From patchwork Thu Apr 10 20:59:02 2014
X-Patchwork-Submitter: Nathan Lynch
X-Patchwork-Id: 3964871
Message-ID: <53470616.9020502@mentor.com>
Date: Thu, 10 Apr 2014 15:59:02 -0500
From: Nathan Lynch
To: Kees Cook
Cc: Will Deacon, Russell King - ARM Linux, David Riley, Steve Capper, "linux-arm-kernel@lists.infradead.org"
Subject: Re: [PATCH v5] ARM: vDSO gettimeofday using generic timer architecture
References: <1395695873-12807-1-git-send-email-nathan_lynch@mentor.com> <5334C04C.2050802@mentor.com>

Hi Kees,

On 03/28/2014 01:42 PM, Kees Cook wrote:
> On Thu, Mar 27, 2014 at 5:20 PM, Nathan Lynch wrote:
>> On 03/27/2014 06:06 PM, Kees Cook wrote:
>>> On Mon, Mar 24, 2014 at 2:17 PM, Nathan Lynch wrote:
>>>> +
>>>> +/* assumes mmap_sem is write-locked */
>>>> +void arm_install_vdso(struct mm_struct *mm)
>>>> +{
>>>> +	unsigned long vdso_base;
>>>> +	int ret;
>>>> +
>>>> +	mm->context.vdso = ~0UL;
>>>> +
>>>> +	if (vdso_pagelist == NULL)
>>>> +		return;
>>>> +
>>>> +	vdso_base = get_unmapped_area(NULL, 0, vdso_mapping_len, 0, 0);
>>>
>>> While get_unmapped_area() should be returning an address that has been
>>> base-offset randomized, I notice that x86 actually moves its vdso to a
>>> random location near the
>>> stack instead (see vdso_addr() in
>>> arch/x86/vdso/vma.c), in theory to avoid a hole in memory and to
>>> randomize the vdso separately from heap and stack. I think
>>> a similar thing would be a benefit on ARM too.
>>
>> OK, I'll look into this. Perhaps a similar treatment for the sigpage?
>
> Oh, yeah. Unless there's a reason not to, it would be nice, yes.

So I've checked into this, and it appears that get_unmapped_area already
returns addresses that are randomized with respect to the stack. Using
the instrumentation below on 3.14 without vdso patches, I observe a
reasonable distribution of offsets, doing something like:

# dmesg -c >/dev/null
# i=0; while ((i++<1000)); do /bin/true ; done
# dmesg | cut -d' ' -f 7 | sort -n | uniq -c

Likely I'm just misunderstanding something, but if not, I'm left
wondering what benefit the x86 vdso_addr algorithm (or something like it)
would provide.

diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
index 92f7b15dd221..672ad588e8d0 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -480,28 +480,35 @@ const char *arch_vma_name(struct vm_area_struct *vma)
 static struct page *signal_page;
 extern struct page *get_signal_page(void);
 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
 {
 	struct mm_struct *mm = current->mm;
 	unsigned long addr;
+	long offset;
 	int ret;
 	if (!signal_page)
 		signal_page = get_signal_page();
 	if (!signal_page)
 		return -ENOMEM;
 	down_write(&mm->mmap_sem);
 	addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
 	if (IS_ERR_VALUE(addr)) {
 		ret = addr;
 		goto up_fail;
 	}
+	offset = addr - PAGE_ALIGN(mm->start_stack);
+
+	pr_info("pgoffset sigpage (%p) vs. start_stack (%p): %ld\n",
+		(void *)addr, (void *)PAGE_ALIGN(mm->start_stack),
+		offset >> PAGE_SHIFT);
+
 	ret = install_special_mapping(mm, addr, PAGE_SIZE,
 		VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
 		&signal_page);
 	if (ret == 0)
 		mm->context.sigpage = addr;
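Review bot: the pr_info() added after the get_unmapped_area() call logs the sigpage address and PAGE_ALIGN(mm->start_stack) with %p on every exec, so anyone who can read dmesg learns exactly the per-process layout the randomization is meant to hide; that is fine for the throwaway measurement described above, but it must not travel into the vDSO series, and anything meant to stay should be a pr_debug() or a trace point that does not print raw addresses. Two smaller points on the same lines: `offset` is declared `long` while `addr - PAGE_ALIGN(mm->start_stack)` is evaluated in unsigned long and only then converted, and `offset >> PAGE_SHIFT` right-shifts a negative value, which the C standard leaves implementation-defined (GCC makes it arithmetic, which is what the printed page count relies on); writing it as `offset / (long)PAGE_SIZE`, which is exact because both addresses are page-aligned, or adding a one-line comment, would make the intent explicit.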
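As an added example that is not part of this thread or the kernel tree, the Python below parses the `pgoffset sigpage (...) vs. start_stack (...): N` lines that the instrumentation above writes to dmesg, re-derives each page offset from the two printed addresses as a consistency check, and reports the empirical entropy of the sigpage-to-stack distance, which is the figure a reviewer would want next to the `sort | uniq -c` histogram. The dmesg lines are constructed sample data and PAGE_SHIFT = 12 is assumed.

```python
import math
import re
from collections import Counter

PAGE_SHIFT = 12  # assumed: 4 KiB pages, as on the ARM kernel in the thread

# Line emitted by the pr_info() in the instrumentation patch:
#   "pgoffset sigpage (%p) vs. start_stack (%p): %ld"  (%p prints bare hex)
LINE_RE = re.compile(r"pgoffset sigpage \((?:0x)?([0-9a-f]+)\) vs\. start_stack "
                     r"\((?:0x)?([0-9a-f]+)\): (-?\d+)")

# Constructed dmesg sample, not real data. The final line carries a page
# offset that does not match its two addresses, to exercise the check.
SAMPLE_DMESG = """\
[   12.001] pgoffset sigpage (b6f1a000) vs. start_stack (be9c4000): -31402
[   12.002] pgoffset sigpage (b6e2b000) vs. start_stack (beb11000): -31974
[   12.003] random: nonblocking pool is initialized
[   12.004] pgoffset sigpage (b6f1a000) vs. start_stack (be7f3000): -30937
[   12.005] pgoffset sigpage (b6d0c000) vs. start_stack (bed30000): -32804
[   12.006] pgoffset sigpage (b6f1a000) vs. start_stack (be9c4000): -31402
[   12.007] pgoffset sigpage (b6f1a000) vs. start_stack (be9c4000): -1
"""


def parse_offsets(text):
    """Return [(sigpage, stack_top, printed_page_offset)] for matching lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # unrelated dmesg lines are skipped
            out.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))))
    return out


def summarize(text):
    """Empirical entropy (bits) of sigpage placement relative to the stack."""
    good, mismatches = [], 0
    for sigpage, stack, printed in parse_offsets(text):
        # Python's >> floors, matching the arithmetic shift the kernel build
        # applies to a negative long, so this recomputes what printk showed.
        if (sigpage - stack) >> PAGE_SHIFT != printed:
            mismatches += 1
            continue
        good.append(printed)
    counts, n = Counter(good), len(good)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {"samples": n, "distinct": len(counts), "entropy_bits": entropy,
            "max_bits": math.log2(len(counts)) if counts else 0.0,
            "mismatches": mismatches, "counts": dict(counts)}
```

On a real run, feed `summarize()` the output of `dmesg` after the 1000-exec loop; an entropy far below `max_bits`, or a `distinct` count in the single digits, means the placement is not as random as the histogram suggests.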