Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp649223pxu;
        Thu, 3 Dec 2020 09:15:25 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzBUaT99GPRVh3loT0FI7NabWWMpJ/jXe0dmNDu/KUVwVhka8F65ZfPVcccoNe/s/ezo2Eo
X-Received: by 2002:a17:906:e212:: with SMTP id gf18mr3450963ejb.551.1607015725648;
        Thu, 03 Dec 2020 09:15:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1607015725; cv=none;
        d=google.com; s=arc-20160816;
        b=mYFcan/0PslEVvjpyFjQj9v8fwBbjYJtym3gwiiDicMWfk97VsQS3252M+2qonB/98
         gCpEaHdTitWtuS/WgY/hH4X6sZ/sK3dTVbtLZvCfh/iId15Dj71jQ2B1ArFvV3HxKatK
         l/x3kW3BTxNrOAevPIBFb+YenPes69EQZvrFOuGlfx5kvlu5UfzQFui8L0VwfHrIvWVP
         4KhRwFlkI8Km9fX8JNuayrm+PBkf6QUFZYXu+ePlOY3x1BtJAf6IsTLHT7HZUqhbKbLi
         EoGLrTf7wR6X+Ik7zAZINo+f8ACtltYNxTIQhnoct5fghoz1nq7WywX5RhppLcl3QNkx
         Ugag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:in-reply-to:cc:references:message-id:date
         :subject:mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4wqJAr+3mpm/N6KJzqVQL+ect217rAtwLlAfBe3bNfU=;
        b=xnTXgmtsh72Nv8FHfiYy60hnt6Kw/aPTbI5FkcLUfF42kNOy7rC1QVEBn7dQRTlUmm
         hVTU7bvwGVTJRw7Nu8b8Cy7AoUykYqirchCpO59gXaxzINPSe096ayCRiPQlaJgL1xQ8
         0XKv+l96JUucC8GahbXAslJkT5tXnpJYINMGHvSDKcdXQf1TBKznx255Y/K83JIudeTd
         iwxankDTcZYx03J6yWMoOsuqmM1gFpS6ZwMky27bElSc8mlS7S9vIe7+maCvaOnwdu1g
         KGCGlfBcGZvyFRsgGqeZVM7RgCxTG7i7G4CGjRIh2Mqm/RS6mHjG3ukTUY7WVKWtly3b
         lOLw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=RUpr5VZU;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id k1si1213608edf.460.2020.12.03.09.15.01;
        Thu, 03 Dec 2020 09:15:25 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=RUpr5VZU;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727072AbgLCRLQ (ORCPT <rfc822;proy.cse@gmail.com> + 99 others);
        Thu, 3 Dec 2020 12:11:16 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37004 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726339AbgLCRLP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Dec 2020 12:11:15 -0500
Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0BD42C061A4F
        for <linux-kernel@vger.kernel.org>; Thu,  3 Dec 2020 09:10:35 -0800 (PST)
Received: by mail-pl1-x642.google.com with SMTP id j1so1501605pld.3
        for <linux-kernel@vger.kernel.org>; Thu, 03 Dec 2020 09:10:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=content-transfer-encoding:from:mime-version:subject:date:message-id
         :references:cc:in-reply-to:to;
        bh=4wqJAr+3mpm/N6KJzqVQL+ect217rAtwLlAfBe3bNfU=;
        b=RUpr5VZUHli+Ntwv2HIrEYZtLYBEEv6FNALrE6RP7YH8Rp64IWqY/Vt5nTVO9/Iym8
         6UXCb8g35dfhhQFS8+DQ2eKMD8FGry9BPw9O3lYqILTj64tncHFMp5EcV8SaG6aFz49l
         byMvlQXxbusISO7b71ScAE29NClhYK7CA122Q4v/QVVsMt4NR12xG8+4gZ/emDJmzaix
         kFj4kUN38sJx0N5x4piMmqy3Yonk+pjZRyfppCtCkyz/ikxSHPNQYrE+RYDgsVSvQlaz
         DtCKsv6LIBK9eiWignxuAGpCEiTdoaRqh3MejdDxZ4Z536dfz3uJIM/ldSdwQsO2RNcd
         VaWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version
         :subject:date:message-id:references:cc:in-reply-to:to;
        bh=4wqJAr+3mpm/N6KJzqVQL+ect217rAtwLlAfBe3bNfU=;
        b=nvb+w5j77v9eRFnwIa9WlHc6LnQkk6au4NFlnFJCjsikP2OrHfr+/bgZRUKZV95w7z
         Jn9IeoZ8KyWC8J4Wa99h0mm9sZrOIklMXebOJmfPSLApbV9NpMex6iUJsSLUMdXkrowU
         OQcfEuFAF17TH2OXhQYOd8EiPPnBbTiO8ga9TqeeuXpYcuOPYwybf1LNBo1Tf1/GhR32
         FuemlxWhhVBlX3aHaYvM0+sDBVmDAYVCKYOG/DDS1sNLoMtETHY1VBwC5/AnUslBgrLN
         3aHCoAR05sGhLJci3RfgiJvgQkkMVUErVhGVZ7AwgnYn7Rz0HEm7SwR2xZuWOsxKbQzz
         dtPQ==
X-Gm-Message-State: AOAM531kl+TxuBaUf66op9F1hyqjq8tGZnTgLq7yxiQlGcnuM/FBy2A7
        Ht/s7OJ+K9lKS73+APij0Ecs6OtdIEsI6A==
X-Received: by 2002:a17:90b:117:: with SMTP id p23mr71511pjz.111.1607015434516;
        Thu, 03 Dec 2020 09:10:34 -0800 (PST)
Received: from ?IPv6:2600:1010:b02c:6432:59d6:b4ed:32aa:4315? ([2600:1010:b02c:6432:59d6:b4ed:32aa:4315])
        by smtp.gmail.com with ESMTPSA id n127sm2369930pfd.143.2020.12.03.09.10.33
