Received: by 10.223.185.116 with SMTP id b49csp6650827wrg; Wed, 28 Feb 2018 13:03:49 -0800 (PST) X-Google-Smtp-Source: AH8x227SPbl1ZXC5//7KvB0J6BgoumBC1t5JC6GebeoLaQ4BzJT1P2AZYfFh2N2N0pNEMZBl7+ks X-Received: by 2002:a17:902:8492:: with SMTP id c18-v6mr19312584plo.40.1519851829116; Wed, 28 Feb 2018 13:03:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519851829; cv=none; d=google.com; s=arc-20160816; b=bn6AYq9GQI1qnTwdN1+4b0YEqt/l/tGo5tmGqYBqW44nurd31UdP05DCwJhwtfl32v kCSfoaSCCXGdxCL4uy1DFlNi3TTamdW8qlPgEXu1m9oLRUgIwuU99A5l/Uzs65uzeqhJ QxacGcaNJW1rRCYXEwC4GwQf0mCcsyOlJyF8YSpC34gfeL0aP6HbtQaoRUbce3s+28ba 9v5y40shIEvcKS5FJopcFm1bzuqnTPqa2O92j1xrxOZEA5PFOFcqOToO36fFpqjuYM+k vmSzV6TQMxaBfiNaVkr9gXFZ0iw+Z/D0gSI4hXZn3Rn/8Jxr4qQG7B5ID37uRgGsB7hj UbHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=/+BbvcQKPWdX7RD8uRA6lSaBOziDfR36ZlCoTXGgKRE=; b=nTZ2ZV8/RK4MEfwSU+Gn7Z55JSjWISCxeawwiYcETKCbBsMsVMhTJ/F4E5zO1zP/JD txTh8utmNUiewGtZr2jTsc0y7B6RGJ3pG1qHz2tbvOgO6EG81Z3oYlEpDZwBLv0gH7qQ oRwxuGdkAOkZjIukGwc0s2xuW59rU5zt0+YHmBn0nEIHszWFjRgW95040K7sBOy7eCrF pjsbHyw959cdA4jWuDTz47+k6DDHdhVg19Gfv08MnndaMTiwk8Ys86ScIpfwBXkJBd9p hPk0abLqEudB/KqHC0Vs6Eu/gW+vWKnZrmqiML+Xp4omnz2R211tPMQJYJHiwLX69F3W ZqzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=cW1o4dDa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y22-v6si316908plr.174.2018.02.28.13.03.34; Wed, 28 Feb 2018 13:03:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=cW1o4dDa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933101AbeB1VCn (ORCPT + 99 others); Wed, 28 Feb 2018 16:02:43 -0500 Received: from mail-qt0-f193.google.com ([209.85.216.193]:40300 "EHLO mail-qt0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932651AbeB1VCl (ORCPT ); Wed, 28 Feb 2018 16:02:41 -0500 Received: by mail-qt0-f193.google.com with SMTP id y6so4842461qtm.7 for ; Wed, 28 Feb 2018 13:02:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/+BbvcQKPWdX7RD8uRA6lSaBOziDfR36ZlCoTXGgKRE=; b=cW1o4dDaunLvRh0h/s5SHz+AOT9grZWaZbcLl47zDkD3YYqw5b48TstGaj7TiI3GvE vT/1l5Nb05RgqIuOL7RgH/oTDRV9DKgZrSkEsu8gN/YyXMKwfrH+vw3cDbiRLQdTcBE6 XEDOgH0HRMtKZ/WubArdHTGuXcMRJ1LZGmai6IxnzIdMv78T5kkqHAyvHZzjbet7CtKv XLTg5uLn78D858+O/HBldDKln413KlI3zcZaH7F0B4bNKujCpDISWqQc4IwuK63iUAnQ 8ui7mr6HCZvBwXPKG6hcFPM7IcfHffxGiDJvlMcE5sHg8fk0kiYV3S22OpFJNLhqvZdM Xz9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/+BbvcQKPWdX7RD8uRA6lSaBOziDfR36ZlCoTXGgKRE=; b=o5Jng/cL4qagGIaZsaFsjz6USM/3tRS4AJQOcAerq6fFQlLzrz+pQ0avP1rRyLBtXi AdQfUN1LprBTKrprqhR7L2v8hnlKNKuDLXaof/5nmaSp6ocgk1549tuao1ZR2tkq5/bK f01ELaU8dXyHW6Hapzh9CNe8OaJj4jHbumeRC9wss30+Y0l1MOTfsZ1k3Qd7RWcOXP4w MzDOYNbDsWnsmnDL50F0ReQxeaOp8gLtoej3rkkPjFecOWm9B/RD2tWo2pQhyriFKBlU HIWT59NR5DtRB+UgN9sr+pdefci0apX9hC19ncuGzZGCM+1W+BAPnF8DOFG91O/YFiS5 V4Cw== X-Gm-Message-State: APf1xPAhIQegMx6/S5G1ORhWGP4RPLJg4GEFhA2NQPq5Hv+5BCz4um8J pE4kzS6jQPC+B5ZWivb9VB8snZE6y6eDQ9UJB2k= X-Received: by 10.237.33.170 with SMTP id l39mr32792029qtc.100.1519851760931; Wed, 28 Feb 2018 13:02:40 -0800 (PST) MIME-Version: 1.0 Received: by 10.200.33.232 with HTTP; Wed, 28 Feb 2018 13:02:40 -0800 (PST) In-Reply-To: <20180228183349.GA16336@bombadil.infradead.org> References: <20180227131338.3699-1-blackzert@gmail.com> <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com> <20180228183349.GA16336@bombadil.infradead.org> From: Daniel Micay Date: Wed, 28 Feb 2018 16:02:40 -0500 Message-ID: Subject: Re: [RFC PATCH] Randomization of address chosen by mmap. To: Matthew Wilcox Cc: Ilya Smith , Kees Cook , Andrew Morton , Dan Williams , Michal Hocko , "Kirill A. Shutemov" , Jan Kara , Jerome Glisse , Hugh Dickins , Helge Deller , Andrea Arcangeli , Oleg Nesterov , Linux-MM , LKML , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The option to add at least one guard page would be useful whether or not it's tied to randomization. It's not feasible to do that in userspace for mmap as a whole, only specific users of mmap like malloc and it adds significant overhead vs. a kernel implementation. It could optionally let you choose a minimum and maximum guard region size with it picking random sizes if they're not equal. It's important for it to be an enforced gap rather than something that can be filled in by another allocation. It will obviously help a lot more when it's being used with a hardened allocator designed to take advantage of this rather than glibc malloc or jemalloc. I don't think it makes sense for the kernel to attempt mitigations to hide libraries. The best way to do that is in userspace, by having the linker reserve a large PROT_NONE region for mapping libraries (both at initialization and for dlopen) including a random gap to act as a separate ASLR base. If an attacker has library addresses, it's hard to see much point in hiding the other libraries from them. It does make sense to keep them from knowing the location of any executable code if they leak non-library addresses. An isolated library region + gap is a feature we implemented in CopperheadOS and it works well, although we haven't ported it to Android 7.x or 8.x. I don't think the kernel can bring much / anything to the table for it. It's inherently the responsibility of libc to randomize the lower bits for secondary stacks too. Fine-grained randomized mmap isn't going to be used if it causes unpredictable levels of fragmentation or has a high / unpredictable performance cost. I don't think it makes sense to approach it aggressively in a way that people can't use. The OpenBSD randomized mmap is a fairly conservative implementation to avoid causing excessive fragmentation. I think they do a bit more than adding random gaps by switching between different 'pivots' but that isn't very high benefit. The main benefit is having random bits of unmapped space all over the heap when combined with their hardened allocator which heavily uses small mmap mappings and has a fair bit of malloc-level randomization (it's a bitmap / hash table based slab allocator using 4k regions with a page span cache and we use a port of it to Android with added hardening features but we're missing the fine-grained mmap rand it's meant to have underneath what it does itself). The default vm.max_map_count = 65530 is also a major problem for doing fine-grained mmap randomization of any kind and there's the 32-bit reference count overflow issue on high memory machines with max_map_count * pid_max which isn't resolved yet.