Received: by 10.223.185.116 with SMTP id b49csp6586349wrg; Wed, 28 Feb 2018 11:56:18 -0800 (PST) X-Google-Smtp-Source: AH8x224+EMpN0HBQ87nbWpZQK/Wo/NMq/qu6J946O8WoO2dtsNBSTDtLH43/KkITtogXO2luxTOX X-Received: by 10.98.253.17 with SMTP id p17mr18879025pfh.105.1519847778590; Wed, 28 Feb 2018 11:56:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519847778; cv=none; d=google.com; s=arc-20160816; b=jOculuOE4DSBu+tSAu5mPoRjeKgeE+ppIIx6QN0DTxE7QnZE68pIXMz+SbzmwI0Shd vQhk2I8BgO2o7RwriD0acrjFsTqTcpKURuBmACp4RdnaPbeboyzuBycESdJJMtox4mPy dLzS4onqrZGnIoaUe6sHbCn3tAp5KJSSFp6t6nVJOSpR3HY+uj+gJhwbm6kLzmZ3glmt iBYy4PCL02vtOhXeAulUkKcb8ttuU4T+wkuYTcazPgXU2RiKxoCd7AEwOZrr1m3tpkFF U54DQvUSmIVz0/j1fLxs4PKnCIFkUPO3TaN+7jLYdxaDxJjo29GnFdZwOAbsx0QKESFK HAYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dkim-signature:dkim-signature:arc-authentication-results; bh=8nuzetamnbDVzWdUqCnlwpKPojsVJmWt4zMEvyOeGZ8=; b=BoyeRkJuPiQBFYPqIStV7DysLGUzTZouWZZJFPApBm+ntbu4GbL526nuIMHbVfwwGL EgoFjkQXC42wNBdr3/DZJlTQcTVAvz22GUmIUUaQepWDMHxTZ/tFDkKuRK40aXCdXLPm djRdsGwsAPWdZfmg+cQ17MqEyoflmlw8XB1tJZ/hOYotTU0VOgdxWfqDLYzJUgvfEI6T i35baZVfPvYrPnh65zE308+ef+aY6UIK3OSu8tKJAkbHG0qmca2tCEd2pfqDyfFvL35T YOzsefH8SSx2nzpfEX1WFULxI7v1kVwwT49IpROigjrjFzt7fiCOa91PG4fYLgtcOdNC G/0g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=TKyB7lOw; dkim=fail header.i=@chromium.org header.s=google header.b=hhLx0wvF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 70-v6si1742783ple.465.2018.02.28.11.56.03; Wed, 28 Feb 2018 11:56:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=TKyB7lOw; dkim=fail header.i=@chromium.org header.s=google header.b=hhLx0wvF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934023AbeB1Tyf (ORCPT + 99 others); Wed, 28 Feb 2018 14:54:35 -0500 Received: from mail-vk0-f68.google.com ([209.85.213.68]:45164 "EHLO mail-vk0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933687AbeB1Tyd (ORCPT ); Wed, 28 Feb 2018 14:54:33 -0500 Received: by mail-vk0-f68.google.com with SMTP id k187so2237112vke.12 for ; Wed, 28 Feb 2018 11:54:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=8nuzetamnbDVzWdUqCnlwpKPojsVJmWt4zMEvyOeGZ8=; b=TKyB7lOwjJLByWdw0h/Nb/LYIdytUQPAc6YamVmc8++8WNhw/7ZKTYHtnuOSk6Y6ux wHFxbBU6Rh9uJl7Q9cL17vMqCgWdM7BRFY1ylwuoiPA5RwIQK6efdt88oem5nBCj4ADV PldiDzATvljBJdU+MNRNvEnpdiDV7YmMipbdO6Xjev4Hl8Cd/Z4cqNTRq5MwTrwfmNbH aOhp52S5zi/5ofL43xYaDgUEuc8kcTALlrGi1u0kvICXbuS5dDiuiB9uCr7Ue1V4axVo fJCuoNuJcaqivr0rcbRiAkkZpM6sadP9CcoUGFqFvk5bZJ+S8uTWTaCLDZIdUnPW35+L lDdQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=8nuzetamnbDVzWdUqCnlwpKPojsVJmWt4zMEvyOeGZ8=; b=hhLx0wvFiRg96HEvJPCmk3ubHtdEd1HGHdGW4XfRdw2ZR+LYPY4mGMIGeFpN1MP7iz Wa1CHFZGCe8PE3H7CVel9USTmcuSKGuZKtSQxRmRgI9rfQwquKy90b1zDXEGjLz0iwyZ /qczX0JOBebW5sv33zMW91AwpJVpJ8F+lIfTU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=8nuzetamnbDVzWdUqCnlwpKPojsVJmWt4zMEvyOeGZ8=; b=dAuyGx4QvO7ufcKjVqWYOOQsDIHd5ItUqjXyMXr1nSt7HysOxgju929CC5b2ux4xIa smojJjNI+Y8l9vtOmySdN46Ktj8tkmvW/cXcdjyRstmLK7PYcG4ruC80nNxu46BXCl+B