Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp1445085pxu; Thu, 8 Oct 2020 11:37:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy9SVfTuC1IC+KhulC9xg8j3pCqpxQk1267JeD5eWcoEZhMuF9YMQkzFsI+Edin776CHf3x X-Received: by 2002:aa7:c915:: with SMTP id b21mr10488415edt.25.1602182248406; Thu, 08 Oct 2020 11:37:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602182248; cv=none; d=google.com; s=arc-20160816; b=KFb6lvcPmGqPL144h1yvPlh0aLsqZ9BRG2fNPnikGFRCB+EajA8EwECnAbPEpo4Rrc 8YLa38zw8qg9OrMNiLznVOnWqgrnIEfOT+ipa2F9rV5L6S2spVeU9lCxsKsyZKdVS7OD U4rhzH12xQahcueYi9CnWHPPhmjGFPiRX5F9uh1i/1HfGxKrV9msEL1Dm04pnpl19fXs PvbchNNCbvpFDb7zIi1YRiRz1knTnD3mEeGkwwmGapgQZuFHlX4M0Adqg4Cgqc/3NPpE pGgAEV/ISPJ77eKAoq1uIfcd6yE1AerqBblzxx0w2uYKVEVrz9rP56SKJEgRptPPceFm vaZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=MjSvq6hWT8/96s0xDFZsUEstTcT5YR2t+LBbq3YVkao=; b=MAPRMkSEtLTlNxGuXbXghTnMGLv7Y2xB2it714tXzwURQ2DhvlfMF9DjT5XAhZggNn xK8lPpQbjiI0rty3eUNjcIccPtuzxFg9bykAok4kCfw3kB5LkRhlaXZQDs40/TvMZHcf t/R5dBQII8irA0WlJtY8p3dGxOOk2u/pALYcmiqmajYaf6py7t7czlc2Xz2V66+G5BO2 9c4MrV/GCkqg7lIslGHI1SZ8stpfjOJLlCYbCb4x8BSytV4z4WikJ6fD6HVMXWkLY6T7 Pn6uhit5AIF0OAe0tD+u0+QWwk0oMnmj9UTbxUSckgOukAf1rKTF1QMK2fVKIgVcaTnE 6oQQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=klLxhSd3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z13si1000988ejf.718.2020.10.08.11.37.03; Thu, 08 Oct 2020 11:37:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=klLxhSd3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731806AbgJHROV (ORCPT + 99 others); Thu, 8 Oct 2020 13:14:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54174 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731799AbgJHROV (ORCPT ); Thu, 8 Oct 2020 13:14:21 -0400 Received: from mail-ed1-x541.google.com (mail-ed1-x541.google.com [IPv6:2a00:1450:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3B43AC0613D2 for ; Thu, 8 Oct 2020 10:14:21 -0700 (PDT) Received: by mail-ed1-x541.google.com with SMTP id l16so6623135eds.3 for ; Thu, 08 Oct 2020 10:14:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MjSvq6hWT8/96s0xDFZsUEstTcT5YR2t+LBbq3YVkao=; b=klLxhSd3oAlnTsYIcjtHGEZXhchm33gVu8+7BSp8Hb2U1bPvJY+LcC8B79kTzmBMBz dtKWJgMataIg1aB0r0un6QWDh+uyjnuBYe9cCDNHvi6sFoheCWes8NdS1RNx0pEMl3g3 lodEjtS/qN+lj9ujZpYEejIQKI0tMBgcQKBc6aLcC2pN6yYoDpmicgZms4TRF2aS0YYv im6YWnuBFVCc6c8CPgDMSEe9/4GLkYonngLUcDq21g6CHt3SsdQ4lCo/FY0Zb2WwiV0T +Ix6lKC1MUkRXzn/ncyr4YBTkYUc8f14Qs1LbSB0cdAnTo1FQTRtI6pLBmGzBYcJnT1e 8qVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MjSvq6hWT8/96s0xDFZsUEstTcT5YR2t+LBbq3YVkao=; b=oFZ8d2KxAhGb/pRUJSYqbWsLmwF0MrhE5NQi/+HhHeGNS3LeHLIAlgD/yuLQD8G9xl oznxeSnFMoEn/YKJOffviNzlEtQDGaRg5no7wkHNY9kOF/Q8Et2wNBTPzBupx556HIlF 6gU+GsQZV/RLi8dCwZcHKjw589zlsGz722nxr2sC7SpLkBzF4aSooky7VE4KUwsJo1Tg GBpdSFkzIfwJY3xoLx5YolGqJasmUDVHfN9P8dHN6p/MUSFyJdys2sprCiGukeXsvbnF o2SrrrvBoAoVswL7ZsMyOungeN1H9TeqcllMec8Ke3jhSEWej23W2ndIjjBkdz1B8hPJ ZBYQ== X-Gm-Message-State: AOAM530+7mnu66aLngDDiVCoZ0CYI78IgzkUS0BiwtEyGu8Ar2tHmcvK 7YSrS5G+HZIW/B2YVaPx9jgd4mEMhg89PmADGyOS2g== X-Received: by 2002:a05:6402:b0e:: with SMTP id bm14mr10478897edb.259.1602177259365; Thu, 08 Oct 2020 10:14:19 -0700 (PDT) MIME-Version: 1.0 References: <20201008165408.38228-1-toiwoton@gmail.com> In-Reply-To: <20201008165408.38228-1-toiwoton@gmail.com> From: Jann Horn Date: Thu, 8 Oct 2020 19:13:51 +0200 Message-ID: Subject: Re: [PATCH RESEND v2] mm: Optional full ASLR for mmap() and mremap() To: Topi Miettinen Cc: linux-hardening@vger.kernel.org, Andrew Morton , Linux-MM , kernel list Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 8, 2020 at 6:54 PM Topi Miettinen wrote: > Writing a new value of 3 to /proc/sys/kernel/randomize_va_space > enables full randomization of memory mappings created with mmap(NULL, > ...). With 2, the base of the VMA used for such mappings is random, > but the mappings are created in predictable places within the VMA and > in sequential order. With 3, new VMAs are created to fully randomize > the mappings. Also mremap(..., MREMAP_MAYMOVE) will move the mappings > even if not necessary. [...] > + if ((flags & MREMAP_MAYMOVE) && randomize_va_space >= 3) { > + /* > + * Caller is happy with a different address, so let's > + * move even if not necessary! > + */ > + new_addr = arch_mmap_rnd(); > + > + ret = mremap_to(addr, old_len, new_addr, new_len, > + &locked, flags, &uf, &uf_unmap_early, > + &uf_unmap); > + goto out; > + } You just pick a random number as the address, and try to place the mapping there? Won't this fail if e.g. the old address range overlaps with the new one, causing mremap_to() to bail out at "if (addr + old_len > new_addr && new_addr + new_len > addr)"? Also, on Linux, the main program stack is (currently) an expanding memory mapping that starts out being something like a couple hundred kilobytes in size. If you allocate memory too close to the main program stack, and someone then recurses deep enough to need more memory, the program will crash. It sounds like your patch will randomly make such programs crash. Also, what's your strategy in general with regards to collisions with existing mappings? Is your intention to just fall back to the classic algorithm in that case? You may want to consider whether it would be better to store information about free memory per subtree in the VMA tree, together with the maximum gap size that is already stored in each node, and then walk down the tree randomly, with the randomness weighted by free memory in the subtrees, but ignoring subtrees whose gaps are too small. And for expanding stacks, it might be a good idea for other reasons as well (locking consistency) to refactor them such that the size in the VMA tree corresponds to the maximum expansion of the stack (and if an allocation is about to fail, shrink such stack mappings).