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 03 Dec 2020 09:10:33 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From:   Andy Lutomirski <luto@amacapital.net>
Mime-Version: 1.0 (1.0)
Subject: Re: [PATCH v5] mm: Optional full ASLR for mmap(), mremap(), vdso and stack
Date:   Thu, 3 Dec 2020 09:10:32 -0800
Message-Id: <05D72EA3-4862-4D80-82F5-9369834C3461@amacapital.net>
References: <e8c458fe-073b-2c4d-4d80-3637041c1485@gmail.com>
Cc:     Florian Weimer <fweimer@redhat.com>,
        linux-hardening@vger.kernel.org, akpm@linux-foundation.org,
        linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        Jann Horn <jannh@google.com>,
        Kees Cook <keescook@chromium.org>,
        Matthew Wilcox <willy@infradead.org>,
        Mike Rapoport <rppt@kernel.org>,
        Linux API <linux-api@vger.kernel.org>
In-Reply-To: <e8c458fe-073b-2c4d-4d80-3637041c1485@gmail.com>
To:     Topi Miettinen <toiwoton@gmail.com>
X-Mailer: iPhone Mail (18B121)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> On Dec 3, 2020, at 4:06 AM, Topi Miettinen <toiwoton@gmail.com> wrote:
>=20
> =EF=BB=BFOn 3.12.2020 11.47, Florian Weimer wrote:
>> * Topi Miettinen:
>>> +3   Additionally enable full randomization of memory mappings created
>>> +    with mmap(NULL, ...). With 2, the base of the VMA used for such
>>> +    mappings is random, but the mappings are created in predictable
>>> +    places within the VMA and in sequential order. With 3, new VMAs
>>> +    are created to fully randomize the mappings.
>>> +
>>> +    Also mremap(..., MREMAP_MAYMOVE) will move the mappings even if
>>> +    not necessary and the location of stack and vdso are also
>>> +    randomized.
>>> +
>>> +    On 32 bit systems this may cause problems due to increased VM
>>> +    fragmentation if the address space gets crowded.
>> Isn't this a bit of an understatement?  I think you'll have to restrict
>> this randomization to a subregion of the entire address space, otherwise
>> the reduction in maximum mapping size due to fragmentation will be a
>> problem on 64-bit architectures as well (which generally do not support
>> the full 64 bits for user-space addresses).
>=20
> Restricting randomization would reduce the address space layout randomizat=
ion and make this less useful. There's 48 or 56 bits, which translate to 128=
TB and 64PB of VM for user applications. Is it really possible to build toda=
y (or in near future) a system, which would contain so much RAM that such fr=
agmentation could realistically happen? Perhaps also in a special case where=
 lots of 1GB huge pages are necessary? Maybe in those cases you shouldn't us=
e randomize_va_space=3D3. Or perhaps there could be randomize_va_space=3D3 w=
hich does something, and randomize_va_space=3D4 for those who want maximum r=
andomization.

If you want a 4GB allocation to succeed, you can only divide the address spa=
ce into 32k fragments.  Or, a little more precisely, if you want a randomly s=
elected 4GB region to be empty, any other allocation has a 1/32k chance of b=
eing in the way.  (Rough numbers =E2=80=94 I=E2=80=99m ignoring effects of t=
he beginning and end of the address space, and I=E2=80=99m ignoring the size=
 of a potential conflicting allocation.). This sounds good, except that a pr=
ogram could easily make a whole bunch of tiny allocations that get merged in=
 current kernels but wouldn=E2=80=99t with your scheme.

So maybe this is okay, but it=E2=80=99s not likely to be a good default.

>=20
>>> +    On all systems, it will reduce performance and increase memory
>>> +    usage due to less efficient use of page tables and inability to
>>> +    merge adjacent VMAs with compatible attributes. In the worst case,
>>> +    additional page table entries of up to 4 pages are created for
>>> +    each mapping, so with small mappings there's considerable penalty.
>> The number 4 is architecture-specific, right?
>=20
> Yes, I only know x86_64. Actually it could have 5 level page tables. I'll f=
ix this in next version.
>=20
> -Topi