From: Ilya Smith
To: rth@twiddle.net, ink@jurassic.park.msu.ru, mattst88@gmail.com,
    vgupta@synopsys.com, linux@armlinux.org.uk, tony.luck@intel.com,
    fenghua.yu@intel.com, jhogan@kernel.org, ralf@linux-mips.org,
    jejb@parisc-linux.org, deller@gmx.de, benh@kernel.crashing.org,
    paulus@samba.org, mpe@ellerman.id.au, schwidefsky@de.ibm.com,
    heiko.carstens@de.ibm.com, ysato@users.sourceforge.jp, dalias@libc.org,
    davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com,
    x86@kernel.org, nyc@holomorphy.com, viro@zeniv.linux.org.uk, arnd@arndb.de,
    blackzert@gmail.com, gregkh@linuxfoundation.org, deepa.kernel@gmail.com,
    mhocko@suse.com, hughd@google.com, kstewart@linuxfoundation.org,
    pombredanne@nexb.com, akpm@linux-foundation.org, steve.capper@arm.com,
    punit.agrawal@arm.com, paul.burton@mips.com,
    aneesh.kumar@linux.vnet.ibm.com, npiggin@gmail.com, keescook@chromium.org,
    bhsharma@redhat.com, riel@redhat.com, nitin.m.gupta@oracle.com,
    kirill.shutemov@linux.intel.com, dan.j.williams@intel.com, jack@suse.cz,
    ross.zwisler@linux.intel.com, jglisse@redhat.com, willy@infradead.org,
    aarcange@redhat.com, oleg@redhat.com, linux-alpha@vger.kernel.org,
    linux-kernel@vger.kernel.org, linux-snps-arc@lists.infradead.org,
    linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
    linux-metag@vger.kernel.org, linux-mips@linux-mips.org,
    linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
    linux-s390@vger.kernel.org, linux-sh@vger.kernel.org,
    sparclinux@vger.kernel.org, linux-mm@kvack.org
Subject: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.
Date: Thu, 22 Mar 2018 19:36:36 +0300
Message-Id: <1521736598-12812-1-git-send-email-blackzert@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The current implementation doesn't randomize the address returned by mmap.
All the entropy ends with choosing mmap_base_addr at process creation.
After that, mmap builds a very predictable layout of the address space. This
allows ASLR to be bypassed in many cases. This patch adds randomization of
the address on any mmap call.

---
v2: Changed the way the gap is chosen. Now we don't get all possible
gaps. A random address is generated and used as the tree walking direction.
The tree is walked with backtracking until a suitable gap is found.
When the gap is found, the address is randomly shifted from the next vma start.

The vm_unmapped_area_info structure was extended with a new field, random_shift,
which might be used to set an arch-dependent limit on the shift to the next vma
start. In the case of the x86-64 architecture this shift is 256 pages for 32-bit
applications and 0x1000000 pages for 64-bit.

To get the entropy, pseudo-random is used. This is because on Intel x86-64
processors the RDRAND instruction works very slowly if the buffer is consumed,
after about 10000 iterations.

This feature can be enabled by setting randomize_va_space to 4.

---
Performance:
After applying this patch, a single mmap took about 7% longer according to the
following test:

    before = rdtsc();
    addr = mmap(0, SIZE, PROT_READ | PROT_WRITE,
                MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    after = rdtsc();
    diff = after - before;
    munmap(addr, SIZE);
    ...
    unsigned long long total = 0;
    for(int i = 0; i < count; ++i) {
        total += one_iteration();
    }
    printf("%lld\n", total);

Time is consumed by the div instruction in the computation of the address.

make kernel:
echo 2 > /proc/sys/kernel/randomize_va_space
make mrproper && make defconfig && time make
real    11m9.925s
user    10m17.829s
sys     1m4.969s

echo 4 > /proc/sys/kernel/randomize_va_space
make mrproper && make defconfig && time make
real    11m12.806s
user    10m18.305s
sys     1m4.281s

Ilya Smith (2):
  Randomization of address chosen by mmap.
  Architecture defined limit on memory region random shift.

 arch/alpha/kernel/osf_sys.c         |   1 +
 arch/arc/mm/mmap.c                  |   1 +
 arch/arm/mm/mmap.c                  |   2 +
 arch/frv/mm/elf-fdpic.c             |   1 +
 arch/ia64/kernel/sys_ia64.c         |   1 +
 arch/ia64/mm/hugetlbpage.c          |   1 +
 arch/metag/mm/hugetlbpage.c         |   1 +
 arch/mips/mm/mmap.c                 |   1 +
 arch/parisc/kernel/sys_parisc.c     |   2 +
 arch/powerpc/mm/hugetlbpage-radix.c |   1 +
 arch/powerpc/mm/mmap.c              |   2 +
 arch/powerpc/mm/slice.c             |   2 +
 arch/s390/mm/mmap.c                 |   2 +
 arch/sh/mm/mmap.c                   |   2 +
 arch/sparc/kernel/sys_sparc_32.c    |   1 +
 arch/sparc/kernel/sys_sparc_64.c    |   2 +
 arch/sparc/mm/hugetlbpage.c         |   2 +
 arch/tile/mm/hugetlbpage.c          |   2 +
 arch/x86/kernel/sys_x86_64.c        |   4 +
 arch/x86/mm/hugetlbpage.c           |   4 +
 fs/hugetlbfs/inode.c                |   1 +
 include/linux/mm.h                  |  17 ++--
 mm/mmap.c                           | 165 ++++++++++++++++++++++++++++++++++++
 23 files changed, 213 insertions(+), 5 deletions(-)

-- 
2.7.4
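
Added example, not part of the original message or the patch series: a small user-space C program that measures the predictability the cover letter describes, by counting how many consecutive anonymous mmap() results lie exactly one mapping size apart. The function name adjacent_mmap_pairs, the MAX_MAPS limit and the sizes used in main() are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_MAPS 256   /* example limit, not a kernel constant */

/*
 * Create n anonymous private mappings of `size` bytes and return how many
 * consecutive results are exactly `size` bytes apart (above or below the
 * previous one). Returns -1 on bad arguments or if mmap() fails.
 */
int adjacent_mmap_pairs(size_t size, int n)
{
    void *maps[MAX_MAPS];
    int made = 0, adjacent = 0;

    if (n < 1 || n > MAX_MAPS || size == 0)
        return -1;
    for (; made < n; made++) {
        maps[made] = mmap(NULL, size, PROT_READ | PROT_WRITE,
                          MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
        if (maps[made] == MAP_FAILED) {
            adjacent = -1;
            break;
        }
        if (made > 0) {
            uintptr_t prev = (uintptr_t)maps[made - 1];
            uintptr_t cur = (uintptr_t)maps[made];
            uintptr_t delta = prev > cur ? prev - cur : cur - prev;
            if (delta == size)
                adjacent++;
        }
    }
    /* Release everything mapped so far, including after a failure. */
    for (int i = 0; i < made; i++)
        munmap(maps[i], size);
    return adjacent;
}

int main(void)
{
    size_t size = 16 * (size_t)sysconf(_SC_PAGESIZE);
    int n = 64;
    int adj = adjacent_mmap_pairs(size, n);

    if (adj < 0) {
        perror("mmap");
        return 1;
    }
    /* A high ratio means one mapping's address follows from the previous one. */
    printf("%d of %d consecutive mmap() pairs were adjacent\n", adj, n - 1);
    return 0;
}
```

A high adjacent count means that learning one mapping's address gives away its neighbours, which is the predictable layout the message refers to; per-call randomization as proposed in the patch is meant to break that relation.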