Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp255176pxb; Fri, 5 Mar 2021 22:02:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJzA1Ymj/vML0EKBj5cAYE+hAQi0j1IqDvcaIseT7R0vZQra+FtPpqqLq8lxWYLTvVaXeml2 X-Received: by 2002:a17:907:2d89:: with SMTP id gt9mr5544629ejc.226.1615010569772; Fri, 05 Mar 2021 22:02:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615010569; cv=none; d=google.com; s=arc-20160816; b=RV3C1u63h92RPBcquj0YtbiDMzqyKhShCys0XZ8jFt4zQP6/SFolEgO3027Vae2fI9 MIh1tv3DG9Xm+57ZS1UMaRHjbSWq43NQfOPuESif0DTV5WMKpthhmxxU9uXVFV24LKY1 dlSFXhJdDJdmQkNNkIeD+pwwmL0hM3WwtKwSjf0Y4ftDiK8LgQnODcGkSpVPgOPlJpRi UvCDnwtqJCKlQMgnl0dfObHkzypzyZcrY78wQUjdzD1b/IF8gD3jZeU2nsjMrdLrbwUE LKOV5ROegJsOhvIoRYa1lzo6YeHzmepGb43iq0a7ZnJM4gsp6465Giyae5NVK4J1Wp+e PyNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=nwjJTyix+U1Kuczayf4pZyIBKt0xdJTJx53NO2UO06c=; b=S8aTLCeGU6zHISokW1zUqWAKAmcqYspw3ucV6CUsoq0E/po3se1IbUvEXvNSa56ft9 bTHUqM9xWtql35zFOybFGCoxolkiN44Qagp+bpcaVV8aozkhxzqSsh2C/hUZEmRfu2KC o+jMkSdPGxyM2f3qnoEwOVZQg5O/1OcY33/J2T6/iMUTO9v8HnmMXJ5SYin7KnucXcWf hm6E1IZeldqkTFXn3etwMPi3LR1bS/yE9C2KPh6v9K6YbXs9huuLHvF6BqBmQy56IdZ3 hkTAzh/HkR9Rz0LTZq0h8WscpiIxO8jIVF12gNEbUHIczb8cwB9JD4p61I4kw8LmONgV 8VCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="Wh379e/7"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t14si2720964ejr.191.2021.03.05.22.02.27; Fri, 05 Mar 2021 22:02:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="Wh379e/7"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229710AbhCFF5c (ORCPT + 99 others); Sat, 6 Mar 2021 00:57:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35436 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229628AbhCFF5X (ORCPT ); Sat, 6 Mar 2021 00:57:23 -0500 Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 128A3C06175F; Fri, 5 Mar 2021 21:57:23 -0800 (PST) Received: by mail-lf1-x133.google.com with SMTP id 18so8779218lff.6; Fri, 05 Mar 2021 21:57:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=nwjJTyix+U1Kuczayf4pZyIBKt0xdJTJx53NO2UO06c=; b=Wh379e/7Ed68GiFHDd0MHYS8RReUXNt8l6QoYwJZ4ulllg/NPnLGjwBzSyCqVvwlNi TI1FTi3cgGzI0otAhZE7g7bngUVmwdm79W81CycG3OSP9KSiP9PLIzFVQ+9FcaDMvfBH pYdIlCH00pbwmJzU4zuUjIq4qUAd3j+OBP6XL77dph2tZDIhrsQBA1aRlVDEpEpC3fAx q9prNhsNZFr7qDLAB5kBvhAlqpHwCXKkMfazieoD8hq9bvH4DVBh/I5yNNxNkTI2MKtU lHEH1AJz6ClSYLOUfgY+T+ztE9j3owXH0Hhuc8Tvj+5Rs2L0dmCF4phS4+zEu/hNRhGo 15Qw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=nwjJTyix+U1Kuczayf4pZyIBKt0xdJTJx53NO2UO06c=; b=tFw3d5TlPCCIKJIwevUw8tVaAnAv5PwYWTNRg2bz7vrmzk+kXixY5CGep5l7nN5vsf 0dNY9CxKrcwKytZzjoQ6FSkN7HPw17610dns7niwFEIkAaYGe5qi2F2nSLo1vgT8vLx0 Z31mdlVN+lNM8BiwvgqqyP8I4RinE5ook7Agg+M1ZClAq8ksAjbw9HXnzwCVSCwLtN2A LNrzyZ46TrnnGOKqhzLinqC1/j6iX9oKzXok7cHNXPYDt5prRb9EwKHu3nc7ZAyLP2WP xVgj/rSqsTjEuC5g/dtaUGZYAqukrS6R1XllcC/FwSU3sFoI8OPuP524bqGFtt79F/2H 5FUA== X-Gm-Message-State: AOAM530ndtPH3ckp75nhaBk8kA1cBXoZfLt97jwI5REj6ZzIYV5dVbO1 FUHZLHOBln6aJZ6YelZVGzE= X-Received: