Received: by 10.223.185.116 with SMTP id b49csp7451890wrg; Thu, 1 Mar 2018 05:53:47 -0800 (PST) X-Google-Smtp-Source: AG47ELvIXrtJdiVQm1RKfD6ar7VFTOtKxcM6e8Hkz+QYQdYFSjKUgqa+kmwvlzi1/lQT1krTG48Z X-Received: by 10.98.70.198 with SMTP id o67mr1994569pfi.173.1519912427450; Thu, 01 Mar 2018 05:53:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519912427; cv=none; d=google.com; s=arc-20160816; b=hXynxVB01oNlm6tkkIApfFH8pZ8ui++N7T6xzrYWo2UYXvCDT6KGF/2ZU0Pj/068Er LVjF/+1QphA9L85q+b9NRJ+hMRW4KB8CMH3yRxqNvTu5fXeo5EB9do+HVWQdrbG6PK/h CCyrbQdtDGdRsaQ38B0RpOX6Xl6ClkHI4txW6v2mNTAcBigQvTFim+7TD5CdUJEbwAUB YUEYWNepxyPYsHLvLqadP6imkKNLCT9R8tXryKoU4WteKueX36QAZ/j8IMua4WQflPXL 1ZjJ5hrYzjbRefnx55nPzJ6JugB4vo/p5nMsvSP0i5++XgheU6IVX3ffj3sCVrvmnZWn pNNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=OCyN+zWE2Zwaxoh9ZubIkb3IfuRhB6nXBKF+S3v3bPs=; b=y8ageqZ+zfNQ1qsM0NW/Yz5PL1Gzk08eVX4E1bhgxGYW5gvJZfiPqh80so3xZDBxGM Y7qZ2vzQppXqqI5IJgbIdlsBtp2i0nyf6AJoL+tQtf0l3M8fw4x3QX0soME+rDf4Nra4 R0ic0S/DKeLvHj0kVB3E+WOOhavkGHKcpk87CO9Zu+txpgSTeUNXOpR+DoG1uQP/mUnk Xi/9oGO+PgB4mwVSiGF6UgumWNKye9noCoqy52P87I9l1QRssZk/yuZ+tWJBepGrUSUZ 5WJsx236prOdrPGMJmAqbaGk/oLu382pxMTcOCz+zm2lpMYCmnnFACKG/ug5NpWiwPxB qwkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=etYqpPoS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o30si2480295pgc.325.2018.03.01.05.53.32; Thu, 01 Mar 2018 05:53:47 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=etYqpPoS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1030949AbeCANwR (ORCPT + 99 others); Thu, 1 Mar 2018 08:52:17 -0500 Received: from mail-wm0-f52.google.com ([74.125.82.52]:35565 "EHLO mail-wm0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1030462AbeCANwP (ORCPT ); Thu, 1 Mar 2018 08:52:15 -0500 Received: by mail-wm0-f52.google.com with SMTP id x7so11858931wmc.0 for ; Thu, 01 Mar 2018 05:52:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=OCyN+zWE2Zwaxoh9ZubIkb3IfuRhB6nXBKF+S3v3bPs=; b=etYqpPoSYrSfb9T6fVzDKrzkuN+TyVx55hqxWKRFTFCONb++JxAKUsbb8TI9D/X7uH 6g/sJS59n3mV94YKdaABX9RZvF5v98JJIT2iVruk65qCaJAikdGtCqaVNKNeN0ZtT7wJ vDd708Bs4AqRgLhU9LV6Q2Ji+F6YG2qscCm55cY35Au7sPzpWAP1mY4eBCw4Qe2csLn4 REiglxJlspOVw63BEHJKNvAFQDUKetCZqUnJuc7HaW1XxCP6jT30IH+zPMhoUP8GFoMK SoltDZGjv6AS0VYkv1r3QKS9w6idNKVPbRtfw0GidfD8vPKew7gz18lLKYxI7wGImgf1 1EqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=OCyN+zWE2Zwaxoh9ZubIkb3IfuRhB6nXBKF+S3v3bPs=; b=WI7cP5f4v40TmZpNIcZJMULelT3xWFM1YMVoJLrKTKJTPD/+H5bYLwRemuz7VdV1fl nXezmBHZ6jbzgZ4Hpn8UT3OSpemvtx996ihFfactKJljANyZ/wIl5tlHnNrzFQaUMSAz djvmm7JKB8VDzonQhJoH8VRuohodDQsugS9fUuKmHu64g5I6pLj6iK3yT9ZKYtrYCX2g edHkDENH6u7zCuNj1onKhVovV4S64VRS40cY+CDU8lQnceIMqADzmzDGiaIxOWGpznVB pSv7WSTlvQyD9ZHK+lUOfPhiZKSOp6a67XQQI46WfpVS3u125S59SI24OV7a5NBbD81l /EcQ== X-Gm-Message-State: APf1xPCEvWa5noOXsf2yQkMjNMViglxN66wctiLZRqRSrI93jyH/pBmp OnJ4Ev5hlJQrB6aH2vTLGQ6AF3C0lcY= X-Received: by 10.46.25.86 with SMTP id p83mr1436127lje.142.1519912334561; Thu, 01 Mar 2018 05:52:14 -0800 (PST) Received: from [10.0.36.140] ([31.44.93.2]) by smtp.gmail.com with ESMTPSA id q80sm886072lfb.69.2018.03.01.05.52.