiding address-space fragmentation. Replace it
with a Kconfig option, which is sensibly bounded, so that platform
developers may choose where to place this compromise. Keep default
values as new minimums.

Signed-off-by: Daniel Cashman <[email protected]>
---
arch/x86/Kconfig | 16 ++++++++++++++++
arch/x86/mm/mmap.c | 12 ++++++------
2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index db3622f..12768c4 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -82,6 +82,8 @@ config X86
select HAVE_ARCH_KASAN if X86_64 && SPARSEMEM_VMEMMAP
select HAVE_ARCH_KGDB
select HAVE_ARCH_KMEMCHECK
+ select HAVE_ARCH_MMAP_RND_BITS
+ select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
select HAVE_ARCH_SECCOMP_FILTER
select HAVE_ARCH_SOFT_DIRTY if X86_64
select HAVE_ARCH_TRACEHOOK
@@ -183,6 +185,20 @@ config HAVE_LATENCYTOP_SUPPORT
config MMU
def_bool y

+config ARCH_MMAP_RND_BITS_MIN
+ default 28 if 64BIT
+ default 8
+
+config ARCH_MMAP_RND_BITS_MAX
+ default 32 if 64BIT
+ default 16
+
+config ARCH_MMAP_RND_COMPAT_BITS_MIN
+ default 8
+
+config ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default 16
+
config SBUS
bool

diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 844b06d..647fecf 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -69,14 +69,14 @@ unsigned long arch_mmap_rnd(void)
{
unsigned long rnd;

- /*
- * 8 bits of randomness in 32bit mmaps, 20 address space bits
- * 28 bits of randomness in 64bit mmaps, 40 address space bits
- */
if (mmap_is_ia32())
- rnd = (unsigned long)get_random_int() % (1<<8);
+#ifdef CONFIG_COMPAT
+ rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
+#else
+ rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
+#endif
else
- rnd = (unsigned long)get_random_int() % (1<<28);
+ rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);

return rnd << PAGE_SHIFT;
}
--
2.6.0.rc2.230.g3dd15c0

2015-11-26 23:24:26

by Dan Cashman

[permalink] [raw]
Subject: Re: [PATCH v4 0/4] Allow customizable random offset to mmap_base address.

On 11/26/15 2:59 PM, Daniel Cashman wrote:
> Address Space Layout Randomization (ASLR) provides a barrier to exploitation of user-space processes in the presence of security vulnerabilities by making it more difficult to find desired code/data which could help an attack. This is done by adding a random offset to the location of regions in the process address space, with a greater range of potential offset values corresponding to better protection/a larger search-space for brute force, but also to greater potential for fragmentation.
>
> The offset added to the mmap_base address, which provides the basis for the majority of the mappings for a process, is set once on process exec in arch_pick_mmap_layout() and is done via hard-coded per-arch values, which reflect, hopefully, the best compromise for all systems. The trade-off between increased entropy in the offset value generation and the corresponding increased variability in address space fragmentation is not absolute, however, and some platforms may tolerate higher amounts of entropy. This patch introduces both new Kconfig values and a sysctl interface which may be used to change the amount of entropy used for offset generation on a system.
>
> The direct motivation for this change was in response to the libstagefright vulnerabilities that affected Android, specifically to information provided by Google's project zero at:
>
> http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html
>
> The attack presented therein, by Google's project zero, specifically targeted the limited randomness used to generate the offset added to the mmap_base address in order to craft a brute-force-based attack. Concretely, the attack was against the mediaserver process, which was limited to respawning every 5 seconds, on an arm device. The hard-coded 8 bits used resulted in an average expected success rate of defeating the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a piece). With this patch, and an accompanying increase in the entropy value to 16 bits, the same attack would take an average expected time of over 45 hours (32768 tries), which makes it both less feasible and more likely to be noticed.
>
> The introduced Kconfig and sysctl options are limited by per-arch minimum and maximum values, the minimum of which was chosen to match the current hard-coded value and the maximum of which was chosen so as to give the greatest flexibility without generating an invalid mmap_base address, generally a 3-4 bits less than the number of bits in the user-space accessible virtual address space.
>
> When decided whether or not to change the default value, a system developer should consider that mmap_base address could be placed anywhere up to 2^(value) bits away from the non-randomized location, which would introduce variable-sized areas above and below the mmap_base address such that the maximum vm_area_struct size may be reduced, preventing very large allocations.
>
> Changes in v4:
> [all]
> * changed signed-off to [email protected] from [email protected]
>
> [1/4]
> * mark min/max variables as 'const'
> * mark rnd_bits variables as '__read_mostly'
> * add default option for compat other than min
> * change docs to /proc/sys/vm from /proc/sys/vm
> * change procfs perms to 600
>
> [3/4]
> * added arm64 ifdef COMPAT to avoid compilation error
> * added values for arm64 16k pages
> * changed arm64 config ARCH_VA_BITS to ARM64_VA_BITS
> * added 36 and 47 ARM64_VA_BITS defaults
>
> not (yet) addressed:
> * changing config/procfs value to be page-size agnostic
> * changing makefile to avoid complicated config defaults
> * removing unsupported arm64 page and VA_BITS combos
> * mips, powerpc, s390
>
> dcashman (4):
> mm: mmap: Add new /proc tunable for mmap_base ASLR.
> arm: mm: support ARCH_MMAP_RND_BITS.
> arm64: mm: support ARCH_MMAP_RND_BITS.
> x86: mm: support ARCH_MMAP_RND_BITS.
>
> Documentation/sysctl/vm.txt | 29 +++++++++++++++++++
> arch/Kconfig | 68 +++++++++++++++++++++++++++++++++++++++++++++
> arch/arm/Kconfig | 10 +++++++
> arch/arm/mm/mmap.c | 3 +-
> arch/arm64/Kconfig | 31 +++++++++++++++++++++
> arch/arm64/mm/mmap.c | 8 ++++--
> arch/x86/Kconfig | 16 +++++++++++
> arch/x86/mm/mmap.c | 12 ++++----
> include/linux/mm.h | 11 ++++++++
> kernel/sysctl.c | 22 +++++++++++++++
> mm/mmap.c | 12 ++++++++
> 11 files changed, 212 insertions(+), 10 deletions(-)

