lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXu5jJKtdgRzdiDhA7XBcsaLQhmFgyQahk1F-zscFQY3pNBUQ@mail.gmail.com>
Date:   Mon, 26 Jun 2017 11:26:59 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Michael Ellerman <mpe@...erman.id.au>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Russell King <linux@...linux.org.uk>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will.deacon@....com>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Paul Mackerras <paulus@...ba.org>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        James Hogan <james.hogan@...tec.com>,
        Pratyush Anand <panand@...hat.com>,
        Ingo Molnar <mingo@...nel.org>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
        "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-arch <linux-arch@...r.kernel.org>,
        "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 3/4] powerpc: Reduce ELF_ET_DYN_BASE

On Mon, Jun 26, 2017 at 6:04 AM, Michael Ellerman <mpe@...erman.id.au> wrote:
> Kees Cook <keescook@...omium.org> writes:
>
>> On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman <mpe@...erman.id.au> wrote:
>>> Kees Cook <keescook@...omium.org> writes:
>>>
>>>> Now that explicitly executed loaders are loaded in the mmap region,
>>>> position PIE binaries lower in the address space to avoid possible
>>>> collisions with mmap or stack regions. For 64-bit, align to 4GB to
>>>> allow runtimes to use the entire 32-bit address space for 32-bit
>>>> pointers.
>>>
>>> The change log and subject are a bit out of whack with the actual patch
>>> because previously we used 512MB.
>>>
>>> How about?
>>>
>>>   powerpc: Move ELF_ET_DYN_BASE to 4GB / 4MB
>>>
>>>   Now that explicitly executed loaders are loaded in the mmap region,
>>>   we have more freedom to decide where we position PIE binaries in the
>>>   address space to avoid possible collisions with mmap or stack regions.
>>>
>>>   For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
>>>   address space for 32-bit pointers. On 32-bit use 4MB.
>>
>> Good idea, thanks. I'll resend the series with the commit logs updated.
>>
>>> Is there any particular reasoning behind the 4MB value on 32-bit?
>>
>> So, I've dug around a bit on this, and I *think* the rationale is to
>> avoid mapping a possible 4MB page table entry when it won't be using
>> at least a portion near the lower end (NULL address area covered
>> blocked by mmap_min_addr). It seems to be mainly tradition, though.
>
> OK, that is obscure, especially for CPUs that don't have a 4MB page
> size. But consistency across arches is probably best regardless.

Yeah, I like being not "close" to the NULL address, though the
definition of "close" has been various values like 64K (mmap_min_addr)
and 1M (x86 BIOS junk and new stack-gap size). 4MB is above even that,
so, I think we're fine there. It's what Windows has used, so it's
familiar and any new attack methodologies would at least be shared
across OSes and architectures, so we should "notice" any problem with
the value, and then we can adjust it if we need to.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