Received: by 10.213.65.68 with SMTP id h4csp80690imn; Tue, 27 Mar 2018 17:03:00 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/g86yXAERARxPHRJiRy4+onfN/Bcf1n9W3ZbXXU8Qi+Jayla0Cvpi139htdKwsJOdkuMTe X-Received: by 10.99.142.201 with SMTP id k192mr919807pge.278.1522195380180; Tue, 27 Mar 2018 17:03:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522195380; cv=none; d=google.com; s=arc-20160816; b=xy11UR/zaTMYjudfSXgu40jscjUfy06pYRqKYyJw3dzx8ylemUuBtM0ZkhBWcfpMqi tGXwtc/Acyv8hPZNX24w0jc91SzsCUZBtpA3qCdBFpQgMTQASqYTlrhl/thjdQPg4vQ6 Yp98Nkf8taegxWvSypdxu0iV5nT+cWL2m8Os7SDmQCCgdOZlKZ2HvArmDuvojkR664v0 LLV++VEtXoKONcb5OgB+thTTTMTJNcW3H6GA8twcsT66wu5zL1Fb3Yh82zwfc12XTKYv Dmnhol9v1VG8BSbxNo31HlCqxL4ITYhm3bbrzC5In+zPAbPd+4LhtxhU1zq/zqYVL1Hd rodg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:to:from:date :arc-authentication-results; bh=RuXjzbAoJOpFSvaQrOaKCSME79nh/qehfYprtUNcN+0=; b=koL4wNK+AX4kFi58KoUWk8i2myBG0MiRkIlLcup/89OLWir3cHVO3+dSqAWfJKeKFg WmTj/Q4e6Jzq0rn0YwIgcVj4jlyd8kmaLvjG3w7El/J7u+6ubCBf+Bw60KOn5YraE50O cDdpFBXeNsse20OyZmzKFslvJR4le/zoLiYuyKPoZjBMUwEvOJ2kP/AhsRNlb/z05Ce1 lmYYMIqcbshlchlmsvYSrz2n+qt0dDnLLhQkiWDOcInpniyDCKCJiFbu+++F+DiWuXO0 Cxily9h9Cv0RcMno94Ql2CIfBV+O24lcBzY1Xdw14BVfQiymUZFZZ66/tKC2AuJ8Aepv aMJw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o69si1739953pfj.329.2018.03.27.17.02.45; Tue, 27 Mar 2018 17:03:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752633AbeC1ABv (ORCPT + 99 others); Tue, 27 Mar 2018 20:01:51 -0400 Received: from 216-12-86-13.cv.mvl.ntelos.net ([216.12.86.13]:33436 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752121AbeC1ABr (ORCPT ); Tue, 27 Mar 2018 20:01:47 -0400 Received: from dalias by brightrain.aerifal.cx with local (Exim 3.15 #2) id 1f0yUO-0002bn-00; Tue, 27 Mar 2018 23:58:52 +0000 Date: Tue, 27 Mar 2018 19:58:52 -0400 From: Rich Felker To: "Theodore Y. Ts'o" , Ilya Smith , Michal Hocko , Matthew Wilcox , rth@twiddle.net, ink@jurassic.park.msu.ru, mattst88@gmail.com, vgupta@synopsys.com, linux@armlinux.org.uk, tony.luck@intel.com, fenghua.yu@intel.com, ralf@linux-mips.org, jejb@parisc-linux.org, Helge Deller , benh@kernel.crashing.org, paulus@samba.org, mpe@ellerman.id.au, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com, ysato@users.sourceforge.jp, davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, nyc@holomorphy.com, viro@zeniv.linux.org.uk, arnd@arndb.de, gregkh@linuxfoundation.org, deepa.kernel@gmail.com, Hugh Dickins , kstewart@linuxfoundation.org, pombredanne@nexb.com, Andrew Morton , steve.capper@arm.com, punit.agrawal@arm.com, aneesh.kumar@linux.vnet.ibm.com, npiggin@gmail.com, Kees Cook , bhsharma@redhat.com, riel@redhat.com, nitin.m.gupta@oracle.com, "Kirill A. Shutemov" , Dan Williams , Jan Kara , ross.zwisler@linux.intel.com, Jerome Glisse , Andrea Arcangeli , Oleg Nesterov , linux-alpha@vger.kernel.org, LKML , linux-snps-arc@lists.infradead.org, linux-ia64@vger.kernel.org, linux-metag@vger.kernel.org, linux-mips@linux-mips.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, sparclinux@vger.kernel.org, Linux-MM Subject: Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap. Message-ID: <20180327235852.GL1436@brightrain.aerifal.cx> References: <1521736598-12812-1-git-send-email-blackzert@gmail.com> <20180323124806.GA5624@bombadil.infradead.org> <651E0DB6-4507-4DA1-AD46-9C26ED9792A8@gmail.com> <20180326084650.GC5652@dhcp22.suse.cz> <01A133F4-27DF-4AE2-80D6-B0368BF758CD@gmail.com> <20180327072432.GY5652@dhcp22.suse.cz> <0549F29C-12FC-4401-9E85-A430BC11DA78@gmail.com> <20180327221635.GA3790@thunk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20180327221635.GA3790@thunk.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 27, 2018 at 06:16:35PM -0400, Theodore Y. Ts'o wrote: > On Tue, Mar 27, 2018 at 04:51:08PM +0300, Ilya Smith wrote: > > > /dev/[u]random is not sufficient? > > > > Using /dev/[u]random makes 3 syscalls - open, read, close. This is a performance > > issue. > > You may want to take a look at the getrandom(2) system call, which is > the recommended way getting secure random numbers from the kernel. Yes, while opening /dev/urandom is not acceptable due to needing an fd, getrandom and existing fallbacks for it have this covered if needed. > > > Well, I am pretty sure userspace can implement proper free ranges > > > tracking… > > > > I think we need to know what libc developers will say on implementing ASLR in > > user-mode. I am pretty sure they will say ‘nether’ or ‘some-day’. And problem > > of ASLR will stay forever. > > Why can't you send patches to the libc developers? I can tell you right now that any patch submitted for musl that depended on trying to duplicate knowledge of the entire virtual address space layout in userspace as part of mmap would be rejected, and I would recommend glibc do the same. Not only does it vastly increase complexity; it also has all sorts of failure modes (fd exhastion, etc.) which would either introduce new and unwanted ways for mmap to fail, or would force fallback to the normal (no extra randomization) strategy under conditions an attacker could potentially control, defeating the whole purpose. It would also potentially make it easier for an attacker to examine the vm layout for attacks, since it would be recorded in userspace. There's also the issue of preserving AS-safety of mmap. POSIX does not actually require mmap to be AS-safe, and on musl munmap is not fully AS-safe anyway because of some obscure issues it compensates for, but we may be able to make it AS-safe (this is a low-priority open issue). If mmap were manipulating data structures representing the vm space in userspace, though, the only way to make it anywhere near AS-safe would be to block all signals and take a lock every time mmap or munmap is called. This would significantly increase the cost of each call, especially now that meltdown/spectre mitigations have greatly increased the overhead of each syscall. Overall, asking userspace to take a lead role in management of process vm space is a radical change in the split of what user and kernel are responsible for, and it really does not make sense as part of a dubious hardening measure. Something this big would need to be really well-motivated. Rich