A disclaimer: I posted this quickly to address breakage in linux-next
for arm64 w/out COMPAT, but won't be able to test until Monday.

Thank You,
Dan

2015-11-30 23:54:15

by Andrew Morton

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Thu, 26 Nov 2015 14:59:42 -0800 Daniel Cashman <[email protected]> wrote:

> ASLR only uses as few as 8 bits to generate the random offset for the
> mmap base address on 32 bit architectures. This value was chosen to
> prevent a poorly chosen value from dividing the address space in such
> a way as to prevent large allocations. This may not be an issue on all
> platforms. Allow the specification of a minimum number of bits so that
> platforms desiring greater ASLR protection may determine where to place
> the trade-off.
>
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
> .mode = 0644,
> .proc_handler = proc_doulongvec_minmax,
> },
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> + {
> + .procname = "mmap_rnd_bits",
> + .data = &mmap_rnd_bits,
> + .maxlen = sizeof(mmap_rnd_bits),
> + .mode = 0600,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = (void *) &mmap_rnd_bits_min,
> + .extra2 = (void *) &mmap_rnd_bits_max,

hm, why the typecasts? They're unneeded and are omitted everywhere(?)
else in kernel/sysctl.c.

2015-12-01 00:01:21

by Andrew Morton

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Mon, 30 Nov 2015 15:54:12 -0800 Andrew Morton <[email protected]> wrote:

> On Thu, 26 Nov 2015 14:59:42 -0800 Daniel Cashman <[email protected]> wrote:
>
> > ASLR only uses as few as 8 bits to generate the random offset for the
> > mmap base address on 32 bit architectures. This value was chosen to
> > prevent a poorly chosen value from dividing the address space in such
> > a way as to prevent large allocations. This may not be an issue on all
> > platforms. Allow the specification of a minimum number of bits so that
> > platforms desiring greater ASLR protection may determine where to place
> > the trade-off.
> >
> > --- a/kernel/sysctl.c
> > +++ b/kernel/sysctl.c
> > @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
> > .mode = 0644,
> > .proc_handler = proc_doulongvec_minmax,
> > },
> > +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> > + {
> > + .procname = "mmap_rnd_bits",
> > + .data = &mmap_rnd_bits,
> > + .maxlen = sizeof(mmap_rnd_bits),
> > + .mode = 0600,
> > + .proc_handler = proc_dointvec_minmax,
> > + .extra1 = (void *) &mmap_rnd_bits_min,
> > + .extra2 = (void *) &mmap_rnd_bits_max,
>
> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
> else in kernel/sysctl.c.
>

Oh. Casting away constness.

What's the thinking here? They can change at any time so they aren't
const so we shouldn't declare them to be const?

2015-12-01 00:03:22

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v4 4/4] x86: mm: support ARCH_MMAP_RND_BITS.

On Thu, Nov 26, 2015 at 2:59 PM, Daniel Cashman <[email protected]> wrote:
> x86: arch_mmap_rnd() uses hard-coded values, 8 for 32-bit and 28 for
> 64-bit, to generate the random offset for the mmap base address.
> This value represents a compromise between increased ASLR
> effectiveness and avoiding address-space fragmentation. Replace it
> with a Kconfig option, which is sensibly bounded, so that platform
> developers may choose where to place this compromise. Keep default
> values as new minimums.
>
> Signed-off-by: Daniel Cashman <[email protected]>
> ---
> arch/x86/Kconfig | 16 ++++++++++++++++
> arch/x86/mm/mmap.c | 12 ++++++------
> 2 files changed, 22 insertions(+), 6 deletions(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index db3622f..12768c4 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -82,6 +82,8 @@ config X86
> select HAVE_ARCH_KASAN if X86_64 && SPARSEMEM_VMEMMAP
> select HAVE_ARCH_KGDB
> select HAVE_ARCH_KMEMCHECK
> + select HAVE_ARCH_MMAP_RND_BITS
> + select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
> select HAVE_ARCH_SECCOMP_FILTER
> select HAVE_ARCH_SOFT_DIRTY if X86_64
> select HAVE_ARCH_TRACEHOOK
> @@ -183,6 +185,20 @@ config HAVE_LATENCYTOP_SUPPORT
> config MMU
> def_bool y
>
> +config ARCH_MMAP_RND_BITS_MIN
> + default 28 if 64BIT
> + default 8
> +
> +config ARCH_MMAP_RND_BITS_MAX
> + default 32 if 64BIT
> + default 16
> +
> +config ARCH_MMAP_RND_COMPAT_BITS_MIN
> + default 8
> +
> +config ARCH_MMAP_RND_COMPAT_BITS_MAX
> + default 16
> +
> config SBUS
> bool
>
> diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
> index 844b06d..647fecf 100644
> --- a/arch/x86/mm/mmap.c
> +++ b/arch/x86/mm/mmap.c
> @@ -69,14 +69,14 @@ unsigned long arch_mmap_rnd(void)
> {
> unsigned long rnd;
>
> - /*
> - * 8 bits of randomness in 32bit mmaps, 20 address space bits
> - * 28 bits of randomness in 64bit mmaps, 40 address space bits
> - */
> if (mmap_is_ia32())
> - rnd = (unsigned long)get_random_int() % (1<<8);
> +#ifdef CONFIG_COMPAT
> + rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
> +#else
> + rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
> +#endif
> else
> - rnd = (unsigned long)get_random_int() % (1<<28);
> + rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>
> return rnd << PAGE_SHIFT;
> }
> --
> 2.6.0.rc2.230.g3dd15c0
>

