From patchwork Tue Sep 29 08:30:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Topi Miettinen X-Patchwork-Id: 11805225 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E6E08139A for ; Tue, 29 Sep 2020 08:30:45 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 7A3D220773 for ; Tue, 29 Sep 2020 08:30:45 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="qI2twJY8" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7A3D220773 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 9CAE96B005C; Tue, 29 Sep 2020 04:30:44 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 9549C8E0001; Tue, 29 Sep 2020 04:30:44 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 844BC6B0062; Tue, 29 Sep 2020 04:30:44 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0219.hostedemail.com [216.40.44.219]) by kanga.kvack.org (Postfix) with ESMTP id 5A62D6B005C for ; Tue, 29 Sep 2020 04:30:44 -0400 (EDT) Received: from smtpin05.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id E8218181AE863 for ; Tue, 29 Sep 2020 08:30:43 +0000 (UTC) X-FDA: 77315427966.05.wish03_2614d8d27188 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin05.hostedemail.com (Postfix) with ESMTP id B75BE18080D73 for ; Tue, 29 Sep 2020 08:30:43 +0000 (UTC) X-Spam-Summary: 1,0,0,702a4dc424dee7b9,d41d8cd98f00b204,toiwoton@gmail.com,,RULES_HIT:2:41:355:379:541:800:960:973:988:989:1260:1311:1314:1345:1431:1437:1515:1535:1605:1730:1747:1777:1792:1801:2194:2198:2199:2200:2393:2526:2553:2559:2562:2693:2731:2903:2915:3138:3139:3140:3141:3142:3865:3866:3867:3868:3870:3871:3872:3874:4049:4120:4250:4321:4605:5007:6117:6119:6238:6261:6653:7514:7903:7904:7974:9413:10004:11026:11232:11473:11658:11914:12043:12291:12296:12297:12438:12517:12519:12555:12683:12895:12986:13146:13161:13229:13230:13894:14096:14394:14687:21080:21325:21444:21451:21627:21666:21795:21966:21990:30003:30051:30054:30069:30090,0,RBL:209.85.167.66:@gmail.com:.lbl8.mailshell.net-62.18.0.100 66.100.201.100;04ygxedtckwntsxsj591amh5oih33oc8zfjgttgapg87kencrkcdrjbppqy9pf4.g9ftw5rypq9o8th8papkunrycfkz4onfq4f8yiz5xi8ae5r6rwodkcwzq1m5eij.6-lbl8.mailshell.net-223.238.255.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fp,MSBL:0,DNSBL:neutral,Custom_ rules:0: X-HE-Tag: wish03_2614d8d27188 X-Filterd-Recvd-Size: 9111 Received: from mail-lf1-f66.google.com (mail-lf1-f66.google.com [209.85.167.66]) by imf04.hostedemail.com (Postfix) with ESMTP for ; Tue, 29 Sep 2020 08:30:43 +0000 (UTC) Received: by mail-lf1-f66.google.com with SMTP id d15so4475519lfq.11 for ; Tue, 29 Sep 2020 01:30:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=zdcNvhsLXDPDWzr6/84kAWOcCyLclZOWnmKTMoIJAaA=; b=qI2twJY8ZYTaVx3Qu7YfLPeeQ8zOu23Qz1v2vEKQQ5Jd66WgpOC/icrA6a8NK+VmMn ucLJNPfhIT9voXuIce9bZcF2RN1WflibZ0k3nBOLrSgBYt5IgncNREcDpq4a8dhluRx2 gyvzGjWnI/EQSQvYLUAkMJWG4ke+G/SQT2FY6rfHETzNStfk0Ijw5L10RGQtN5fte2lD c65dLPyU2ZealXUHDM8GB/zu45SGTPgsNIi6lKh4bhP3WzcCBhOWvOEtUyCuyBRIWdZo tc6RIuu+Wjvp8/zOtuU7CZeM6qSWnKCPbCHK0OHFHONOkYrJGfYKlUrVUDrgup8aweAS Qotw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=zdcNvhsLXDPDWzr6/84kAWOcCyLclZOWnmKTMoIJAaA=; b=dr1yCZ/n8kBgpAAri2ljzifp4DQErieuAU//hulJfA7dVOxz2drUJiUUmLglZT63Sp QxOgYyBsJUkRTxrSa3F6gyaZsowzbTgtjb43yGy7JrGZA/hsuiSzOWJ8fUIwMZZPFgO/ 34qFPNL4fvqURIP9nlIwasTzPgs5W1R9wgsgQmBaAkUeFunTCy9yMJ6KTBL6P33Ri9si W5/4TrCTg8zHYfRxJNO2d2Ig99/b5etae34zmCm/9vnlDaDL1kDBp0PmmHi/mthICix1 13hQgENq2pPkiT/cMorzxVj0hXcD44crJseI1J7dqegUABP/0c5Vc6x+R3xq0h42V48q klZA== X-Gm-Message-State: AOAM532i8NiZGx8BAYARwCrWGKP997rPaZ1gIu7WYVDMQaO/WZ8mxB48 V8vlpt2Uf5y/hO/8SPidjqvU9lZrY+4= X-Google-Smtp-Source: ABdhPJzukMbQv/MA4Dn2ma2Cfj+EpTnYw1XFgOiHc7s9VQEb9kh3KzosWYXMCEHD75J42oLULfIpnA== X-Received: by 2002:ac2:4d8e:: with SMTP id g14mr893064lfe.386.1601368241118; Tue, 29 Sep 2020 01:30:41 -0700 (PDT) Received: from localhost.localdomain (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id j20sm3131978lfe.181.2020.09.29.01.30.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Sep 2020 01:30:40 -0700 (PDT) From: Topi Miettinen To: linux-mm@kvack.org Cc: Topi Miettinen Subject: [PATCH] mmap: Optional full ASLR for mmap(NULL, ...) Date: Tue, 29 Sep 2020 11:30:36 +0300 Message-Id: <20200929083036.4879-1-toiwoton@gmail.com> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Writing a new value of 3 to /proc/sys/kernel/randomize_va_space enables full randomization of memory mappings created with mmap(NULL, ...). With 2, the base of the VMA used for such mappings is random, but the mappings are created in predictable places within the VMA and in sequential order. With 3, new VMAs are created to fully randomize the mappings. On 32 bit systems this may cause problems due to increased VM fragmentation if the address space gets crowded. In this example, with value of 2, ld.so.cache, libc, an anonymous mmap and locale-archive are located close to each other: $ strace /bin/sync ... openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=189096, ...