lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 10 Dec 2020 21:58:33 +0200
From:   Topi Miettinen <>
To:     Mike Rapoport <>
        Andy Lutomirski <>,
        Jann Horn <>,
        Kees Cook <>,
        Linux API <>,
        Matthew Wilcox <>
Subject: Re: [PATCH] mm/vmalloc: randomize vmalloc() allocations

On 3.12.2020 8.58, Mike Rapoport wrote:
> On Wed, Dec 02, 2020 at 08:49:06PM +0200, Topi Miettinen wrote:
>> On 1.12.2020 23.45, Topi Miettinen wrote:
>>> Memory mappings inside kernel allocated with vmalloc() are in
>>> predictable order and packed tightly toward the low addresses. With
>>> new kernel boot parameter 'randomize_vmalloc=1', the entire area is
>>> used randomly to make the allocations less predictable and harder to
>>> guess for attackers.
>> This also seems to randomize module addresses. I was going to check that
>> next, so nice surprise!
> Heh, that's because module_alloc() uses vmalloc() in that way or another :)

I got a bit further with really using vmalloc with 
[VMALLOC_START..VMALLOC_END] for modules, but then inserting a module 
fails because of the relocations:
[    9.202856] module: overflow in relocation type 11 val ffffe1950e27f080

Type 11 is R_X86_64_32S expecting a 32 bits signed offset, so the loader 
obviously can't fit the relocation from the highest 2GB to somewhere 32 
TB lower.

The problem seems to be that the modules aren't really built as 
position-independent shared objects with -fPIE/-fPIC, but instead 
there's explicit -fno-PIE. I guess the modules also shouldn't use 
-mcmodel=kernel. Though tweaking the flags shows that some combinations 
aren't well supported (like ’-mindirect-branch=thunk-extern’ and 
‘-mcmodel=large’ are not compatible) and the handwritten assembly code 
also assumes 32 bit offsets.

A different approach could be to make the entire kernel relocatable to 
lower addresses and then the modules could stay close nearby. I guess 
the asm files aren't written with position independence in mind either.

But it seems that I'm finding and breaking lots of assumptions built in 
to the system. What's the experts' opinion, is full module/kernel 
randomization ever going to fly?


Powered by blists - more mailing lists