Can you rework this logic to look more like the arm64 one? I think
it's more readable as:

#ifdef CONFIG_COMPAT
if (mmap_is_ia32())
rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
else
#endif
rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);

-Kees

--
Kees Cook
Chrome OS & Brillo Security

2015-12-01 00:04:40

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Mon, Nov 30, 2015 at 4:01 PM, Andrew Morton
<[email protected]> wrote:
> On Mon, 30 Nov 2015 15:54:12 -0800 Andrew Morton <[email protected]> wrote:
>
>> On Thu, 26 Nov 2015 14:59:42 -0800 Daniel Cashman <[email protected]> wrote:
>>
>> > ASLR only uses as few as 8 bits to generate the random offset for the
>> > mmap base address on 32 bit architectures. This value was chosen to
>> > prevent a poorly chosen value from dividing the address space in such
>> > a way as to prevent large allocations. This may not be an issue on all
>> > platforms. Allow the specification of a minimum number of bits so that
>> > platforms desiring greater ASLR protection may determine where to place
>> > the trade-off.
>> >
>> > --- a/kernel/sysctl.c
>> > +++ b/kernel/sysctl.c
>> > @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
>> > .mode = 0644,
>> > .proc_handler = proc_doulongvec_minmax,
>> > },
>> > +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> > + {
>> > + .procname = "mmap_rnd_bits",
>> > + .data = &mmap_rnd_bits,
>> > + .maxlen = sizeof(mmap_rnd_bits),
>> > + .mode = 0600,
>> > + .proc_handler = proc_dointvec_minmax,
>> > + .extra1 = (void *) &mmap_rnd_bits_min,
>> > + .extra2 = (void *) &mmap_rnd_bits_max,
>>
>> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
>> else in kernel/sysctl.c.
>
> Oh. Casting away constness.
>
> What's the thinking here? They can change at any time so they aren't
> const so we shouldn't declare them to be const?

The _min and _max values shouldn't be changing: they're decided based
on the various CONFIG options that calculate the valid min/maxes. Only
mmap_rnd_bits itself should be changing.

-Kees

--
Kees Cook
Chrome OS & Brillo Security

2015-12-01 00:05:34

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Thu, Nov 26, 2015 at 2:59 PM, Daniel Cashman <[email protected]> wrote:
> ASLR only uses as few as 8 bits to generate the random offset for the
> mmap base address on 32 bit architectures. This value was chosen to
> prevent a poorly chosen value from dividing the address space in such
> a way as to prevent large allocations. This may not be an issue on all
> platforms. Allow the specification of a minimum number of bits so that
> platforms desiring greater ASLR protection may determine where to place
> the trade-off.
>
> Signed-off-by: Daniel Cashman <[email protected]>

This looks good! Thanks for suffering through the many revision requests. :)