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Mar 2018 05:52:13 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Subject: Re: [RFC PATCH] Randomization of address chosen by mmap. From: Ilya Smith In-Reply-To: Date: Thu, 1 Mar 2018 16:52:12 +0300 Cc: Andrew Morton , Dan Williams , Michal Hocko , "Kirill A. Shutemov" , Jan Kara , Jerome Glisse , Hugh Dickins , Matthew Wilcox , Helge Deller , Andrea Arcangeli , Oleg Nesterov , Linux-MM , LKML , Kernel Hardening Content-Transfer-Encoding: quoted-printable Message-Id: <5E526DB1-08ED-4BD9-AD33-A2EBCC95091E@gmail.com> References: <20180227131338.3699-1-blackzert@gmail.com> <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com> To: Kees Cook X-Mailer: Apple Mail (2.3445.5.20) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On 28 Feb 2018, at 22:54, Kees Cook wrote: >=20 > I was trying to understand the target entropy level, and I'm worried > it's a bit biased. For example, if the first allocation lands at 1/4th > of the memory space, the next allocation (IIUC) has a 50% chance of > falling on either side of it. If it goes on the small side, it then > has much less entropy than if it had gone on the other side. I think > this may be less entropy than choosing a random address and just > seeing if it fits or not. Dealing with collisions could be done either > by pushing the address until it doesn't collide or picking another > random address, etc. This is probably more expensive, though, since it > would need to walk the vma tree repeatedly. Anyway, I was ultimately > curious about your measured entropy and what alternatives you > considered. Let me please start with the options we have here.=20 Let's pretend we need to choose random address from free memory pool. = Let=E2=80=99s=20 pretend we have an array of gaps sorted by size of gap descending. First = we=20 find the highest index satisfies requested length. For each suitable gap = (with=20 less index) we count how many pages in this gap satisfies request. And = compute=20 total count of pages satisfies request. Now we get random by module of = total=20 number. Subtracting from this value count of suitable gap pages for gaps = until=20 this value greater we will find needed gap and offset inside it. Add gap = start=20 to offset we will randomly choose suitable address. In this scheme we have to keep array of gaps. Each time address space is=20= changed we have to keep the gaps array consistent and apply this = changes. It is=20 a very big overhead on any change. Pure random looks really expensive. Lets try to improve something. We can=E2=80=99t just choose random address and try do it again and = again until we find=20 something - this approach has non-deterministic behaviour. Nobody knows = when it=20 stops. Same if we try to walk tree in random direction. We can walk tree and try to build array of suitable gaps and choose = something=20 from there. In my current approach (proof of concept) length of array is = 1 and=20 thats why last gaps would be chosen with more probability. I=E2=80=99m = agree. It is=20 possible to increase array spending some memory. For example struct mm = may have=20 to array of 1024 gaps. We do the same, walk tree and randomly fill this = array (=20 everything locked under write_mem semaphore). When we filled it or = walked whole=20 tree - choose gap randomly. What do you think about it? Thanks, Ilya