Open Source and information security mailing list archives
Message-ID: <87ede9pula.fsf@oldenburg.str.redhat.com>
Date: Mon, 22 Jan 2024 10:48:17 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Matthew Wilcox <willy@...radead.org>
Cc: mail@...otw.com,  linux-hardening@...r.kernel.org,  Jakub Wilk
 <jwilk@...lk.net>,  Salvatore Bonaccorso <carnil@...ian.org>,  Linux
 Memory Management List <linux-mm@...ck.org>,  William Kucharski
 <william.kucharski@...cle.com>
Subject: Re: Limited/Broken functionality of ASLR for Libs >= 2MB

* Matthew Wilcox:

> I received a suggestion off-list that we only do the PMD alignment on
> 64-bit, which seems quite reasonable to me.  After all, I don't care
> about performance on 32-bit just as much as I don't care about security
> on 32-bit.

Perhaps we can repurpose MAP_DENYWRITE to disable this?

For shared objects as loaded by a dynamic linker, the alignment is
pointless in many cases even if the original mapping is quite a bit
larger than 2 MiB because the individual LOAD segments and their
protection settings are smaller than 2 MiB, so hugepages cannot be used
in the end after all.  The dynamic linker knows the LOAD segments, so it
can drop MAP_DENYWRITE if it determines that hugepages could be
beneficial.  (Current glibc sets MAP_DENYWRITE for historic reasons.)
On the other hand, I wouldn't object to more explicit control over mmap
pointer alignment, either, for anonymous mappings as well.

There are some binutils versions that produce 2 MiB aligned file layout
on x86-64, but that change was reverted, presumably because kernel
hugepage support for non-anonymous memory wasn't available.  But there
are likely some iffy details that make these binaries unusable for
hugepages in practice, like lack of hugepage alignment at the end of
LOAD segments.  Unfortunately, BFD ld tends to produce approximate
PT_LOAD and PT_GNU_RELRO and relies on the dynamic loader to round
things up and down in somewhat questionable ways.

Thanks,
Florian
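The check Florian describes above, the dynamic linker looking at the individual PT_LOAD segments to decide whether a 2 MiB (PMD) aligned mapping could actually be backed by hugepages, written out as an added example. This is illustrative code, not glibc's or the kernel's, and it does not touch MAP_DENYWRITE; it only computes the decision input. The program-header tables are constructed samples, the struct mirrors the Elf64_Phdr fields the check needs so that elf.h is not required, and the function and constant names are my own. The second helper quantifies the ASLR cost of the alignment: forcing a 4 KiB-page mapping base onto a 2 MiB boundary removes log2(2 MiB / 4 KiB) = 9 bits of randomization.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HPAGE_SIZE   (2UL * 1024 * 1024)   /* x86-64 PMD size */
#define BASE_PAGE    4096UL                /* normal page granularity */

/* Minimal mirror of the Elf64_Phdr layout (same field order and widths). */
typedef struct {
    uint32_t p_type;
    uint32_t p_flags;
    uint64_t p_offset;
    uint64_t p_vaddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
    uint64_t p_align;
} phdr;

enum { PH_PT_LOAD = 1 };                   /* ELF PT_LOAD */
enum { PF_X = 1, PF_W = 2, PF_R = 4 };     /* ELF segment flags */

static uint64_t round_up(uint64_t x, uint64_t a)   { return (x + a - 1) & ~(a - 1); }
static uint64_t round_down(uint64_t x, uint64_t a) { return x & ~(a - 1); }

/* Whole 2 MiB pages that could back one LOAD segment once the mapping base is
   PMD-aligned. Each segment is mapped with its own protection, so a hugepage can
   only cover bytes that lie entirely inside one segment: round the segment's
   [vaddr, vaddr+memsz) inward to hugepage boundaries. Zero means alignment of the
   base buys nothing for this segment, including when only the tail is unaligned. */
uint64_t segment_hugepages(const phdr *ph)
{
    if (ph->p_type != PH_PT_LOAD || ph->p_memsz == 0)
        return 0;
    uint64_t start = round_up(ph->p_vaddr, HPAGE_SIZE);
    uint64_t end   = round_down(ph->p_vaddr + ph->p_memsz, HPAGE_SIZE);
    return end > start ? (end - start) / HPAGE_SIZE : 0;
}

/* The loader-side decision: is there any LOAD segment for which a PMD-aligned
   base could yield at least one hugepage? If not, asking for alignment only
   costs ASLR entropy. */
int hugepage_alignment_beneficial(const phdr *phs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (segment_hugepages(&phs[i]) > 0)
            return 1;
    return 0;
}

/* Bits of mapping-base randomization lost by aligning to `align` instead of
   to BASE_PAGE (align is assumed to be a power of two >= BASE_PAGE). */
int aslr_bits_lost(uint64_t align)
{
    int bits = 0;
    for (uint64_t a = BASE_PAGE; a < align; a <<= 1)
        bits++;
    return bits;
}

/* Constructed sample: a ~2.5 MiB shared object laid out the way BFD ld usually
   does it, four LOAD segments with different protections, none >= 2 MiB. */
static const phdr sample_typical_layout[] = {
    { PH_PT_LOAD, PF_R,        0x000000, 0x000000, 0x027000, 0x027000, 0x1000 },
    { PH_PT_LOAD, PF_R | PF_X, 0x027000, 0x027000, 0x17c000, 0x17c000, 0x1000 },
    { PH_PT_LOAD, PF_R,        0x1a3000, 0x1a3000, 0x05b000, 0x05b000, 0x1000 },
    { PH_PT_LOAD, PF_R | PF_W, 0x1fe000, 0x1fe000, 0x004000, 0x090000, 0x1000 },
};

/* Constructed sample: a layout with a 4 MiB text segment starting on a 2 MiB
   boundary, i.e. what a hugepage-aware linker would have to emit. */
static const phdr sample_hugepage_layout[] = {
    { PH_PT_LOAD, PF_R | PF_X, 0x200000, 0x200000, 0x400000, 0x400000, HPAGE_SIZE },
    { PH_PT_LOAD, PF_R | PF_W, 0x600000, 0x600000, 0x010000, 0x010000, HPAGE_SIZE },
};

int main(void)
{
    printf("typical layout: alignment beneficial = %d\n",
           hugepage_alignment_beneficial(sample_typical_layout, 4));
    printf("hugepage layout: alignment beneficial = %d (text segment: %llu hugepages)\n",
           hugepage_alignment_beneficial(sample_hugepage_layout, 2),
           (unsigned long long)segment_hugepages(&sample_hugepage_layout[0]));
    printf("ASLR bits lost by 2 MiB alignment: %d\n", aslr_bits_lost(HPAGE_SIZE));
    return 0;
}
```

For the typical layout the result is 0: the object as a whole is larger than 2 MiB, but the largest segment (the 1.5 MiB R+X one) never spans a full hugepage-aligned window, which is exactly why aligning such a mapping is all cost and no benefit. The hugepage-friendly layout yields two hugepages for the text segment and would justify the alignment.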