Acked-by: Kees Cook <[email protected]>

-Kees

> ---
> Documentation/sysctl/vm.txt | 29 +++++++++++++++++++
> arch/Kconfig | 68 +++++++++++++++++++++++++++++++++++++++++++++
> include/linux/mm.h | 11 ++++++++
> kernel/sysctl.c | 22 +++++++++++++++
> mm/mmap.c | 12 ++++++++
> 5 files changed, 142 insertions(+)
>
> diff --git a/Documentation/sysctl/vm.txt b/Documentation/sysctl/vm.txt
> index f72370b..ee763f3 100644
> --- a/Documentation/sysctl/vm.txt
> +++ b/Documentation/sysctl/vm.txt
> @@ -42,6 +42,8 @@ Currently, these files are in /proc/sys/vm:
> - min_slab_ratio
> - min_unmapped_ratio
> - mmap_min_addr
> +- mmap_rnd_bits
> +- mmap_rnd_compat_bits
> - nr_hugepages
> - nr_overcommit_hugepages
> - nr_trim_pages (only if CONFIG_MMU=n)
> @@ -485,6 +487,33 @@ against future potential kernel bugs.
>
> ==============================================================
>
> +mmap_rnd_bits:
> +
> +This value can be used to select the number of bits to use to
> +determine the random offset to the base address of vma regions
> +resulting from mmap allocations on architectures which support
> +tuning address space randomization. This value will be bounded
> +by the architecture's minimum and maximum supported values.
> +
> +This value can be changed after boot using the
> +/proc/sys/vm/mmap_rnd_bits tunable
> +
> +==============================================================
> +
> +mmap_rnd_compat_bits:
> +
> +This value can be used to select the number of bits to use to
> +determine the random offset to the base address of vma regions
> +resulting from mmap allocations for applications run in
> +compatibility mode on architectures which support tuning address
> +space randomization. This value will be bounded by the
> +architecture's minimum and maximum supported values.
> +
> +This value can be changed after boot using the
> +/proc/sys/vm/mmap_rnd_compat_bits tunable
> +
> +==============================================================
> +
> nr_hugepages
>
> Change the minimum size of the hugepage pool.
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 4e949e5..237f1c5 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -511,6 +511,74 @@ config ARCH_HAS_ELF_RANDOMIZE
> - arch_mmap_rnd()
> - arch_randomize_brk()
>
> +config HAVE_ARCH_MMAP_RND_BITS
> + bool
> + help
> + An arch should select this symbol if it supports setting a variable
> + number of bits for use in establishing the base address for mmap
> + allocations and provides values for both:
> + - ARCH_MMAP_RND_BITS_MIN
> + - ARCH_MMAP_RND_BITS_MAX
> +
> +config ARCH_MMAP_RND_BITS_MIN
> + int
> +
> +config ARCH_MMAP_RND_BITS_MAX
> + int
> +
> +config ARCH_MMAP_RND_BITS_DEFAULT
> + int
> +
> +config ARCH_MMAP_RND_BITS
> + int "Number of bits to use for ASLR of mmap base address" if EXPERT
> + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
> + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
> + default ARCH_MMAP_RND_BITS_MIN
> + depends on HAVE_ARCH_MMAP_RND_BITS
> + help
> + This value can be used to select the number of bits to use to
> + determine the random offset to the base address of vma regions
> + resulting from mmap allocations. This value will be bounded
> + by the architecture's minimum and maximum supported values.
> +
> + This value can be changed after boot using the
> + /proc/sys/vm/mmap_rnd_bits tunable
> +
> +config HAVE_ARCH_MMAP_RND_COMPAT_BITS
> + bool
> + help
> + An arch should select this symbol if it supports running applications
> + in compatibility mode, supports setting a variable number of bits for
> + use in establishing the base address for mmap allocations, and
> + provides values for both:
> + - ARCH_MMAP_RND_COMPAT_BITS_MIN
> + - ARCH_MMAP_RND_COMPAT_BITS_MAX
> +
> +config ARCH_MMAP_RND_COMPAT_BITS_MIN
> + int
> +
> +config ARCH_MMAP_RND_COMPAT_BITS_MAX
> + int
> +
> +config ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
> + int
> +
> +config ARCH_MMAP_RND_COMPAT_BITS
> + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
> + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
> + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
> + default ARCH_MMAP_RND_COMPAT_BITS_MIN
> + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
> + help
> + This value can be used to select the number of bits to use to
> + determine the random offset to the base address of vma regions
> + resulting from mmap allocations for compatible applications This
> + value will be bounded by the architecture's minimum and maximum
> + supported values.
> +
> + This value can be changed after boot using the
> + /proc/sys/vm/mmap_rnd_compat_bits tunable
> +
> config HAVE_COPY_THREAD_TLS
> bool
> help
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 00bad77..6f6dd6e 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -51,6 +51,17 @@ extern int sysctl_legacy_va_layout;
> #define sysctl_legacy_va_layout 0
> #endif
>
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> +extern const int mmap_rnd_bits_min;
> +extern const int mmap_rnd_bits_max;
> +extern int mmap_rnd_bits __read_mostly;
> +#endif
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
> +extern const int mmap_rnd_compat_bits_min;
> +extern const int mmap_rnd_compat_bits_max;
> +extern int mmap_rnd_compat_bits __read_mostly;
> +#endif
> +
> #include <asm/page.h>
> #include <asm/pgtable.h>
> #include <asm/processor.h>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index dc6858d..a9db0cf 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
> .mode = 0644,
> .proc_handler = proc_doulongvec_minmax,
> },
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> + {
> + .procname = "mmap_rnd_bits",
> + .data = &mmap_rnd_bits,
> + .maxlen = sizeof(mmap_rnd_bits),
> + .mode = 0600,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = (void *) &mmap_rnd_bits_min,
> + .extra2 = (void *) &mmap_rnd_bits_max,
> + },
> +#endif
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
> + {
> + .procname = "mmap_rnd_compat_bits",
> + .data = &mmap_rnd_compat_bits,
> + .maxlen = sizeof(mmap_rnd_compat_bits),
> + .mode = 0600,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = (void *) &mmap_rnd_compat_bits_min,
> + .extra2 = (void *) &mmap_rnd_compat_bits_max,
> + },
> +#endif
> { }
> };
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 2ce04a6..fe3816c 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -58,6 +58,18 @@
> #define arch_rebalance_pgtables(addr, len) (addr)
> #endif
>
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> +const int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
> +const int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
> +int mmap_rnd_bits __read_mostly = CONFIG_ARCH_MMAP_RND_BITS;
> +#endif
> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
> +const int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
> +const int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
> +int mmap_rnd_compat_bits __read_mostly = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
> +#endif
> +
> +
> static void unmap_region(struct mm_struct *mm,
> struct vm_area_struct *vma, struct vm_area_struct *prev,
> unsigned long start, unsigned long end);
> --
> 2.6.0.rc2.230.g3dd15c0
>



