| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180305162343.GA8230@bombadil.infradead.org>
Date: Mon, 5 Mar 2018 08:23:43 -0800
From: Matthew Wilcox <willy@...radead.org>
To: Ilya Smith <blackzert@...il.com>
Cc: Daniel Micay <danielmicay@...il.com>,
Kees Cook <keescook@...omium.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Dan Williams <dan.j.williams@...el.com>,
Michal Hocko <mhocko@...e.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Jan Kara <jack@...e.cz>, Jerome Glisse <jglisse@...hat.com>,
Hugh Dickins <hughd@...gle.com>, Helge Deller <deller@....de>,
Andrea Arcangeli <aarcange@...hat.com>,
Oleg Nesterov <oleg@...hat.com>, Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
On Mon, Mar 05, 2018 at 04:09:31PM +0300, Ilya Smith wrote:
> > On 4 Mar 2018, at 23:56, Matthew Wilcox <willy@...radead.org> wrote:
> > Thinking about this more ...
> >
> > - When you call munmap, if you pass in the same (addr, length) that were
> > used for mmap, then it should unmap the guard pages as well (that
> > wasn't part of the patch, so it would have to be added)
> > - If 'addr' is higher than the mapped address, and length at least
> > reaches the end of the mapping, then I would expect the guard pages to
> > "move down" and be after the end of the newly-shortened mapping.
> > - If 'addr' is higher than the mapped address, and the length doesn't
> > reach the end of the old mapping, we split the old mapping into two.
> > I would expect the guard pages to apply to both mappings, insofar as
> > they'll fit. For an example, suppose we have a five-page mapping with
> > two guard pages (MMMMMGG), and then we unmap the fourth page. Now we
> > have a three-page mapping with one guard page followed immediately
> > by a one-page mapping with two guard pages (MMMGMGG).
>
> I’m analysing that approach and see much more problems:
> - each time you call mmap like this, you still increase count of vmas as my
> patch did
Umm ... yes, each time you call mmap, you get a VMA. I'm not sure why
that's a problem with my patch. I was trying to solve the problem Daniel
pointed out, that mapping a guard region after each mmap cost twice as
many VMAs, and it solves that problem.
> - now feature vma_merge shouldn’t work at all, until MAP_FIXED is set or
> PROT_GUARD(0)
That's true.
> - the entropy you provide is like 16 bit, that is really not so hard to brute
It's 16 bits per mapping. I think that'll make enough attacks harder
to be worthwhile.
> - in your patch you don’t use vm_guard at address searching, I see many roots
> of bugs here
Don't need to. vm_end includes the guard pages.
> - if you unmap/remap one page inside region, field vma_guard will show head
> or tail pages for vma, not both; kernel don’t know how to handle it
There are no head pages. The guard pages are only placed after the real end.
> - user mode now choose entropy with PROT_GUARD macro, where did he gets it?
> User mode shouldn’t be responsible for entropy at all
I can't agree with that. The user has plenty of opportunities to get
randomness; from /dev/random is the easiest, but you could also do timing
attacks on your own cachelines, for example.
Powered by blists - more mailing lists