From: Ard Biesheuvel
Date: Fri, 25 Sep 2020 22:37:01 +0200
Subject: Re: KASLR support on ARM with Kernel 4.9 and 4.14
To: Kees Cook
Cc: Pintu Agarwal, Mark Rutland, Arnd Bergmann, Ard Biesheuvel, Marc Zyngier, Dave Martin, Kernelnewbies, Russell King - ARM Linux, open list, Tony Lindgren, matt@codeblueprint.co.uk, nico@linaro.org, Thomas Garnier, "moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
In-Reply-To: <202009251301.A1FD183582@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 25 Sep 2020 at 22:28, Kees Cook wrote:
>
> On Fri, Sep 25, 2020 at 08:33:59PM +0530, Pintu Agarwal wrote:
> > This is regarding the KASLR feature support on ARM for the kernel
> > version 4.9 and 4.14.
> >
> > Is KASLR supported on ARM-32 Linux 4.9 and above?
>
> Sorry, this feature did not yet land in upstream:
> https://github.com/KSPP/linux/issues/3
>
> Here was the earlier effort:
> https://lore.kernel.org/kernel-hardening/20170814125411.22604-1-ard.biesheuvel@linaro.org/
>
> > Is it dependent on CONFIG_RANDOMIZE_BASE or
>
> CONFIG_RANDOMIZE_BASE is what is used on other architectures to control
> the feature.
>
> > /proc/sys/kernel/randomize_va_space ?
> > Is there any relation between these two?
>
> No, the latter is about userspace addresses.
>
> > Is the changing kernel symbols (in every boot) only possible if KASLR
> > is enabled, or is there another way it can happen?
>
> I think you meant kernel symbol addresses (not the symbols themselves).
> But yes, I wouldn't expect the addresses to move if you didn't either
> rebuild the kernel or had something else moving the kernel at boot (i.e.
> the boot loader).
>
> > I have these queries because,
> > in one of the arm-32 devices with Kernel 4.14, I observed that
> > CONFIG_RANDOMIZE_BASE is not available.
> > But /proc/sys/kernel/randomize_va_space is set to 2.
> > However, I also observed that symbol addresses are changing in every boot.
> >
> > 1st boot cycle:
> > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > a5b4de92 T sys_open
> > [root@sa515m ~]#
> >
> > 2nd boot cycle:
> > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > f546ed66 T sys_open
> >
> > So, I am wondering how this is possible without KASLR
> > (CONFIG_RANDOMIZE_BASE) support in the kernel?

Those addresses were obfuscated by kptr_restrict.
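As an added example (not part of this thread and not code from any of its participants), the following shell check tells the two explanations apart from two /proc/kallsyms dumps taken on different boots. A relocated kernel (KASLR, or a boot loader placing the image somewhere else) moves every symbol by one common offset, so the distance between any two symbols is the same on both boots. Hashed pointer output (%p, and %pK with kptr_restrict=0, on kernels with pointer hashing, mainline 4.15 and later) maps each address independently through a per-boot keyed hash, so those distances are not preserved. kptr_restrict=1 for unprivileged readers, or kptr_restrict=2 for everyone, prints zeros instead. The dumps below are constructed sample data; only the two sys_open values from the thread are reused, in the hashed pair.

```shell
#!/bin/sh
# Added example: classify why kallsyms addresses differ between boots.
# The four *_RELOC/_HASH/_HIDDEN dumps are constructed sample data that
# stand in for `grep -E ' T (sys_open|sys_close|do_sys_open)$' /proc/kallsyms`
# run on two boots; they are not real captures.

# Relocated kernel: every symbol shifted by the same 0x00800000.
BOOT1_RELOC='c0100000 T sys_open
c0100020 T sys_close
c0300000 T do_sys_open'
BOOT2_RELOC='c0900000 T sys_open
c0900020 T sys_close
c0b00000 T do_sys_open'

# Hashed %p output: each value independently scrambled per boot
# (sys_open values taken from the thread, the rest made up).
BOOT1_HASH='a5b4de92 T sys_open
3f0c21aa T sys_close
8877de01 T do_sys_open'
BOOT2_HASH='f546ed66 T sys_open
0c9b3e2d T sys_close
e1d2ab90 T do_sys_open'

# kptr_restrict hiding: addresses printed as zero.
BOOT_HIDDEN='00000000 T sys_open
00000000 T sys_close
00000000 T do_sys_open'

# Print the address of symbol $2 in dump $1 (first match), or nothing.
sym_addr() {
    printf '%s\n' "$1" | awk -v n="$2" '$3 == n { print $1; exit }'
}

# Compare two per-boot dumps of the same symbols and print one of:
#   hidden    - every address is zero (kptr_restrict hid them)
#   static    - identical addresses (no relocation, no hashing)
#   relocated - all symbols moved by one common offset (KASLR/boot loader)
#   hashed    - symbol distances not preserved (per-pointer hashing)
classify_kallsyms() {
    dump1=$1; dump2=$2
    all_zero=1; identical=1; relocated=1; offset=""
    for name in $(printf '%s\n' "$dump1" | awk '{ print $3 }'); do
        a1=$(sym_addr "$dump1" "$name")
        a2=$(sym_addr "$dump2" "$name")
        [ -z "$a2" ] && continue          # symbol absent from second dump
        [ "$a1" = "00000000" ] && [ "$a2" = "00000000" ] || all_zero=0
        [ "$a1" = "$a2" ] || identical=0
        # per-symbol shift, reduced mod 2^32 so 32-bit wraparound is harmless
        d=$(( (0x$a2 - 0x$a1) & 0xffffffff ))
        if [ -z "$offset" ]; then offset=$d
        elif [ "$d" -ne "$offset" ]; then relocated=0
        fi
    done
    if   [ "$all_zero"  -eq 1 ]; then echo hidden
    elif [ "$identical" -eq 1 ]; then echo static
    elif [ "$relocated" -eq 1 ]; then echo relocated
    else echo hashed
    fi
}

# Stand-alone usage: run the classifier over each constructed pair.
printf 'common-offset shift : %s\n' "$(classify_kallsyms "$BOOT1_RELOC" "$BOOT2_RELOC")"
printf 'per-pointer hashing : %s\n' "$(classify_kallsyms "$BOOT1_HASH"  "$BOOT2_HASH")"
printf 'zeroed by restrict  : %s\n' "$(classify_kallsyms "$BOOT_HIDDEN" "$BOOT_HIDDEN")"
printf 'same kernel twice   : %s\n' "$(classify_kallsyms "$BOOT1_RELOC" "$BOOT1_RELOC")"
```

On a real device, save the grep output from two boots to files and pass `"$(cat boot1.txt)"` and `"$(cat boot2.txt)"` to classify_kallsyms; a `hashed` verdict together with an absent CONFIG_RANDOMIZE_BASE is the situation described in the thread, while `relocated` means the image really was loaded at a different address and the loader or kernel config should be inspected.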