--
Kees Cook
Chrome OS & Brillo Security

2015-12-01 00:18:15

by Andrew Morton

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Mon, 30 Nov 2015 16:04:36 -0800 Kees Cook <[email protected]> wrote:

> >> > +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> >> > + {
> >> > + .procname = "mmap_rnd_bits",
> >> > + .data = &mmap_rnd_bits,
> >> > + .maxlen = sizeof(mmap_rnd_bits),
> >> > + .mode = 0600,
> >> > + .proc_handler = proc_dointvec_minmax,
> >> > + .extra1 = (void *) &mmap_rnd_bits_min,
> >> > + .extra2 = (void *) &mmap_rnd_bits_max,
> >>
> >> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
> >> else in kernel/sysctl.c.
> >
> > Oh. Casting away constness.
> >
> > What's the thinking here? They can change at any time so they aren't
> > const so we shouldn't declare them to be const?
>
> The _min and _max values shouldn't be changing: they're decided based
> on the various CONFIG options that calculate the valid min/maxes. Only
> mmap_rnd_bits itself should be changing.

hmpf.

From: Andrew Morton <[email protected]>
Subject: include/linux/sysctl.h: make ctl_table.extra1/2 const

Nothing should be altering these values. Declare the pointed-to values to
be const so we can actually use const values.

Cc: Kees Cook <[email protected]>
Cc: Daniel Cashman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
---

include/linux/sysctl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff -puN include/linux/sysctl.h~a include/linux/sysctl.h
--- a/include/linux/sysctl.h~a
+++ a/include/linux/sysctl.h
@@ -111,8 +111,8 @@ struct ctl_table
struct ctl_table *child; /* Deprecated */
proc_handler *proc_handler; /* Callback for text formatting */
struct ctl_table_poll *poll;
- void *extra1;
- void *extra2;
+ const void *extra1;
+ const void *extra2;
};

struct ctl_node {
diff -puN kernel/sysctl.c~a kernel/sysctl.c
_

2015-12-01 00:48:09

by Dan Cashman

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On 11/30/15 4:18 PM, Andrew Morton wrote:
> On Mon, 30 Nov 2015 16:04:36 -0800 Kees Cook <[email protected]> wrote:
>
>>>>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>>>>> + {
>>>>> + .procname = "mmap_rnd_bits",
>>>>> + .data = &mmap_rnd_bits,
>>>>> + .maxlen = sizeof(mmap_rnd_bits),
>>>>> + .mode = 0600,
>>>>> + .proc_handler = proc_dointvec_minmax,
>>>>> + .extra1 = (void *) &mmap_rnd_bits_min,
>>>>> + .extra2 = (void *) &mmap_rnd_bits_max,
>>>>
>>>> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
>>>> else in kernel/sysctl.c.
>>>
>>> Oh. Casting away constness.
>>>
>>> What's the thinking here? They can change at any time so they aren't
>>> const so we shouldn't declare them to be const?
>>
>> The _min and _max values shouldn't be changing: they're decided based
>> on the various CONFIG options that calculate the valid min/maxes. Only
>> mmap_rnd_bits itself should be changing.
>
> hmpf.
>
> From: Andrew Morton <[email protected]>
> Subject: include/linux/sysctl.h: make ctl_table.extra1/2 const
>
> Nothing should be altering these values. Declare the pointed-to values to
> be const so we can actually use const values.
>
> Cc: Kees Cook <[email protected]>
> Cc: Daniel Cashman <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> ---
>
> include/linux/sysctl.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff -puN include/linux/sysctl.h~a include/linux/sysctl.h
> --- a/include/linux/sysctl.h~a
> +++ a/include/linux/sysctl.h
> @@ -111,8 +111,8 @@ struct ctl_table
> struct ctl_table *child; /* Deprecated */
> proc_handler *proc_handler; /* Callback for text formatting */
> struct ctl_table_poll *poll;
> - void *extra1;
> - void *extra2;
> + const void *extra1;
> + const void *extra2;
> };
>
> struct ctl_node {
> diff -puN kernel/sysctl.c~a kernel/sysctl.c
> _

This looks good to me, thanks! I hadn't gone through all of the uses of
extra1 and extra2, nor did I think the change herein was conceptually a
part of mine, so I casted-away in order to indicate intent, while
leaving the change here as a possibility if ctl_table could be altered
for all use-cases.

Thank You,
Dan

2015-12-01 01:06:52

by Eric W. Biederman

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

Andrew Morton <[email protected]> writes:

> On Mon, 30 Nov 2015 16:04:36 -0800 Kees Cook <[email protected]> wrote:
>
>> >> > +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> >> > + {
>> >> > + .procname = "mmap_rnd_bits",
>> >> > + .data = &mmap_rnd_bits,
>> >> > + .maxlen = sizeof(mmap_rnd_bits),
>> >> > + .mode = 0600,
>> >> > + .proc_handler = proc_dointvec_minmax,
>> >> > + .extra1 = (void *) &mmap_rnd_bits_min,
>> >> > + .extra2 = (void *) &mmap_rnd_bits_max,
>> >>
>> >> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
>> >> else in kernel/sysctl.c.
>> >
>> > Oh. Casting away constness.
>> >
>> > What's the thinking here? They can change at any time so they aren't
>> > const so we shouldn't declare them to be const?
>>
>> The _min and _max values shouldn't be changing: they're decided based
>> on the various CONFIG options that calculate the valid min/maxes. Only
>> mmap_rnd_bits itself should be changing.
>
> hmpf.
>
> From: Andrew Morton <[email protected]>
> Subject: include/linux/sysctl.h: make ctl_table.extra1/2 const
>
> Nothing should be altering these values. Declare the pointed-to values to
> be const so we can actually use const values.

No large objects except we do seem to have values that are stashed
in extra1 that are cast to non-const types.

Any chance you will do the work to hunt all of those down and modify
the casts to preserve const or to remove the casts entirely?

Eric


> Cc: Kees Cook <[email protected]>
> Cc: Daniel Cashman <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> ---
>
> include/linux/sysctl.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff -puN include/linux/sysctl.h~a include/linux/sysctl.h
> --- a/include/linux/sysctl.h~a
> +++ a/include/linux/sysctl.h
> @@ -111,8 +111,8 @@ struct ctl_table
> struct ctl_table *child; /* Deprecated */
> proc_handler *proc_handler; /* Callback for text formatting */
> struct ctl_table_poll *poll;
> - void *extra1;
> - void *extra2;
> + const void *extra1;
> + const void *extra2;
> };
>
> struct ctl_node {
> diff -puN kernel/sysctl.c~a kernel/sysctl.c
> _

2015-12-01 01:00:38

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Mon, Nov 30, 2015 at 4:18 PM, Andrew Morton
<[email protected]> wrote:
> On Mon, 30 Nov 2015 16:04:36 -0800 Kees Cook <[email protected]> wrote:
>
>> >> > +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> >> > + {
>> >> > + .procname = "mmap_rnd_bits",
>> >> > + .data = &mmap_rnd_bits,
>> >> > + .maxlen = sizeof(mmap_rnd_bits),
>> >> > + .mode = 0600,
>> >> > + .proc_handler = proc_dointvec_minmax,
>> >> > + .extra1 = (void *) &mmap_rnd_bits_min,
>> >> > + .extra2 = (void *) &mmap_rnd_bits_max,
>> >>
>> >> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
>> >> else in kernel/sysctl.c.
>> >
>> > Oh. Casting away constness.
>> >
>> > What's the thinking here? They can change at any time so they aren't
>> > const so we shouldn't declare them to be const?
>>
>> The _min and _max values shouldn't be changing: they're decided based
>> on the various CONFIG options that calculate the valid min/maxes. Only
>> mmap_rnd_bits itself should be changing.
>
> hmpf.
>
> From: Andrew Morton <[email protected]>
> Subject: include/linux/sysctl.h: make ctl_table.extra1/2 const
>
> Nothing should be altering these values. Declare the pointed-to values to
> be const so we can actually use const values.
>
> Cc: Kees Cook <[email protected]>
> Cc: Daniel Cashman <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> ---
>
> include/linux/sysctl.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff -puN include/linux/sysctl.h~a include/linux/sysctl.h
> --- a/include/linux/sysctl.h~a
> +++ a/include/linux/sysctl.h
> @@ -111,8 +111,8 @@ struct ctl_table
> struct ctl_table *child; /* Deprecated */
> proc_handler *proc_handler; /* Callback for text formatting */
> struct ctl_table_poll *poll;
> - void *extra1;
> - void *extra2;
> + const void *extra1;
> + const void *extra2;
> };
>
> struct ctl_node {
> diff -puN kernel/sysctl.c~a kernel/sysctl.c
> _
>

If allyesconfig builds with this, I'm all for it. :)

-Kees

--
Kees Cook
Chrome OS & Brillo Security

2015-12-01 18:19:38

by Dan Cashman

[permalink] [raw]
Subject: Re: [PATCH v4 4/4] x86: mm: support ARCH_MMAP_RND_BITS.

On 11/30/2015 04:03 PM, Kees Cook wrote:
> On Thu, Nov 26, 2015 at 2:59 PM, Daniel Cashman <[email protected]> wrote:
>> diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
>> index 844b06d..647fecf 100644
>> --- a/arch/x86/mm/mmap.c
>> +++ b/arch/x86/mm/mmap.c
>> @@ -69,14 +69,14 @@ unsigned long arch_mmap_rnd(void)
>> {
>> unsigned long rnd;
>>
>> - /*
>> - * 8 bits of randomness in 32bit mmaps, 20 address space bits
>> - * 28 bits of randomness in 64bit mmaps, 40 address space bits
>> - */
>> if (mmap_is_ia32())
>> - rnd = (unsigned long)get_random_int() % (1<<8);
>> +#ifdef CONFIG_COMPAT
>> + rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
>> +#else
>> + rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>> +#endif
>> else
>> - rnd = (unsigned long)get_random_int() % (1<<28);
>> + rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>>
>> return rnd << PAGE_SHIFT;
>> }
>> --
>> 2.6.0.rc2.230.g3dd15c0
>>
>
> Can you rework this logic to look more like the arm64 one? I think
> it's more readable as:
>
> #ifdef CONFIG_COMPAT
> if (mmap_is_ia32())
> rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
> else
> #endif
> rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>
> -Kees
>

