Date: Fri, 2 Mar 2018 12:48:08 -0800
From: Matthew Wilcox
To: Ilya Smith
Cc: Kees Cook, Andrew Morton, Dan Williams, Michal Hocko, "Kirill A. Shutemov", Jan Kara, Jerome Glisse, Hugh Dickins, Helge Deller, Andrea Arcangeli, Oleg Nesterov, Linux-MM, LKML, Kernel Hardening
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Message-ID: <20180302204808.GA671@bombadil.infradead.org>
References: <20180227131338.3699-1-blackzert@gmail.com> <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com> <20180228183349.GA16336@bombadil.infradead.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 02, 2018 at 11:30:28PM +0300, Ilya Smith wrote:
> This is a really good question. Let's suppose we choose an address with a
> random-length guard hole. This length is limited by some configuration, as
> you described. For instance, let it be 1MB. Now, according to the current
> implementation, we still may fill this gap with small allocations of size
> less than 1MB. An attacker is going to build an attack based on this
> predictable behaviour - he just needs to spray with 1 MB chunks (or less,
> with some expectation). This attack is harder but not impossible.

Ah, I didn't mean that. I was thinking that we can change the implementation
to reserve 1-N pages after the end of the mapping. So you can't map anything
else in there, and any load/store into that region will segfault.
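The reply above proposes that mmap itself reserve a few inaccessible pages after every mapping. The following is an added, user-space illustration of that property and is not code from the thread or from the RFC patch: it emulates the reserved tail with an mprotect(PROT_NONE) guard after an anonymous mapping, then checks the two effects Matthew describes, that a load into the guard segfaults and that a later mapping cannot be placed into it. The helper names (map_with_guard, access_faults, guard_not_reusable) are this example's own, it assumes Linux, and it assumes MAP_FIXED_NOREPLACE is honoured (Linux 4.17 and later; older kernels silently treat the address as a hint, which the check also tolerates).

```c
/* Added example: user-space analogue of "reserve N guard pages after the
 * end of a mapping". Not the kernel change itself. Assumes Linux. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 /* Linux >= 4.17; older kernels ignore it */
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Map `len` usable bytes followed by `guard_pages` inaccessible pages.
 * Returns the usable base (NULL on failure); *guard_out gets the guard start. */
void *map_with_guard(size_t len, size_t guard_pages, void **guard_out) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t usable = (len + page - 1) / page * page;
    size_t guard = guard_pages * page;
    unsigned char *base = mmap(NULL, usable + guard, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* The tail stays mapped but inaccessible: any load/store there faults. */
    if (mprotect(base + usable, guard, PROT_NONE) != 0) {
        munmap(base, usable + guard);
        return NULL;
    }
    *guard_out = base + usable;
    return base;
}

/* Returns 1 if a load from `addr` raised SIGSEGV, 0 if it succeeded. */
int access_faults(volatile unsigned char *addr) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        unsigned char c = *addr;   /* the load; faults inside the guard */
        (void)c;
    }
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/* Returns 1 if the kernel refused to place a new mapping exactly at `hint`
 * (the guard cannot be filled by a later allocation), 0 otherwise. */
int guard_not_reusable(void *hint, size_t len) {
    void *p = mmap(hint, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED) return 1;       /* EEXIST on kernels with the flag */
    int reused = (p == hint);            /* old kernels: address was only a hint */
    munmap(p, len);
    return !reused;
}

int main(void) {
    void *guard;
    unsigned char *buf = map_with_guard(4096, 2, &guard);
    if (!buf) { perror("map_with_guard"); return 1; }
    buf[0] = 1;                                   /* usable region is writable */
    printf("load from guard faults:    %d\n", access_faults(guard));
    printf("guard cannot be re-mapped: %d\n", guard_not_reusable(guard, 4096));
    return 0;
}
```

The guard here is two pages; the kernel proposal would pick the count (1-N) itself and apply it to every mapping, so a sprayed allocation could never land in the hole, which is the point Ilya's 1 MB spray relies on.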