[v6,4/4] x86: mm: support ARCH_MMAP_RND_BITS.

Commit Message

Daniel Cashman Dec. 11, 2015, 5:52 p.m. UTC

From: dcashman <dcashman@google.com>

x86: arch_mmap_rnd() uses hard-coded values, 8 for 32-bit and 28 for
64-bit, to generate the random offset for the mmap base address.
This value represents a compromise between increased ASLR
effectiveness and avoiding address-space fragmentation. Replace it
with a Kconfig option, which is sensibly bounded, so that platform
developers may choose where to place this compromise. Keep default
values as new minimums.

Signed-off-by: Daniel Cashman <dcashman@android.com>
---
 arch/x86/Kconfig   | 16 ++++++++++++++++
 arch/x86/mm/mmap.c | 12 ++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

Comments

H. Peter Anvin Dec. 14, 2015, 6:58 p.m. UTC | #1

On 12/11/15 09:52, Daniel Cashman wrote:
> From: dcashman <dcashman@google.com>
> 
> x86: arch_mmap_rnd() uses hard-coded values, 8 for 32-bit and 28 for
> 64-bit, to generate the random offset for the mmap base address.
> This value represents a compromise between increased ASLR
> effectiveness and avoiding address-space fragmentation. Replace it
> with a Kconfig option, which is sensibly bounded, so that platform
> developers may choose where to place this compromise. Keep default
> values as new minimums.
> 
> Signed-off-by: Daniel Cashman <dcashman@android.com>

OK, this is around the time when I make a lecture about the danger of
expecting the compiler to make certain transformations:

> diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
> index 844b06d..647fecf 100644
> --- a/arch/x86/mm/mmap.c
> +++ b/arch/x86/mm/mmap.c
> @@ -69,14 +69,14 @@ unsigned long arch_mmap_rnd(void)
>  {
>  	unsigned long rnd;
>  
> -	/*
> -	 *  8 bits of randomness in 32bit mmaps, 20 address space bits
> -	 * 28 bits of randomness in 64bit mmaps, 40 address space bits
> -	 */
>  	if (mmap_is_ia32())
> -		rnd = (unsigned long)get_random_int() % (1<<8);
> +#ifdef CONFIG_COMPAT
> +		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
> +#else
> +		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
> +#endif
>  	else
> -		rnd = (unsigned long)get_random_int() % (1<<28);
> +		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>  
>  	return rnd << PAGE_SHIFT;
>  }
> 

Now, you and I know that both variants can be implemented with a simple
AND, but I have a strong suspicion that once this is turned into a
variable, this will in fact be changed from an AND to a divide.

So I'd prefer to use the
"get_random_int() & ((1UL << mmap_rnd_bits) - 1)" construct instead.

	-hpa

Daniel Cashman Dec. 14, 2015, 8:51 p.m. UTC | #2

On 12/14/2015 10:58 AM, H. Peter Anvin wrote:
> On 12/11/15 09:52, Daniel Cashman wrote:
>> diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
>> index 844b06d..647fecf 100644
>> --- a/arch/x86/mm/mmap.c
>> +++ b/arch/x86/mm/mmap.c
>> @@ -69,14 +69,14 @@ unsigned long arch_mmap_rnd(void)
>>  {
>>  	unsigned long rnd;
>>  
>> -	/*
>> -	 *  8 bits of randomness in 32bit mmaps, 20 address space bits
>> -	 * 28 bits of randomness in 64bit mmaps, 40 address space bits
>> -	 */
>>  	if (mmap_is_ia32())
>> -		rnd = (unsigned long)get_random_int() % (1<<8);
>> +#ifdef CONFIG_COMPAT
>> +		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
>> +#else
>> +		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>> +#endif
>>  	else
>> -		rnd = (unsigned long)get_random_int() % (1<<28);
>> +		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
>>  
>>  	return rnd << PAGE_SHIFT;
>>  }
>>
> 
> Now, you and I know that both variants can be implemented with a simple
> AND, but I have a strong suspicion that once this is turned into a
> variable, this will in fact be changed from an AND to a divide.
> 
> So I'd prefer to use the
> "get_random_int() & ((1UL << mmap_rnd_bits) - 1)" construct instead.

Good point.  Will change in v7 across patch-set.

Thank You,
Dan

Patch

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index db3622f..bdc67d2 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -82,6 +82,8 @@  config X86
 	select HAVE_ARCH_KASAN			if X86_64 && SPARSEMEM_VMEMMAP
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_KMEMCHECK
+	select HAVE_ARCH_MMAP_RND_BITS		if MMU
+	select HAVE_ARCH_MMAP_RND_COMPAT_BITS	if MMU && COMPAT
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_SOFT_DIRTY		if X86_64
 	select HAVE_ARCH_TRACEHOOK
@@ -183,6 +185,20 @@  config HAVE_LATENCYTOP_SUPPORT
 config MMU
 	def_bool y
 
+config ARCH_MMAP_RND_BITS_MIN
+       default 28 if 64BIT
+       default 8
+
+config ARCH_MMAP_RND_BITS_MAX
+	default 32 if 64BIT
+	default 16
+
+config ARCH_MMAP_RND_COMPAT_BITS_MIN
+	default 8
+
+config ARCH_MMAP_RND_COMPAT_BITS_MAX
+	default 16
+
 config SBUS
 	bool
 
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 844b06d..647fecf 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -69,14 +69,14 @@  unsigned long arch_mmap_rnd(void)
 {
 	unsigned long rnd;
 
-	/*
-	 *  8 bits of randomness in 32bit mmaps, 20 address space bits
-	 * 28 bits of randomness in 64bit mmaps, 40 address space bits
-	 */
 	if (mmap_is_ia32())
-		rnd = (unsigned long)get_random_int() % (1<<8);
+#ifdef CONFIG_COMPAT
+		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_compat_bits);
+#else
+		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
+#endif
 	else
-		rnd = (unsigned long)get_random_int() % (1<<28);
+		rnd = (unsigned long)get_random_int() % (1 << mmap_rnd_bits);
 
 	return rnd << PAGE_SHIFT;
 }