There is a subtle difference between the two that requires this
difference. the x86 code was written to be used by both 32-bit and
64-bit kernels, whereas the arm64 code runs only for 64-bit. The
assumption I've made with arm64 is that TIF_32BIT should never be set if
CONFIG_COMPAT is not set, but with x86 we could encounter a 32-bit
application without CONFIG_COMPAT, in which case it should use the
default mmap_rnd_bits, not compat, since there is no compat.

-Dan

2015-12-01 22:09:42

by Andrew Morton

[permalink] [raw]
Subject: Re: [PATCH v4 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

On Mon, 30 Nov 2015 18:55:23 -0600 [email protected] (Eric W. Biederman) wrote:

> Andrew Morton <[email protected]> writes:
>
> > On Mon, 30 Nov 2015 16:04:36 -0800 Kees Cook <[email protected]> wrote:
> >
> >> >> > +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
> >> >> > + {
> >> >> > + .procname = "mmap_rnd_bits",
> >> >> > + .data = &mmap_rnd_bits,
> >> >> > + .maxlen = sizeof(mmap_rnd_bits),
> >> >> > + .mode = 0600,
> >> >> > + .proc_handler = proc_dointvec_minmax,
> >> >> > + .extra1 = (void *) &mmap_rnd_bits_min,
> >> >> > + .extra2 = (void *) &mmap_rnd_bits_max,
> >> >>
> >> >> hm, why the typecasts? They're unneeded and are omitted everywhere(?)
> >> >> else in kernel/sysctl.c.
> >> >
> >> > Oh. Casting away constness.
> >> >
> >> > What's the thinking here? They can change at any time so they aren't
> >> > const so we shouldn't declare them to be const?
> >>
> >> The _min and _max values shouldn't be changing: they're decided based
> >> on the various CONFIG options that calculate the valid min/maxes. Only
> >> mmap_rnd_bits itself should be changing.
> >
> > hmpf.
> >
> > From: Andrew Morton <[email protected]>
> > Subject: include/linux/sysctl.h: make ctl_table.extra1/2 const
> >
> > Nothing should be altering these values. Declare the pointed-to values to
> > be const so we can actually use const values.
>
> No large objects except we do seem to have values that are stashed
> in extra1 that are cast to non-const types.
>
> Any chance you will do the work to hunt all of those down and modify
> the casts to preserve const or to remove the casts entirely?

Below. Most of it, anyway.

net is doing weird stuff, stashing very-much-non-const things into
extra1 and extra2. I don't see much point in sprinkling casts
everywhere to conceal this (ab)use. extra1 and extra2 clearly aren't
const, so I think I'll give up and sulk.


drivers/parport/procfs.c | 4 ++--
net/core/neighbour.c | 6 +++---
net/decnet/dn_dev.c | 2 +-
net/ipv4/devinet.c | 10 +++++-----
net/ipv6/addrconf.c | 12 +++++++-----
net/ipv6/ndisc.c | 2 +-
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
7 files changed, 20 insertions(+), 18 deletions(-)

diff -puN net/core/neighbour.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix net/core/neighbour.c
--- a/net/core/neighbour.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/net/core/neighbour.c
@@ -2915,8 +2915,8 @@ static void neigh_copy_dflt_parms(struct

static void neigh_proc_update(struct ctl_table *ctl, int write)
{
- struct net_device *dev = ctl->extra1;
- struct neigh_parms *p = ctl->extra2;
+ struct net_device *dev = (void *)ctl->extra1;
+ struct neigh_parms *p = (void *)ctl->extra2;
struct net *net = neigh_parms_net(p);
int index = (int *) ctl->data - p->data;

@@ -2999,7 +2999,7 @@ static int neigh_proc_base_reachable_tim
void __user *buffer,
size_t *lenp, loff_t *ppos)
{
- struct neigh_parms *p = ctl->extra2;
+ struct neigh_parms *p = (void *)ctl->extra2;
int ret;

if (strcmp(ctl->procname, "base_reachable_time") == 0)
diff -puN net/decnet/dn_dev.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix net/decnet/dn_dev.c
--- a/net/decnet/dn_dev.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/net/decnet/dn_dev.c
@@ -248,7 +248,7 @@ static int dn_forwarding_proc(struct ctl
size_t *lenp, loff_t *ppos)
{
#ifdef CONFIG_DECNET_ROUTER
- struct net_device *dev = table->extra1;
+ struct net_device *dev = (void *)table->extra1;
struct dn_dev *dn_db;
int err;
int tmp, old;
diff -puN net/ipv4/devinet.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix net/ipv4/devinet.c
--- a/net/ipv4/devinet.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/net/ipv4/devinet.c
@@ -2030,8 +2030,8 @@ static int devinet_conf_proc(struct ctl_
int new_value = *(int *)ctl->data;

if (write) {
- struct ipv4_devconf *cnf = ctl->extra1;
- struct net *net = ctl->extra2;
+ struct ipv4_devconf *cnf = (void *)ctl->extra1;
+ struct net *net = (void *)ctl->extra2;
int i = (int *)ctl->data - cnf->data;
int ifindex;