aAHmgPTPlzVsx618Y4GrAWKOciG7Hl5Ki9SlZheN971rg1DulbocdzRbozyh18jYalUB uXLcJ1pzJcCw+35kgxvD9EgVICsZFnlmaBWWoFdWABTyzWdV7aYGLysoJsgp48Arf/s0 AD8IH3mboTpPZcXRTOFAi73mjhsKAAYqetN56Wt5EZw1S7nDsXtzcjY8LunDilLAz/ts PWBg== X-Gm-Message-State: APf1xPAc8G6QQi+uUDnb+i02a58ByVvBjy9oL8Zd1sJ3jPhC5AzuQfHV fQ8VANjyb1Upwz59lhSf9DLD8GqV8NIhgYmEqgvL2A== X-Received: by 10.31.47.194 with SMTP id v185mr14053778vkv.121.1519847672803; Wed, 28 Feb 2018 11:54:32 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Wed, 28 Feb 2018 11:54:32 -0800 (PST) In-Reply-To: <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com> References: <20180227131338.3699-1-blackzert@gmail.com> <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com> From: Kees Cook Date: Wed, 28 Feb 2018 11:54:32 -0800 X-Google-Sender-Auth: NYFjIqahP2zR9JElan52x58o_IQ Message-ID: Subject: Re: [RFC PATCH] Randomization of address chosen by mmap. To: Ilya Smith Cc: Andrew Morton , Dan Williams , Michal Hocko , "Kirill A. Shutemov" , Jan Kara , Jerome Glisse , Hugh Dickins , Matthew Wilcox , Helge Deller , Andrea Arcangeli , Oleg Nesterov , Linux-MM , LKML , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 28, 2018 at 9:13 AM, Ilya Smith wrote: >> On 27 Feb 2018, at 23:52, Kees Cook wrote: >> What are the two phases here? Could this second one get collapsed into >> the first? >> > > Let me explain. > 1. we use current implementation to get larger address. Remember it as > =E2=80=98right_vma=E2=80=99. > 2. we walk tree from mm->mmap what is lowest vma. > 3. we check if current vma gap satisfies length and low/high constrains > 4. if so, we call random() to decide if we choose it. This how we randoml= y choose vma and gap > 5. we walk tree from lowest vma to highest and ignore subtrees with less = gap. > we do it until reach =E2=80=98right_vma=E2=80=99 > > Once we found gap, we may randomly choose address inside it. > >>> + addr =3D get_random_long() % ((high - low) >> PAGE_SHIFT); >>> + addr =3D low + (addr << PAGE_SHIFT); >>> + return addr; >>> >> >> How large are the gaps intended to be? Looking at the gaps on >> something like Xorg they differ a lot. > > Sorry, I can=E2=80=99t get clue. What's the context? You tried patch or w= hats the case? I was trying to understand the target entropy level, and I'm worried it's a bit biased. For example, if the first allocation lands at 1/4th of the memory space, the next allocation (IIUC) has a 50% chance of falling on either side of it. If it goes on the small side, it then has much less entropy than if it had gone on the other side. I think this may be less entropy than choosing a random address and just seeing if it fits or not. Dealing with collisions could be done either by pushing the address until it doesn't collide or picking another random address, etc. This is probably more expensive, though, since it would need to walk the vma tree repeatedly. Anyway, I was ultimately curious about your measured entropy and what alternatives you considered. -Kees --=20 Kees Cook Pixel Security