}) = 0 mmap(NULL, 189096, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7d9c1e7f2000 ... openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0n\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1839792, ...}) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7d9c1e7f0000 mmap(NULL, 1852680, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7d9c1e62b000 ... openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=5642592, ...}) = 0 mmap(NULL, 5642592, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7d9c1e0c9000 With 3, they are located in unrelated addresses: $ echo 3 > /proc/sys/kernel/randomize_va_space $ /bin/sync ... openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=189096, ...}) = 0 mmap(NULL, 189096, PROT_READ, MAP_PRIVATE, 3, 0) = 0xeda4fbea000 ... openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0n\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1839792, ...}) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8fb9c1d000 mmap(NULL, 1852680, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xaabd8598000 ... openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=5642592, ...}) = 0 mmap(NULL, 5642592, PROT_READ, MAP_PRIVATE, 3, 0) = 0xbe351ab8000 Signed-off-by: Topi Miettinen --- Documentation/admin-guide/hw-vuln/spectre.rst | 6 +++--- Documentation/admin-guide/sysctl/kernel.rst | 10 ++++++++++ init/Kconfig | 2 +- mm/mmap.c | 7 ++++++- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst index e05e581af5cf..9ea250522077 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -254,7 +254,7 @@ Spectre variant 2 left by the previous process will also be cleared. User programs should use address space randomization to make attacks - more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2). + more difficult (Set /proc/sys/kernel/randomize_va_space = 1, 2 or 3). 3. A virtualized guest attacking the host ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -499,8 +499,8 @@ Spectre variant 2 more overhead and run slower. User programs should use address space randomization - (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more - difficult. + (/proc/sys/kernel/randomize_va_space = 1, 2 or 3) to make attacks + more difficult. 3. VM mitigation ^^^^^^^^^^^^^^^^ diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst index d4b32cc32bb7..2573b8c2b360 100644 --- a/Documentation/admin-guide/sysctl/kernel.rst +++ b/Documentation/admin-guide/sysctl/kernel.rst @@ -1060,6 +1060,16 @@ that support this feature. Systems with ancient and/or broken binaries should be configured with ``CONFIG_COMPAT_BRK`` enabled, which excludes the heap from process address space randomization. + +3 Additionally enable full randomization of memory mappings created + with mmap(NULL, ...). With 2, the base of the VMA used for such + mappings is random, but the mappings are created in predictable + places within the VMA and in sequential order. With 3, new VMAs + are created to fully randomize the mappings. + + On 32 bit systems this may cause problems due to increased VM + fragmentation if the address space gets crowded. + == =========================================================================== diff --git a/init/Kconfig b/init/Kconfig index d6a0b31b13dc..c5ea2e694f6a 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1859,7 +1859,7 @@ config COMPAT_BRK also breaks ancient binaries (including anything libc5 based). This option changes the bootup default to heap randomization disabled, and can be overridden at runtime by setting - /proc/sys/kernel/randomize_va_space to 2. + /proc/sys/kernel/randomize_va_space to 2 or 3. On non-ancient distros (post-2000 ones) N is usually a safe choice. diff --git a/mm/mmap.c b/mm/mmap.c index 40248d84ad5f..489368f43af1 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -47,6 +47,7 @@ #include #include #include +#include #include #include @@ -206,7 +207,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) #ifdef CONFIG_COMPAT_BRK /* * CONFIG_COMPAT_BRK can still be overridden by setting - * randomize_va_space to 2, which will still cause mm->start_brk + * randomize_va_space to >= 2, which will still cause mm->start_brk * to be arbitrarily shifted */ if (current->brk_randomized) @@ -1407,6 +1408,10 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (mm->map_count > sysctl_max_map_count) return -ENOMEM; + /* Pick a random address even outside current VMAs? */ + if (!addr && randomize_va_space >= 3) + addr = arch_mmap_rnd(); + /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */