Open Source and information security mailing list archives
Message-ID: <ddfe379a-915b-fca8-d191-e60e059e2dae@gmail.com> Date: Wed, 2 Dec 2020 23:28:52 +0200 From: Topi Miettinen <toiwoton@...il.com> To: Matthew Wilcox <willy@...radead.org> Cc: linux-hardening@...r.kernel.org, akpm@...ux-foundation.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org, Andy Lutomirski <luto@...nel.org>, Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>, Linux API <linux-api@...r.kernel.org>, Mike Rapoport <rppt@...nel.org> Subject: Re: [PATCH] mm/vmalloc: randomize vmalloc() allocations On 2.12.2020 20.53, Matthew Wilcox wrote: > On Tue, Dec 01, 2020 at 11:45:47PM +0200, Topi Miettinen wrote: >> + /* Randomize allocation */ >> + if (randomize_vmalloc) { >> + voffset = get_random_long() & (roundup_pow_of_two(vend - vstart) - 1); >> + voffset = PAGE_ALIGN(voffset); >> + if (voffset + size > vend - vstart) >> + voffset = vend - vstart - size; >> + } else >> + voffset = 0; >> + >> /* >> * If an allocation fails, the "vend" address is >> * returned. Therefore trigger the overflow path. >> */ >> - addr = __alloc_vmap_area(size, align, vstart, vend); >> + addr = __alloc_vmap_area(size, align, vstart + voffset, vend); >> spin_unlock(&free_vmap_area_lock); > > What if there isn't any free address space between vstart+voffset and > vend, but there is free address space between vstart and voffset? > Seems like we should add: > > addr = __alloc_vmap_area(size, align, vstart + voffset, vend); > + if (!addr) > + addr = __alloc_vmap_area(size, align, vstart, vend); > spin_unlock(&free_vmap_area_lock); > How about: addr = __alloc_vmap_area(size, align, vstart + voffset, vend); + if (!addr) + addr = __alloc_vmap_area(size, align, vstart, vstart + voffset + size); spin_unlock(&free_vmap_area_lock); That way the search would not be redone for the area that was already checked and rejected. Perhaps my previous patch for mmap() etc. 
randomization could also search towards higher addresses instead of trying random addresses five times in case of clashes. -Topi
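Review bot: In the original hunk, the clamp `if (voffset + size > vend - vstart) voffset = vend - vstart - size;` maps every overshooting draw to the single highest start offset. Because the mask is `roundup_pow_of_two(vend - vstart) - 1`, close to half of all draws can overshoot when the range is just above a power of two, which makes the top of the range far more likely than any other position. Redrawing, or reducing the random value to the number of usable page slots, would avoid the pile-up. Style: the `} else` branch should carry braces as well, since the `if` branch does.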
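Review bot: In the suggested fallback hunk, the test `if (!addr)` does not match the failure convention stated in the context comment of the original hunk ("If an allocation fails, the "vend" address is returned"), so the second search would not be attempted after a failed first one. Test for the failure value instead, for example `if (addr == vend)`.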
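Review bot: In the last hunk, the retry passes `vstart + voffset + size` as the upper bound. If failure is reported as the upper bound that was passed in, as the context comment says ("the "vend" address is returned"), a failed retry yields `vstart + voffset + size` rather than `vend`, and the overflow path that comment refers to would not be triggered. Normalise the result to `vend` when the retry fails. The `if (!addr)` condition has the same mismatch for the first call: by that comment, failure is `vend`, not 0.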