From: Thomas Garnier
Subject: Re: x86: PIE support and option to extend KASLR randomization
Date: Mon, 2 Oct 2017 13:28:52 -0700
References: <20170817080920.5ljlkktngw2cisfg@gmail.com> <20170825080443.tvvr6wzs362cjcuu@gmail.com> <20170921155919.skpyt7dutod5ul4t@gmail.com> <20170922163225.bfrd5myl6d7deiim@gmail.com> <20170923094312.td3mrfos6konic6g@gmail.com>
In-Reply-To: <20170923094312.td3mrfos6konic6g@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
To: Ingo Molnar
Cc: Herbert Xu, "David S . Miller", Thomas Gleixner, Ingo Molnar, "H . Peter Anvin", Peter Zijlstra, Josh Poimboeuf, Arnd Bergmann, Matthias Kaehlcke, Boris Ostrovsky, Juergen Gross, Paolo Bonzini, Radim Krčmář, Joerg Roedel, Tom Lendacky, Andy Lutomirski, Borislav Petkov, Brian Gerst, "Kirill A . Shutemov", "Rafael J . Wysocki", Len Brown, Pavel Machek, Tejun Heo, Christoph La
List-Id: linux-crypto.vger.kernel.org

On Sat, Sep 23, 2017 at 2:43 AM, Ingo Molnar wrote:
>
> * Thomas Garnier wrote:
>
>> > 2) we first implement the additional entropy bits that Linus suggested.
>> >
>> > does this work for you?
>>
>> Sure, I can look at how feasible that is. If it is, can I send
>> everything as part of the same patch set? The additional entropy would
>> be enabled for all KASLR but PIE will be off-by-default of course.
>
> Sure, can all be part of the same series.

I looked deeper into the change Linus proposed (moving the .text section
based on the cacheline). I think the complexity is too high for the value
of this change.

To move only the .text section would require at least the following changes:

 - Overall change in how relocations are processed; need to separate
   relocations inside and outside of the .text section.
 - Break assumptions on _text alignment while keeping calculations on
   size accurate (for example _end - _text).

With a rough attempt at this, I managed to pass early boot and still
crash later on.

This change would be valuable if you leak the address of a section other
than .text and you want to know where .text is. Meaning the main bug that
you are trying to exploit only allows you to execute code (and you are
trying to ROP in .text). I would argue that a better mitigation for this
type of bug is moving function pointers to read-only sections and using
stack cookies (for return addresses). This change won't prevent other
types of attacks, like data corruption.

I think it would be more valuable to look at something like selfrando /
pagerando [1] but maybe wait a bit for it to be more mature (especially
on the debugging side).

What do you think?

[1] http://lists.llvm.org/pipermail/llvm-dev/2017-June/113794.html

>
> Thanks,
>
> Ingo

-- 
Thomas
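The two points made above (relocations would have to be classified as inside or outside .text, and a leaked non-.text address only yields _text when the whole image moves as one) can be modelled in a few dozen lines. The following is an added example, not code from this thread or from the kernel's boot relocation code: the link-time layout (LINK_TEXT, LINK_DATA, LINK_END), the slide values, the relocation records and the struct names are all constructed for illustration, and the real loader reads relocations from the image rather than from an explicit list.

```c
/*
 * Added example, not kernel code: a model of x86 KASLR relocation
 * processing when .text slides by a different amount from the rest of
 * the image. The link-time layout, the slides and the relocation
 * records are all constructed; the real loader reads them from the
 * image and its relocation table.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed link-time layout of the image (not the real vmlinux.lds). */
#define LINK_TEXT 0xffffffff81000000ULL /* _text                  */
#define LINK_DATA 0xffffffff81800000ULL /* first byte after .text */
#define LINK_END  0xffffffff82000000ULL /* _end                   */

/* Per-section slides. Classic KASLR has text == other. */
struct section_slides {
    uint64_t text;  /* applied to addresses in [LINK_TEXT, LINK_DATA) */
    uint64_t other; /* applied to every other address                 */
};

/* One 64-bit absolute relocation: the link-time address of the slot and
 * the link-time value stored in it. */
struct reloc {
    uint64_t where;
    uint64_t value;
};

static int in_text(uint64_t addr)
{
    return addr >= LINK_TEXT && addr < LINK_DATA;
}

static uint64_t slide_for(uint64_t addr, const struct section_slides *s)
{
    return in_text(addr) ? s->text : s->other;
}

/*
 * With one slide every slot and every target moves by the same delta,
 * so the loader never has to look at what a slot points to. With a
 * separate .text slide the slot moves with the section that contains
 * it and the stored value moves with the section it points into, so
 * each record needs two classifications.
 */
static void apply_relocs(struct reloc *r, size_t n, const struct section_slides *s)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t value_slide = slide_for(r[i].value, s);
        uint64_t where_slide = slide_for(r[i].where, s);
        r[i].value += value_slide;
        r[i].where += where_slide;
    }
}

/*
 * An attacker who leaks the runtime address of a non-.text symbol and
 * assumes a single slide derives _text like this. Correct when
 * text == other; off by (other - text) when .text slides on its own.
 */
static uint64_t text_base_from_data_leak(uint64_t link_addr, uint64_t runtime_addr)
{
    return LINK_TEXT + (runtime_addr - link_addr);
}

/* Image size computed as _end - _text, the way boot code tends to. */
static uint64_t runtime_end_minus_text(const struct section_slides *s)
{
    return (LINK_END + s->other) - (LINK_TEXT + s->text);
}

int main(void)
{
    /* Constructed slides: 2 MiB for the classic case; in the split case
     * .text lands 1 MiB plus one 64-byte cacheline from its link address. */
    struct section_slides same  = { 0x200000, 0x200000 };
    struct section_slides split = { 0x100040, 0x200000 };

    /* A function pointer in .data that points into .text, and a data
     * pointer in .text that points into .data. Both constructed. */
    struct reloc relocs[2] = {
        { LINK_DATA + 0x100, LINK_TEXT + 0x1234 },
        { LINK_TEXT + 0x50,  LINK_DATA + 0x20   },
    };
    apply_relocs(relocs, 2, &split);
    printf("fn ptr slot %#llx now holds %#llx\n",
           (unsigned long long)relocs[0].where, (unsigned long long)relocs[0].value);

    uint64_t leak = LINK_DATA + 0x100 + split.other;
    printf("guessed _text %#llx, actual %#llx\n",
           (unsigned long long)text_base_from_data_leak(LINK_DATA + 0x100, leak),
           (unsigned long long)(LINK_TEXT + split.text));
    printf("_end - _text: same=%#llx split=%#llx (link-time %#llx)\n",
           (unsigned long long)runtime_end_minus_text(&same),
           (unsigned long long)runtime_end_minus_text(&split),
           (unsigned long long)(LINK_END - LINK_TEXT));
    return 0;
}
```

The split case shows both costs at once: apply_relocs has to classify the slot and the target separately, and runtime_end_minus_text no longer equals the link-time image size, which is the "_end - _text" assumption mentioned above. The same split is what makes a .data leak stop revealing .text, which is the only attacker scenario it helps against.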