by 2002:a19:2402:: with SMTP id k2mr8327660lfk.138.1615010241497; Fri, 05 Mar 2021 21:57:21 -0800 (PST) Received: from [192.168.1.39] (88-114-223-25.elisa-laajakaista.fi. [88.114.223.25]) by smtp.gmail.com with ESMTPSA id o11sm555091lfu.157.2021.03.05.21.57.17 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 05 Mar 2021 21:57:20 -0800 (PST) Subject: Re: [PATCH v3] mm/vmalloc: randomize vmalloc() allocations To: Andrew Morton Cc: linux-hardening@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andy Lutomirski , Jann Horn , Kees Cook , Linux API , Matthew Wilcox , Mike Rapoport , Vlad Rezki , Cristiano Giuffrida References: <20210215202634.5121-1-toiwoton@gmail.com> <20210305171331.2424b166ed4d2d9da73ac335@linux-foundation.org> From: Topi Miettinen Message-ID: <124b32de-2422-615c-90fe-ca5a6d64d179@gmail.com> Date: Sat, 6 Mar 2021 07:57:15 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 In-Reply-To: <20210305171331.2424b166ed4d2d9da73ac335@linux-foundation.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 6.3.2021 3.13, Andrew Morton wrote: > On Mon, 15 Feb 2021 22:26:34 +0200 Topi Miettinen wrote: > >> Memory mappings inside kernel allocated with vmalloc() are in >> predictable order and packed tightly toward the low addresses, except >> for per-cpu areas which start from top of the vmalloc area. With >> new kernel boot parameter 'randomize_vmalloc=1', the entire area is >> used randomly to make the allocations less predictable and harder to >> guess for attackers. Also module and BPF code locations get randomized >> (within their dedicated and rather small area though) and if >> CONFIG_VMAP_STACK is enabled, also kernel thread stack locations. >> >> On 32 bit systems this may cause problems due to increased VM >> fragmentation if the address space gets crowded. >> >> On all systems, it will reduce performance and increase memory and >> cache usage due to less efficient use of page tables and inability to >> merge adjacent VMAs with compatible attributes. On x86_64 with 5 level >> page tables, in the worst case, additional page table entries of up to >> 4 pages are created for each mapping, so with small mappings there's >> considerable penalty. >> >> ... >> > > How useful is this expected to be? What sort of attack scenarios will > this help to defend against? Since there's a clear trade-off between best performance and additional address space randomization, this will not be useful for those who prefer performance. That's also why this is not the default but has to be enabled with a boot parameter. For those who are willing to pay the price for additional hardening, the purpose is to make attacks against KASLR (similar to TagBleed [1]) more difficult since the targeted memory locations may reside anywhere in the 32 TB vmalloc region and knowing one address does not reveal the others. [1] https://download.vusec.net/papers/tagbleed_eurosp20.pdf -Topi