From: Matthew Wilcox <willy@infradead.org>
To: Daniel Micay <danielmicay@gmail.com>
Cc: Ilya Smith <blackzert@gmail.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Michal Hocko <mhocko@suse.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
Hugh Dickins <hughd@google.com>, Helge Deller <deller@gmx.de>,
Andrea Arcangeli <aarcange@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Date: Sun, 4 Mar 2018 12:56:14 -0800 [thread overview]
Message-ID: <20180304205614.GC23816@bombadil.infradead.org> (raw)
In-Reply-To: <20180304034704.GB20725@bombadil.infradead.org>
On Sat, Mar 03, 2018 at 07:47:04PM -0800, Matthew Wilcox wrote:
> On Sat, Mar 03, 2018 at 04:00:45PM -0500, Daniel Micay wrote:
> > The main thing I'd like to see is just the option to get a guarantee
> > of enforced gaps around mappings, without necessarily even having
> > randomization of the gap size. It's possible to add guard pages in
> > userspace but it adds overhead by doubling the number of system calls
> > to map memory (mmap PROT_NONE region, mprotect the inner portion to
> > PROT_READ|PROT_WRITE) and *everything* using mmap would need to
> > cooperate which is unrealistic.
>
> So something like this?
>
> To use it, OR in PROT_GUARD(n) to the PROT flags of mmap, and it should
> pad the map by n pages. I haven't tested it, so I'm sure it's buggy,
> but it seems like a fairly cheap way to give us padding after every
> mapping.
>
> Running it on an old kernel will result in no padding, so to see if it
> worked or not, try mapping something immediately after it.
Thinking about this more ...
- When you call munmap, if you pass in the same (addr, length) that were
used for mmap, then it should unmap the guard pages as well (that
wasn't part of the patch, so it would have to be added)
- If 'addr' is higher than the mapped address, and length at least
reaches the end of the mapping, then I would expect the guard pages to
"move down" and be after the end of the newly-shortened mapping.
- If 'addr' is higher than the mapped address, and the length doesn't
reach the end of the old mapping, we split the old mapping into two.
I would expect the guard pages to apply to both mappings, insofar as
they'll fit. For an example, suppose we have a five-page mapping with
two guard pages (MMMMMGG), and then we unmap the fourth page. Now we
have a three-page mapping with one guard page followed immediately
by a one-page mapping with two guard pages (MMMGMGG).
I would say that mremap cannot change the number of guard pages.
Although I'm a little tempted to add an mremap flag to permit the mapping
to expand into the guard pages. That would give us a nice way to reserve
address space for a mapping we think is going to expand.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2018-03-04 20:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 13:13 Ilya Smith
2018-02-27 20:52 ` Kees Cook
2018-02-27 21:31 ` lazytyped
2018-02-28 17:13 ` Ilya Smith
2018-02-28 18:33 ` Matthew Wilcox
2018-02-28 21:02 ` Daniel Micay
2018-03-03 13:58 ` Ilya Smith
2018-03-03 21:00 ` Daniel Micay
2018-03-04 3:47 ` Matthew Wilcox
2018-03-04 20:56 ` Matthew Wilcox [this message]
2018-03-05 13:09 ` Ilya Smith
2018-03-05 14:23 ` Daniel Micay
2018-03-05 16:05 ` Ilya Smith
2018-03-05 16:23 ` Matthew Wilcox
2018-03-05 19:27 ` Ilya Smith
2018-03-05 19:47 ` Matthew Wilcox
2018-03-05 20:20 ` Ilya Smith
2018-03-02 20:30 ` Ilya Smith
2018-03-02 20:48 ` Matthew Wilcox
2018-03-03 15:13 ` Ilya Smith
2018-02-28 19:54 ` Kees Cook
2018-03-01 13:52 ` Ilya Smith
2018-03-02 7:17 ` 097eb0af45: kernel_BUG_at_mm/hugetlb.c kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180304205614.GC23816@bombadil.infradead.org \
--to=willy@infradead.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=blackzert@gmail.com \
--cc=dan.j.williams@intel.com \
--cc=danielmicay@gmail.com \
--cc=deller@gmx.de \
--cc=hughd@google.com \
--cc=jack@suse.cz \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=oleg@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox