From patchwork Wed Aug 29 22:59:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Edgecombe, Rick P" X-Patchwork-Id: 10581035 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 828005A4 for ; Wed, 29 Aug 2018 22:59:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 69D6C2B157 for ; Wed, 29 Aug 2018 22:59:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5E3872B16E; Wed, 29 Aug 2018 22:59:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E3F0C2B157 for ; Wed, 29 Aug 2018 22:59:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id CDE9C6B4E24; Wed, 29 Aug 2018 18:59:46 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id C8ED96B4E26; Wed, 29 Aug 2018 18:59:46 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B7E136B4E27; Wed, 29 Aug 2018 18:59:46 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pg1-f197.google.com (mail-pg1-f197.google.com [209.85.215.197]) by kanga.kvack.org (Postfix) with ESMTP id 717F36B4E24 for ; Wed, 29 Aug 2018 18:59:46 -0400 (EDT) Received: by mail-pg1-f197.google.com with SMTP id q12-v6so3935577pgp.6 for ; Wed, 29 Aug 2018 15:59:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id; bh=WaV9YvXaaqYV8E59jsttL9hgSsToLs9Sc/aMIRgv3cU=; b=j8HTlI4KoNc9uxh9bT903A+9sBRwtGHgeJZOL7de+dWjLAtUYyiZHP/C7TPDKLU8VT 96sr3lq51LzXjMWimJ/e/brpSHioFJheY9VHNZmApNSuGTwzJLYzLFnKzOsTome2VKJx JbPJ42Ze0Fx4I1pE/KDLQ6BN4ovSI8jhPC8cOM1wjVGK+8rrck1n65kOuBjnA0SHgW1k 3jqE2MrqsYBNpulJ9F7oRKxjn7TGZcK2jtIXC+emEQ1hg+Nfymc52RFmJ2YyRWYHNa8T o/h+P3KgOMv4lfdRd8yDqX7M2jB1vVRh3VGeLZVb3B780Ygl1a7d5qXepJVapJpPPk8X iu5g== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.20 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Gm-Message-State: APzg51ArS0uQKQ0SXH5tuhTRUEID+pCfwDnSMAP63f2tU8Lh7iPAVjfG g1oXajPbVMv1QMzTjiBTHPod2KZs3wBVRIhtsERMWswoJsUYMYibf3OKNkm6nWNJXDH5rSXBLcC 8AuD9u8c9CW1sSlSnnF2uurOhCgYGgyk/Uj7GS6DhDlaLpX0BxC1+Bvz+B81DnCm0FQ== X-Received: by 2002:a63:9248:: with SMTP id s8-v6mr7227239pgn.141.1535583586026; Wed, 29 Aug 2018 15:59:46 -0700 (PDT) X-Google-Smtp-Source: ANB0Vda1KtzF4Hi3b2hUdvKUUIT4X7SQB1OnD481ILXaqQSs5vZEMOn+PBtBzDaQiL/Ov3Djl8Aw X-Received: by 2002:a63:9248:: with SMTP id s8-v6mr7227219pgn.141.1535583585316; Wed, 29 Aug 2018 15:59:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535583584; cv=none; d=google.com; s=arc-20160816; b=EqkUCDlDzSrOS6rs9KphCAEy34rsS1w9jenuj2eZh9SrmBdrZT3j1PcoHLrJ5a+dh9 lulf/GtzZwRe/xLRnQYElslQ5zjk1I3HgQXtwQ16WABb58tj8SIa3HzMhZ+9kE476Pk+ z5nopHhpZ6xEItRAuhX97cElCKYWAL4tUf1QVplem3fZicRb23z6yDdcBwro1FkO1Mh2 kWwVicvb02gc0Fb0RrUV73TAv9Ma5Rgsy8uOKfhBP0nmgm0/qOeJ4/CHVwFR1URPKKGA kHlJxFHwnECda0N/FpmD7d96SAT1ZORFg+D/6GMwzbakaBYR5AbQMeTa7/L3m6Snuj7s 0qLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:date:subject:cc:to:from:arc-authentication-results; bh=WaV9YvXaaqYV8E59jsttL9hgSsToLs9Sc/aMIRgv3cU=; b=ywmlLxZzf9gjWbuLbP4x8p19VgHoH2x91jRMijGKY3gZJrWt8Axwu1zQi3XbuC8uoG 2w/ZS7QiZSHJDUBhxW59cQPSCMMSLz46b3oQ1uKhnReV4GQyWojWjcsyrz4Zqb8wVocT yYzJO9wke804VBmav5U/gXeskZQTr0qvbXYWCrdsu2yx2+eMQfSOiVGjpo9moDJYvTNc +HFiPaF5VfT41qZ9sPEb0eN7iZ0LnbN2Kuac93ajKjmua5tyosJjxBamR1j+mpi4Cg9k ULI59XM82gT6OOtaUyMbPMHzU+f+K74ixKLAm+BW6keaZbe9rVYejd7hUSfBuevDjwoQ szLg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.20 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from mga02.intel.com (mga02.intel.com. [134.134.136.20]) by mx.google.com with ESMTPS id o13-v6si4876523pll.86.2018.08.29.15.59.44 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 Aug 2018 15:59:44 -0700 (PDT) Received-SPF: pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.20 as permitted sender) client-ip=134.134.136.20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.20 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Aug 2018 15:59:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,305,1531810800"; d="scan'208";a="85609392" Received: from rpedgeco-desk5.jf.intel.com ([10.54.75.168]) by fmsmga001.fm.intel.com with ESMTP; 29 Aug 2018 15:59:41 -0700 From: Rick Edgecombe To: tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, daniel@iogearbox.net, jannh@google.com, keescook@chromium.org Cc: kristen@linux.intel.com, dave.hansen@intel.com, arjan@linux.intel.com, Rick Edgecombe Subject: [PATCH v4 0/3] KASLR feature to randomize each loadable module Date: Wed, 29 Aug 2018 15:59:36 -0700 Message-Id: <1535583579-6138-1-git-send-email-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.7.4 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Hi, This is v4 of the "KASLR feature to randomize each loadable module" patchset. The purpose is to increase the randomization and also to make the modules randomized in relation to each other instead of just the base, so that if one module leaks the location of the others can't be inferred. It is enabled for x86_64 for now. V4 is a few small fixes. I humbly think this is in pretty good shape at this point, unless anyone has any comments. The only other big change I was considering was moving the new randomization algorithm into vmalloc so it could be re-used for other architectures or possibly other vmalloc usages. A few words on how this was tested - As previously mentioned, the entropy estimates were done using extracted module text sizes from the in-tree modules. These were also used to run 100,000's of simulated module allocations by calling module_alloc from a test module, including testing until allocation failure. The simulations kept track of every allocation address to make sure there were no collisions, and verified memory was actually mapped. In addition the __vmalloc_node_try_addr function has a suite of unit tests that verify for a bunch of edge cases that it: - Allows for allocations when it should - Reports the right error code if it collides with a lazy-free area or real allocation - Verifies it frees a lazy free area when it should These synthetic tests were also how the performance metrics were gathered. Changes for V4: - Fix issue caused by KASAN, kmemleak being provided different allocation lengths (padding). - Avoid kmalloc until sure its needed in __vmalloc_node_try_addr. - Fix for debug file hang when the last VA is a lazy purge area - Fixed issues reported by 0-day build system. Changes for V3: - Code cleanup based on internal feedback. (thanks to Dave Hansen and Andriy Shevchenko) - Slight refactor of existing algorithm to more cleanly live along side new one. - BPF synthetic benchmark Changes for V2: - New implementation of __vmalloc_node_try_addr based on the __vmalloc_node_range implementation, that only flushes TLB when needed. - Modified module loading algorithm to try to reduce the TLB flushes further. - Increase "random area" tries in order to increase the number of modules that can get high randomness. - Increase "random area" size to 2/3 of module area in order to increase the number of modules that can get high randomness. - Fix for 0day failures on other architectures. - Fix for wrong debugfs permissions. (thanks to Jann Horn) - Spelling fix. (thanks to Jann Horn) - Data on module_alloc performance and TLB flushes. (brought up by Kees Cook and Jann Horn) - Data on memory usage. (suggested by Jann) Rick Edgecombe (3): vmalloc: Add __vmalloc_node_try_addr function x86/modules: Increase randomization for modules vmalloc: Add debugfs modfraginfo arch/x86/include/asm/pgtable_64_types.h | 7 + arch/x86/kernel/module.c | 165 ++++++++++++++++--- include/linux/vmalloc.h | 3 + mm/vmalloc.c | 279 +++++++++++++++++++++++++++++++- 4 files changed, 429 insertions(+), 25 deletions(-)