| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jan 2021 13:24:04 +0200
From: Topi Miettinen <toiwoton@...il.com>
To: linux-hardening@...r.kernel.org, akpm@...ux-foundation.org,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Cc: Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>,
Matthew Wilcox <willy@...radead.org>,
Mike Rapoport <rppt@...nel.org>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH v9] mm: Optional full ASLR for mmap(), mremap(), vdso,
stack and heap
On 4.1.2021 17.53, Topi Miettinen wrote:
> Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
> enables full randomization of memory mappings. With 2, the base of the
> VMA used for such mappings is random, but the mappings are created in
> predictable places within the VMA and in sequential order. With 3, new
> VMAs are created to fully randomize the mappings.
>
> Mappings created with mmap(NULL, ...) are randomized and mremap(...,
> MREMAP_MAYMOVE) will move the mappings even if not necessary. The
> locations of heap (memory allocated with brk()), stack and vdso are
> also randomized.
It seems that always moving the mappings in mremap() can expose bugs
where the callers don't actually expect the mappings to move, even
though MREMAP_MAYMOVE is specified (Debian libapt-pkg6.0):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980037
Perhaps this part should be a separate option to avoid tripping such
bugs when compatibility is more important than improved ASLR and
debugging. The option could be also used without randomize_va_space==3.
How about something like sysctl.kernel.mremap_always_move,
sysctl.vm.mremap_always_move or CONFIG_MREMAP_ALWAYS_MOVE?
-Topi
Powered by blists - more mailing lists