| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160617084751.GB4791@gmail.com>
Date: Fri, 17 Jun 2016 10:47:51 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Kees Cook <keescook@...omium.org>
Cc: Yinghai Lu <yinghai@...nel.org>, Borislav Petkov <bp@...e.de>,
Baoquan He <bhe@...hat.com>, "H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"x86@...nel.org" <x86@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
"H.J. Lu" <hjl.tools@...il.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v9 5/5] x86/KASLR: Allow randomization below load address
* Kees Cook <keescook@...omium.org> wrote:
> From: Yinghai Lu <yinghai@...nel.org>
>
> Currently the physical randomization's lower boundary is the original
> kernel load address. For bootloaders that load kernels into very high
> memory (e.g. kexec), this means randomization takes place in a very small
> window at the top of memory, ignoring the large region of physical memory
> below the load address.
>
> Since mem_avoid is already correctly tracking the regions that must be
> avoided, this patch changes the minimum address to whatever is less:
> 512M (to conservatively avoid unknown things in lower memory) or the
> load address. Now, for example, if the kernel is loaded at 8G, [512M,
> 8G) will be added into possible physical memory positions.
>
> Signed-off-by: Yinghai Lu <yinghai@...nel.org>
> [kees: rewrote changelog, refactor to use min()]
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> arch/x86/boot/compressed/kaslr.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index d0a823df183b..304c5c369aff 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -492,7 +492,7 @@ void choose_random_location(unsigned long input,
> unsigned long output_size,
> unsigned long *virt_addr)
> {
> - unsigned long random_addr;
> + unsigned long random_addr, min_addr;
>
> /* By default, keep output position unchanged. */
> *virt_addr = *output;
> @@ -517,8 +517,11 @@ void choose_random_location(unsigned long input,
> /* Record the various known unsafe memory ranges. */
> mem_avoid_init(input, input_size, *output);
>
> + /* Low end should be the smaller of 512M or initial location. */
> + min_addr = min(*output, 512UL << 20);
> +
> /* Walk e820 and find a random address. */
> - random_addr = find_random_phys_addr(*output, output_size);
> + random_addr = find_random_phys_addr(min_addr, output_size);
> if (!random_addr) {
> warn("KASLR disabled: could not find suitable E820 region!");
> } else {
There's no explanation in the code or in the changelog of why 512M was picked as
the lower limit.
Thanks,
Ingo
Powered by blists - more mailing lists