lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ee152267-744d-b619-4400-35e3ddbac16a@gmail.com>
Date:   Wed, 13 Jan 2021 13:24:04 +0200
From:   Topi Miettinen <toiwoton@...il.com>
To:     linux-hardening@...r.kernel.org, akpm@...ux-foundation.org,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org
Cc:     Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>,
        Matthew Wilcox <willy@...radead.org>,
        Mike Rapoport <rppt@...nel.org>,
        Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH v9] mm: Optional full ASLR for mmap(), mremap(), vdso,
 stack and heap

On 4.1.2021 17.53, Topi Miettinen wrote:
> Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
> enables full randomization of memory mappings. With 2, the base of the
> VMA used for such mappings is random, but the mappings are created in
> predictable places within the VMA and in sequential order. With 3, new
> VMAs are created to fully randomize the mappings.
> 
> Mappings created with mmap(NULL, ...) are randomized and mremap(...,
> MREMAP_MAYMOVE) will move the mappings even if not necessary. The
> locations of heap (memory allocated with brk()), stack and vdso are
> also randomized.

It seems that always moving the mappings in mremap() can expose bugs 
where the callers don't actually expect the mappings to move, even 
though MREMAP_MAYMOVE is specified (Debian libapt-pkg6.0):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980037

Perhaps this part should be a separate option to avoid tripping such 
bugs when compatibility is more important than improved ASLR and 
debugging. The option could be also used without randomize_va_space==3. 
How about something like sysctl.kernel.mremap_always_move, 
sysctl.vm.mremap_always_move or CONFIG_MREMAP_ALWAYS_MOVE?

-Topi

Powered by blists - more mailing lists