Received: by 10.223.185.116 with SMTP id b49csp1940537wrg;
        Sun, 4 Mar 2018 13:48:54 -0800 (PST)
X-Google-Smtp-Source: AG47ELuyXSxiXyNJUK7MO46c6+aAfKnaWhZffmAF6idOyw/LS41GnmUm7M2kEGgzayvRfuaLL49y
X-Received: by 10.98.242.65 with SMTP id y1mr12874167pfl.232.1520200134511;
        Sun, 04 Mar 2018 13:48:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520200134; cv=none;
        d=google.com; s=arc-20160816;
        b=pG0AJkjeax/hWLoEFzY3Ii6pC3JjC1kfN2xsMjI6lOQ5SPC1dB0VtrCDztfJ6r/sRh
         QZUTMyohQvbS23CnAO5R5so60bqz4nccXNBb/k2nokKpDTwxOMNnXq52hnTTYmV/UFMF
         c7gtp/qg/iduUwM9KuSa9OcLKPATD28+iTeC1LK4Tb1fI9F2AxfjF7KtT+Cs3scO4XeF
         H2bnX/lbkVxi1LwqX5nVEwE1edIniNQUYi7FrPSMEkCW1Qp9t4HUJbqrkGGXme5cBlgy
         QEayCXFQNtPnVt8S1y174EOtVyYgd/13LRpe40qwviExHG9i/6SaU5FTR+lCRbGQj9W8
         X16Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=kQvtH875Vpy8kX6Rv45uj3TgcKa/rEfy8jfk85cqD7I=;
        b=d4hzQ/aq3oD9x//tDvyvRZXEqLRh3F0+qWdTQJOYiD69ZPETzRs1TjTXQRij/nBluZ
         SGa7RFd/Q7sWV0lsBjJnVFsgEjPhhut61COyrkR+yNy5H97IqgC6cLoeyspqJRWTytsA
         pmtW6oIGjrOp/vNWdpM0EGt0GVHyhYK89/7YGhmivgsBJ2PrzUy65gbuF+Mz+35Uvodi
         01rX5TwEUbPIGLPCIQc8+2KG5K1/6BmOKVjasma4ly2Ql5DQGq6C1iqIOXJbf0VIVY9i
         3arq7P+NAG3eXMrviZcGqUh0WDnn2giRe7XpkUrpaKxAGPug6zRfqSuOi1zxC6tjBtaq
         Xj4w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=RKlupeSS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j15-v6si8451252pli.649.2018.03.04.13.48.39;
        Sun, 04 Mar 2018 13:48:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=RKlupeSS;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932362AbeCDU4e (ORCPT <rfc822;nsahula.photo.sharing@gmail.com>
        + 99 others); Sun, 4 Mar 2018 15:56:34 -0500
Received: from bombadil.infradead.org ([198.137.202.133]:42556 "EHLO
        bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932123AbeCDU4d (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 4 Mar 2018 15:56:33 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version
        :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=kQvtH875Vpy8kX6Rv45uj3TgcKa/rEfy8jfk85cqD7I=; b=RKlupeSS7uBhlJRxM+4YvXqGX
        uIcZlzG7DTQ1fgLgCu7LeJe6o+TohFikTokM+J+Pob5LPAGrAZKi6m11M9QycQxgBa2jZ2crqbJZQ
        r6CGN6TbeAWHNXZUijWij8+vY58dNyGwdOEoFyiffm2MpbP3ytcnCNlhqVImjfsrBok3CvLsCNIUj
        Rp7V5RllMMrRQDxaflHxdOuit3j0Fs1eoblmu7VunEp1YpZU9K/VnBZVVEGhz5Jw2hvlKuf3O1Kor
        RgNOiNKfkR+S+tDYZDmvSclaI72IHpkzYLOHJfqzOZRw4UIBc+Q2ZRgxOGsl84cfQ6CpVXI8K8Bvv
        vgzNjc11w==;
Received: from willy by bombadil.infradead.org with local (Exim 4.89 #1 (Red Hat Linux))
        id 1esag2-0000XM-DU; Sun, 04 Mar 2018 20:56:14 +0000
Date:   Sun, 4 Mar 2018 12:56:14 -0800
From:   Matthew Wilcox <willy@infradead.org>
To:     Daniel Micay <danielmicay@gmail.com>
Cc:     Ilya Smith <blackzert@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Dan Williams <dan.j.williams@intel.com>,
        Michal Hocko <mhocko@suse.com>,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
        Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
        Hugh Dickins <hughd@google.com>, Helge Deller <deller@gmx.de>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Message-ID: <20180304205614.GC23816@bombadil.infradead.org>
References: <20180227131338.3699-1-blackzert@gmail.com>
 <CAGXu5jKF7ysJqj57ZktrcVL4G2NWOFHCud8dtXFHLs=tvVLXnQ@mail.gmail.com>
 <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com>
 <20180228183349.GA16336@bombadil.infradead.org>
 <CA+DvKQKoo1U7T_iOOLhfEf9c+K1pzD068au+kGtx0RokFFNKHw@mail.gmail.com>
 <2CF957C6-53F2-4B00-920F-245BEF3CA1F6@gmail.com>
 <CA+DvKQ+mrnm4WX+3cBPuoSLFHmx2Zwz8=FsEx51fH-7yQMAd9w@mail.gmail.com>
 <20180304034704.GB20725@bombadil.infradead.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180304034704.GB20725@bombadil.infradead.org>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Mar 03, 2018 at 07:47:04PM -0800, Matthew Wilcox wrote:
> On Sat, Mar 03, 2018 at 04:00:45PM -0500, Daniel Micay wrote:
> > The main thing I'd like to see is just the option to get a guarantee
> > of enforced gaps around mappings, without necessarily even having
> > randomization of the gap size. It's possible to add guard pages in
> > userspace but it adds overhead by doubling the number of system calls
> > to map memory (mmap PROT_NONE region, mprotect the inner portion to
> > PROT_READ|PROT_WRITE) and *everything* using mmap would need to
> > cooperate which is unrealistic.
> 
> So something like this?
> 
> To use it, OR in PROT_GUARD(n) to the PROT flags of mmap, and it should
> pad the map by n pages.  I haven't tested it, so I'm sure it's buggy,
> but it seems like a fairly cheap way to give us padding after every
> mapping.
> 
> Running it on an old kernel will result in no padding, so to see if it
> worked or not, try mapping something immediately after it.

Thinking about this more ...

 - When you call munmap, if you pass in the same (addr, length) that were
   used for mmap, then it should unmap the guard pages as well (that
   wasn't part of the patch, so it would have to be added)
 - If 'addr' is higher than the mapped address, and length at least
   reaches the end of the mapping, then I would expect the guard pages to
   "move down" and be after the end of the newly-shortened mapping.
 - If 'addr' is higher than the mapped address, and the length doesn't
   reach the end of the old mapping, we split the old mapping into two.
   I would expect the guard pages to apply to both mappings, insofar as
   they'll fit.  For an example, suppose we have a five-page mapping with
   two guard pages (MMMMMGG), and then we unmap the fourth page.  Now we
   have a three-page mapping with one guard page followed immediately
   by a one-page mapping with two guard pages (MMMGMGG).

I would say that mremap cannot change the number of guard pages.
Although I'm a little tempted to add an mremap flag to permit the mapping
to expand into the guard pages.  That would give us a nice way to reserve
address space for a mapping we think is going to expand.