lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202009260933.C603CD8@keescook>
Date:   Sat, 26 Sep 2020 09:40:43 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Pintu Agarwal <pintu.ping@...il.com>
Cc:     Ard Biesheuvel <ardb@...nel.org>,
        Mark Rutland <mark.rutland@....com>,
        Arnd Bergmann <arnd@...db.de>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Marc Zyngier <marc.zyngier@....com>,
        Dave Martin <dave.martin@....com>,
        Kernelnewbies <kernelnewbies@...nelnewbies.org>,
        Russell King - ARM Linux <linux@...linux.org.uk>,
        open list <linux-kernel@...r.kernel.org>,
        Tony Lindgren <tony@...mide.com>, matt@...eblueprint.co.uk,
        nico@...aro.org, Thomas Garnier <thgarnie@...gle.com>,
        "moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE" 
        <linux-arm-kernel@...ts.infradead.org>
Subject: Re: KASLR support on ARM with Kernel 4.9 and 4.14

On Sat, Sep 26, 2020 at 01:28:02PM +0530, Pintu Agarwal wrote:
> On Sat, 26 Sep 2020 at 05:17, Kees Cook <keescook@...omium.org> wrote:
> > >
> > > For a 3/1 split ARM kernel of the typical size, all kernel virtual
> > > addresses start with 0xc0, and given that the kernel is located at the
> > > start of the linear map, those addresses cannot change even if you
> > > move the kernel around in physical memory.
> >
> > I wonder if this is an Android Common kernel? I think there was %p
> > hashing in there before v4.15, but with a different implementation...
> >
> 
> Hi,
> Thank you all for all your reply and comments so far!
> Here are some follow-up replies.
> 
> >> What device is this? Is it a stock kernel?
> This is a Qualcomm Snapdragon Automotive board one with Linux Kernel
> 4.9 and one with 4.14.
> 
> >> Is the boot loader changing the base address? (What boot loader are you
> >> using?)
> Ohh I did not knew that the bootloader can also change the base address.
> I think it uses UEFI.
> How to check if bootloader is doing this ?
> BTW, both 4.9 board and 4.14 board, uses same bootloader.
> 
> >> I wonder if this is an Android Common kernel?
> It uses the below kernel for 4.14:
> https://gitlab.com/quicla/kernel/msm-4.14/-/tree/LE.UM.3.4.2.r1.5  (or
> similar branch).

Okay, so yes. And this appears to have the hashing of %p backported. I
cannot, however, explain why it's showing hashed pointers instead of
just NULL, though.

It might be related to these commits but they're not in that kernel:
3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
7bd57fbc4a4d ("vsprintf: don't obfuscate NULL and error pointers")

> ==> The case where symbol addresses are changing.
> 
> kptr_restrict is set to 2 by default:
> / # cat /proc/sys/kernel/kptr_restrict
> 2
> 
> Basically, the goal is:
> * To understand how addresses are changing in 4.14 Kernel (without
> KASLR support)?
> * Is it possible to support the same in 4.9 Kernel ?

Try setting kptr_restrict to 0 and see if the symbol addresses change? I
suspect Ard is correct: there's no KASLR here, just hashed pointers
behaving weird on an old non-stock kernel. :)

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