| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Apr 2014 11:13:46 -0700 From: Kees Cook <keescook@...gle.com> To: Andy Lutomirski <luto@...capital.net> Cc: Nathan Lynch <Nathan_Lynch@...tor.com>, "H. Peter Anvin" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: randomized placement of x86_64 vdso On Wed, Apr 30, 2014 at 10:52 AM, Andy Lutomirski <luto@...capital.net> wrote: > On Wed, Apr 30, 2014 at 10:47 AM, Kees Cook <keescook@...gle.com> wrote: >> On Wed, Apr 23, 2014 at 10:06 AM, Nathan Lynch <Nathan_Lynch@...tor.com> wrote: >>> On 04/23/2014 11:30 AM, H. Peter Anvin wrote: >>>> On 04/21/2014 09:52 AM, Nathan Lynch wrote: >>>>> Hi x86/vdso people, >>>>> >>>>> I've been working on adding a vDSO to 32-bit ARM, and Kees suggested I >>>>> look at x86_64's algorithm for placing the vDSO at a randomized offset >>>>> above the stack VMA. I found that when the stack top occupies the >>>>> last slot in the PTE (is that the right term?), the vdso_addr routine >>>>> returns an address below mm->start_stack, equivalent to >>>>> (mm->start_stack & PAGE_MASK). For instance if mm->start_stack is >>>>> 0x7fff3ffffc96, vdso_addr returns 0x7fff3ffff000. >>>>> >>>>> Since the address returned is always already occupied by the stack, >>>>> get_unmapped_area detects the collision and falls back to >>>>> vm_unmapped_area. This results in the vdso being placed in the >>>>> address space next to libraries etc. While this is generally >>>>> unnoticeable and doesn't break anything, it does mean that the vdso is >>>>> placed below the stack when there is actually room above the stack. >>>>> To me it also seems uncomfortably close to placing the vdso in the way >>>>> of downward expansion of the stack. >>>>> >>>>> I don't have a patch because I'm not sure what the algorithm should >>>>> be, but thought I would bring it up as vdso_addr doesn't seem to be >>>>> behaving as intended in all cases. >>>>> >>>> >>>> If the stack occupies the last possible page, how can you say there is >>>> "space above the stack"? >>> >>> Sorry for being unclear. I probably am getting terminology wrong. What >>> I'm trying to express is that if the stack top is in the last page of >>> its last-level page table (which may be the last possible page, but >>> that's not really the interesting case), vdso_addr returns an address >>> below mm->start_stack. >> >> It seems like this is avoidable, then? From your example, it seems >> like we lose the separated randomization in this case, but we don't >> need to? Do you have a suggestion for what could be done to fix this? > > I don't understand why the vDSO should be special here. Either the > standard logic for randomizing the placement of DSOs is good, in which > case it should be good for the vDSO too, or I think we should fix it > for everything. The issue is specific to the vdso randomizing-near-the-stack code; regular mmap randomization is operating correctly. The reason for randomizing stack, vdso, and mmap separately is to avoid correlation of leaked offsets in one to the other regions. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists