[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jKaW=H1WWuW_M4LpfcGGUWE3yvsiMnzMiAbeta__YpSJg@mail.gmail.com>
Date: Tue, 24 Nov 2015 16:47:37 -0800
From: Kees Cook <keescook@...omium.org>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Daniel Cashman <dcashman@...roid.com>,
LKML <linux-kernel@...r.kernel.org>,
Russell King - ARM Linux <linux@....linux.org.uk>,
Ingo Molnar <mingo@...nel.org>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
Jonathan Corbet <corbet@....net>,
Don Zickus <dzickus@...hat.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Heinrich Schuchardt <xypron.glpk@....de>, jpoimboe@...hat.com,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
n-horiguchi@...jp.nec.com, Andrea Arcangeli <aarcange@...hat.com>,
Mel Gorman <mgorman@...e.de>,
Thomas Gleixner <tglx@...utronix.de>,
David Rientjes <rientjes@...gle.com>,
Linux-MM <linux-mm@...ck.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
Mark Salyzyn <salyzyn@...roid.com>,
Jeffrey Vander Stoep <jeffv@...gle.com>,
Nick Kralevich <nnk@...gle.com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
"H. Peter Anvin" <hpa@...or.com>,
"x86@...nel.org" <x86@...nel.org>, Hector Marco <hecmargi@....es>,
Borislav Petkov <bp@...e.de>,
Daniel Cashman <dcashman@...gle.com>
Subject: Re: [PATCH v3 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.
On Tue, Nov 24, 2015 at 4:40 PM, Andrew Morton
<akpm@...ux-foundation.org> wrote:
> On Wed, 18 Nov 2015 15:20:05 -0800 Daniel Cashman <dcashman@...roid.com> wrote:
>
>> --- a/kernel/sysctl.c
>> +++ b/kernel/sysctl.c
>> @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
>> .mode = 0644,
>> .proc_handler = proc_doulongvec_minmax,
>> },
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> + {
>> + .procname = "mmap_rnd_bits",
>> + .data = &mmap_rnd_bits,
>> + .maxlen = sizeof(mmap_rnd_bits),
>> + .mode = 0644,
>
> Is there any harm in permitting the attacker to read these values?
>
> And is there any benefit in permitting non-attackers to read them?
I'm on the fence. Things like kernel/randomize_va_space is 644. But
since I don't see a benefit in exposing them, let's make them all 600
instead -- it's a new interface, better to keep it narrower now.
>
>> + .proc_handler = proc_dointvec_minmax,
>> + .extra1 = &mmap_rnd_bits_min,
>> + .extra2 = &mmap_rnd_bits_max,
>> + },
>> +#endif
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
>> + {
>> + .procname = "mmap_rnd_compat_bits",
>> + .data = &mmap_rnd_compat_bits,
>> + .maxlen = sizeof(mmap_rnd_compat_bits),
>> + .mode = 0644,
>> + .proc_handler = proc_dointvec_minmax,
>> + .extra1 = &mmap_rnd_compat_bits_min,
>> + .extra2 = &mmap_rnd_compat_bits_max,
>> + },
>> +#endif
>>
>> ...
>>
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> +int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
>> +int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
>> +int mmap_rnd_bits = CONFIG_ARCH_MMAP_RND_BITS;
>> +#endif
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
>> +int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
>> +int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
>> +int mmap_rnd_compat_bits = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
>
> These could be __read_mostly.
>
> If one believes in such things. One effect of __read_mostly is to
> clump the write-often stuff into the same cachelines and I've never
> been convinced that one outweighs the other...
The _min and _max values should be const, actually, since they're
build-time selected. The _bits could easily be __read_mostly, yeah.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists