| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180322135314.61efce938293e051e118fa46@linux-foundation.org>
Date: Thu, 22 Mar 2018 13:53:14 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Ilya Smith <blackzert@...il.com>
Cc: rth@...ddle.net, ink@...assic.park.msu.ru, mattst88@...il.com,
vgupta@...opsys.com, linux@...linux.org.uk, tony.luck@...el.com,
fenghua.yu@...el.com, jhogan@...nel.org, ralf@...ux-mips.org,
jejb@...isc-linux.org, deller@....de, benh@...nel.crashing.org,
paulus@...ba.org, mpe@...erman.id.au, schwidefsky@...ibm.com,
heiko.carstens@...ibm.com, ysato@...rs.sourceforge.jp,
dalias@...c.org, davem@...emloft.net, tglx@...utronix.de,
mingo@...hat.com, hpa@...or.com, x86@...nel.org,
nyc@...omorphy.com, viro@...iv.linux.org.uk, arnd@...db.de,
gregkh@...uxfoundation.org, deepa.kernel@...il.com,
mhocko@...e.com, hughd@...gle.com, kstewart@...uxfoundation.org,
pombredanne@...b.com, steve.capper@....com, punit.agrawal@....com,
paul.burton@...s.com, aneesh.kumar@...ux.vnet.ibm.com,
npiggin@...il.com, keescook@...omium.org, bhsharma@...hat.com,
riel@...hat.com, nitin.m.gupta@...cle.com,
kirill.shutemov@...ux.intel.com, dan.j.williams@...el.com,
jack@...e.cz, ross.zwisler@...ux.intel.com, jglisse@...hat.com,
willy@...radead.org, aarcange@...hat.com, oleg@...hat.com,
linux-alpha@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-snps-arc@...ts.infradead.org,
linux-arm-kernel@...ts.infradead.org, linux-ia64@...r.kernel.org,
linux-metag@...r.kernel.org, linux-mips@...ux-mips.org,
linux-parisc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-s390@...r.kernel.org, linux-sh@...r.kernel.org,
sparclinux@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [RFC PATCH v2 1/2] Randomization of address chosen by mmap.
On Thu, 22 Mar 2018 19:36:37 +0300 Ilya Smith <blackzert@...il.com> wrote:
> include/linux/mm.h | 16 ++++--
> mm/mmap.c | 164 +++++++++++++++++++++++++++++++++++++++++++++++++++++
You'll be wanting to update the documentation.
Documentation/sysctl/kernel.txt and
Documentation/admin-guide/kernel-parameters.txt.
> ...
>
> @@ -2268,6 +2276,9 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
> static inline unsigned long
> vm_unmapped_area(struct vm_unmapped_area_info *info)
> {
> + /* How about 32 bit process?? */
> + if ((current->flags & PF_RANDOMIZE) && randomize_va_space > 3)
> + return unmapped_area_random(info);
The handling of randomize_va_space is peculiar. Rather than being a
bitfield which independently selects different modes, it is treated as
a scalar: the larger the value, the more stuff we randomize.
I can see the sense in that (and I wonder what randomize_va_space=5
will do). But it is... odd.
Why did you select randomize_va_space=4 for this? Is there a mode 3
already and we forgot to document it? Or did you leave a gap for
something? If the former, please feel free to fix the documentation
(in a separate, preceding patch) while you're in there ;)
> if (info->flags & VM_UNMAPPED_AREA_TOPDOWN)
> return unmapped_area_topdown(info);
> else
> @@ -2529,11 +2540,6 @@ int drop_caches_sysctl_handler(struct ctl_table *, int,
> void drop_slab(void);
> void drop_slab_node(int nid);
>
>
> ...
>
> @@ -1780,6 +1781,169 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> return error;
> }
>
> +unsigned long unmapped_area_random(struct vm_unmapped_area_info *info)
> +{
This function is just dead code if CONFIG_MMU=n, yes? Let's add the
ifdefs to make it go away in that case.
> + struct mm_struct *mm = current->mm;
> + struct vm_area_struct *vma = NULL;
> + struct vm_area_struct *visited_vma = NULL;
> + unsigned long entropy[2];
> + unsigned long length, low_limit, high_limit, gap_start, gap_end;
> + unsigned long addr = 0;
> +
> + /* get entropy with prng */
> + prandom_bytes(&entropy, sizeof(entropy));
> + /* small hack to prevent EPERM result */
> + info->low_limit = max(info->low_limit, mmap_min_addr);
> +
>
> ...
>
> +found:
> + /* We found a suitable gap. Clip it with the original high_limit. */
> + if (gap_end > info->high_limit)
> + gap_end = info->high_limit;
> + gap_end -= info->length;
> + gap_end -= (gap_end - info->align_offset) & info->align_mask;
> + /* only one suitable page */
> + if (gap_end == gap_start)
> + return gap_start;
> + addr = entropy[1] % (min((gap_end - gap_start) >> PAGE_SHIFT,
> + 0x10000UL));
What does the magic 10000 mean? Isn't a comment needed explaining this?
> + addr = gap_end - (addr << PAGE_SHIFT);
> + addr += (info->align_offset - addr) & info->align_mask;
> + return addr;
> +}
>
> ...
>
Powered by blists - more mailing lists