@@ -2077,7 +2077,7 @@ static int devinet_sysctl_forward(struct
int ret = proc_dointvec(ctl, write, buffer, lenp, ppos);

if (write && *valp != val) {
- struct net *net = ctl->extra2;
+ struct net *net = (void *)ctl->extra2;

if (valp != &IPV4_DEVCONF_DFLT(net, FORWARDING)) {
if (!rtnl_trylock()) {
@@ -2089,7 +2089,7 @@ static int devinet_sysctl_forward(struct
if (valp == &IPV4_DEVCONF_ALL(net, FORWARDING)) {
inet_forward_change(net);
} else {
- struct ipv4_devconf *cnf = ctl->extra1;
+ struct ipv4_devconf *cnf = (void *)ctl->extra1;
struct in_device *idev =
container_of(cnf, struct in_device, cnf);
if (*valp)
@@ -2117,7 +2117,7 @@ static int ipv4_doint_and_flush(struct c
int *valp = ctl->data;
int val = *valp;
int ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
- struct net *net = ctl->extra2;
+ struct net *net = (void *)ctl->extra2;

if (write && *valp != val)
rt_cache_flush(net);
diff -puN net/ipv6/addrconf.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix net/ipv6/addrconf.c
--- a/net/ipv6/addrconf.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/net/ipv6/addrconf.c
@@ -5203,7 +5203,7 @@ static
int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
- struct inet6_dev *idev = ctl->extra1;
+ const struct inet6_dev *idev = ctl->extra1;
int min_mtu = IPV6_MIN_MTU;
struct ctl_table lctl;

@@ -5312,7 +5312,7 @@ int addrconf_sysctl_proxy_ndp(struct ctl
new = *valp;

if (write && old != new) {
- struct net *net = ctl->extra2;
+ struct net *net = (struct net *)ctl->extra2;

if (!rtnl_trylock())
return restart_syscall();
@@ -5326,8 +5326,9 @@ int addrconf_sysctl_proxy_ndp(struct ctl
NETCONFA_IFINDEX_ALL,
net->ipv6.devconf_all);
else {
- struct inet6_dev *idev = ctl->extra1;
+ struct inet6_dev *idev;

+ idev = (struct inet6_dev *)ctl->extra1;
inet6_netconf_notify_devconf(net, NETCONFA_PROXY_NEIGH,
idev->dev->ifindex,
&idev->cnf);
@@ -5346,7 +5347,7 @@ static int addrconf_sysctl_stable_secret
struct in6_addr addr;
char str[IPV6_MAX_STRLEN];
struct ctl_table lctl = *ctl;
- struct net *net = ctl->extra2;
+ const struct net *net = ctl->extra2;
struct ipv6_stable_secret *secret = ctl->data;

if (&net->ipv6.devconf_all->stable_secret == ctl->data)
@@ -5396,8 +5397,9 @@ static int addrconf_sysctl_stable_secret
}
}
} else {
- struct inet6_dev *idev = ctl->extra1;
+ struct inet6_dev *idev;

+ idev = (struct inet6_dev *)ctl->extra1;
idev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
}

diff -puN net/ipv6/ndisc.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix net/ipv6/ndisc.c
--- a/net/ipv6/ndisc.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/net/ipv6/ndisc.c
@@ -1738,7 +1738,7 @@ static void ndisc_warn_deprecated_sysctl

int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos)
{
- struct net_device *dev = ctl->extra1;
+ const struct net_device *dev = ctl->extra1;
struct inet6_dev *idev;
int ret;

diff -puN net/netfilter/ipvs/ip_vs_ctl.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix net/netfilter/ipvs/ip_vs_ctl.c
--- a/net/netfilter/ipvs/ip_vs_ctl.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1608,7 +1608,7 @@ static int
proc_do_defense_mode(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
- struct netns_ipvs *ipvs = table->extra2;
+ struct netns_ipvs *ipvs = (void *)table->extra2;
int *valp = table->data;
int val = *valp;
int rc;
diff -puN drivers/parport/procfs.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix drivers/parport/procfs.c
--- a/drivers/parport/procfs.c~include-linux-sysctlh-make-ctl_tableextra1-2-const-fix
+++ a/drivers/parport/procfs.c
@@ -35,7 +35,7 @@
static int do_active_device(struct ctl_table *table, int write,
void __user *result, size_t *lenp, loff_t *ppos)
{
- struct parport *port = (struct parport *)table->extra1;
+ const struct parport *port = table->extra1;
char buffer[256];
struct pardevice *dev;
int len = 0;
@@ -72,7 +72,7 @@ static int do_active_device(struct ctl_t
static int do_autoprobe(struct ctl_table *table, int write,
void __user *result, size_t *lenp, loff_t *ppos)
{
- struct parport_device_info *info = table->extra2;
+ const struct parport_device_info *info = table->extra2;
const char *str;
char buffer[256];
int len = 0;
_