Subject: Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.
From: Ilya Smith
To: Andrew Morton
Date: Fri, 23 Mar 2018 20:25:15 +0300
In-Reply-To: <20180322135729.dbfd3575819c92c0f88c5c21@linux-foundation.org>
References: <1521736598-12812-1-git-send-email-blackzert@gmail.com> <20180322135729.dbfd3575819c92c0f88c5c21@linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello, Andrew

Thanks for reading this patch.
> On 22 Mar 2018, at 23:57, Andrew Morton wrote:
>
> On Thu, 22 Mar 2018 19:36:36 +0300 Ilya Smith wrote:
>
>> The current implementation doesn't randomize the address returned by mmap.
>> All the entropy ends with choosing mmap_base_addr at the process
>> creation. After that, mmap builds a very predictable layout of the address
>> space. It allows bypassing ASLR in many cases.
>
> Perhaps some more effort on the problem description would help. *Are*
> people predicting layouts at present? What problems does this cause?
> How are they doing this and are there other approaches to solving the
> problem?
>

Sorry, I lost it in the first version. In short: the memory layout could be
easily repaired by a single leakage. Also, any out-of-bounds error may easily be
exploited according to the current implementation, all because mmap chooses the
address just before the previously allocated segment. You can read more about it
here: http://www.openwall.com/lists/oss-security/2018/02/27/5
Some tests are available here: https://github.com/blackzert/aslur.
To solve the problem, the kernel should randomize the address on any mmap so an
attacker could never easily gain the needed addresses.

> Mainly: what value does this patchset have to our users? This reader
> is unable to determine that from the information which you have
> provided. Full details, please.

The value of this patch is to decrease the success rate of exploitation of
vulnerable applications. These could be either remote or local vectors.
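As an added check, not part of the patch or of the aslur repository, the C program below maps a series of anonymous pages and counts how many land directly below the previous mapping, which is the placement behaviour the reply describes; a ratio near 1.0 means a single leaked address is enough to reconstruct the neighbouring layout. It assumes a Linux/glibc build; the function names and the 32-page cap are my own choices.

```c
#define _DEFAULT_SOURCE   /* glibc: expose MAP_ANONYMOUS and sysconf() */
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* Added example (not from the patch or the aslur repo): measure how
 * predictable mmap placement is on the running kernel. Map `n` single
 * pages with one mmap() call each and return how many landed exactly one
 * page below the previous mapping. The unpatched top-down allocator puts
 * every new mapping right below the last one, so the count is n-1;
 * per-mmap randomization would push it toward 0.
 * Returns -1 for n outside 2..32 or on mmap failure. */
int count_adjacent_mappings(int n)
{
    void *maps[32];
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int mapped = 0, adjacent = 0;
    if (n < 2 || n > 32)
        return -1;
    for (; mapped < n; mapped++) {
        maps[mapped] = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (maps[mapped] == MAP_FAILED) {
            adjacent = -1;
            break;
        }
        /* Adjacent: the new page ends exactly where the previous one begins. */
        if (mapped > 0 &&
            (uintptr_t)maps[mapped] + page == (uintptr_t)maps[mapped - 1])
            adjacent++;
    }
    for (int i = 0; i < mapped; i++)   /* only unmap what succeeded */
        munmap(maps[i], page);
    return adjacent;
}

/* Fraction of adjacent placements: 1.0 is fully predictable, -1.0 on error. */
double predictability_ratio(int adjacent, int n)
{
    return (n > 1 && adjacent >= 0) ? (double)adjacent / (n - 1) : -1.0;
}

int main(void)
{
    int n = 16, adj = count_adjacent_mappings(n);
    printf("%d of %d mappings placed directly below the previous one "
           "(ratio %.2f)\n", adj, n - 1, predictability_ratio(adj, n));
    return adj < 0;
}
```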