From: Ilya Smith <blackzert@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Michal Hocko <mhocko@suse.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
Hugh Dickins <hughd@google.com>,
Matthew Wilcox <willy@infradead.org>,
Helge Deller <deller@gmx.de>,
Andrea Arcangeli <aarcange@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Date: Thu, 1 Mar 2018 16:52:12 +0300
Message-ID: <5E526DB1-08ED-4BD9-AD33-A2EBCC95091E@gmail.com>
In-Reply-To: <CAGXu5jLY4eX5BMU8-2HFr2myjSL717KE-m_SAQp1yeu=cg+w7g@mail.gmail.com>
> On 28 Feb 2018, at 22:54, Kees Cook <keescook@chromium.org> wrote:
>
> I was trying to understand the target entropy level, and I'm worried
> it's a bit biased. For example, if the first allocation lands at 1/4th
> of the memory space, the next allocation (IIUC) has a 50% chance of
> falling on either side of it. If it goes on the small side, it then
> has much less entropy than if it had gone on the other side. I think
> this may be less entropy than choosing a random address and just
> seeing if it fits or not. Dealing with collisions could be done either
> by pushing the address until it doesn't collide or picking another
> random address, etc. This is probably more expensive, though, since it
> would need to walk the vma tree repeatedly. Anyway, I was ultimately
> curious about your measured entropy and what alternatives you
> considered.

Let me please start with the options we have here.

Let's pretend we need to choose a random address from the free memory pool. Let's
pretend we have an array of gaps sorted by size of gap, descending. First we
find the highest index that satisfies the requested length. For each suitable gap
(with a lower index) we count how many pages in this gap satisfy the request, and
compute the total count of pages that satisfy the request. Now we get a random
number modulo the total number. Subtracting from this value the count of suitable
gap pages for gaps until this value is greater, we will find the needed gap and
the offset inside it. Adding the gap start to the offset, we will randomly choose
a suitable address.

In this scheme we have to keep an array of gaps. Each time the address space is
changed we have to keep the gaps array consistent and apply these changes. It is
a very big overhead on any change.

Pure random looks really expensive. Let's try to improve something.

We can't just choose a random address and try to do it again and again until we
find something - this approach has non-deterministic behaviour. Nobody knows when
it stops. Same if we try to walk the tree in a random direction.

We can walk the tree and try to build an array of suitable gaps and choose
something from there. In my current approach (proof of concept) the length of the
array is 1 and that's why the last gaps would be chosen with more probability. I
agree. It is possible to increase the array, spending some memory. For example
struct mm may have an array of 1024 gaps. We do the same: walk the tree and
randomly fill this array (everything locked under the write_mem semaphore). When
we have filled it or walked the whole tree - choose a gap randomly. What do you
think about it?

Thanks,
Ilya
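
The first option described in the message above (a uniform pick over every position where the request fits, across an array of gaps sorted by size), as an added example that is not part of the original message or of the RFC patch. The `struct gap` layout, the function names and the sample gaps are assumptions made for illustration, and "pages that satisfy the request" is read here as the number of page-aligned start positions in a gap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SHIFT 12  /* assumed 4 KiB pages */

/* Hypothetical free-range record: start address and size in pages. */
struct gap { uint64_t start; uint64_t pages; };

/* Constructed sample, sorted by size descending as the message assumes. */
static const struct gap sample_gaps[] = {
    { 0x10000000ULL, 8 }, { 0x20000000ULL, 4 }, { 0x30000000ULL, 2 } };

/* Page-aligned start positions in g where a request of len pages fits. */
static uint64_t gap_slots(const struct gap *g, uint64_t len)
{
    return (len && g->pages >= len) ? g->pages - len + 1 : 0;
}

/* Total candidate positions; the descending sort lets the walk stop early. */
uint64_t total_slots(const struct gap *gaps, size_t n, uint64_t len)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n && gaps[i].pages >= len; i++)
        total += gap_slots(&gaps[i], len);
    return total;
}

/* Map a random value onto one candidate address; 0 means nothing fits.
 * rnd must come from a CSPRNG; rnd % total carries a small modulo bias. */
uint64_t pick_address(const struct gap *gaps, size_t n, uint64_t len, uint64_t rnd)
{
    uint64_t total = total_slots(gaps, n, len);
    if (total == 0)
        return 0;
    uint64_t r = rnd % total;
    for (size_t i = 0; i < n; i++) {
        uint64_t s = gap_slots(&gaps[i], len);
        if (r < s)  /* r now indexes a position inside this gap */
            return gaps[i].start + (r << EX_PAGE_SHIFT);
        r -= s;
    }
    return 0;  /* not reached: r < total */
}

int main(void)
{
    for (uint64_t rnd = 0; rnd < 8; rnd++)  /* all 8 candidates for len = 3 */
        printf("0x%llx\n", (unsigned long long)pick_address(sample_gaps, 3, 3, rnd));
    return 0;
}
```

Every candidate position is equally likely here, which is the property the single-gap proof of concept lacks; the cost the message points out is keeping the sorted array consistent on every address-space change.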
Thread overview: 23+ messages
2018-02-27 13:13 Ilya Smith
2018-02-27 20:52 ` Kees Cook
2018-02-27 21:31 ` lazytyped
2018-02-28 17:13 ` Ilya Smith
2018-02-28 18:33 ` Matthew Wilcox
2018-02-28 21:02 ` Daniel Micay
2018-03-03 13:58 ` Ilya Smith
2018-03-03 21:00 ` Daniel Micay
2018-03-04 3:47 ` Matthew Wilcox
2018-03-04 20:56 ` Matthew Wilcox
2018-03-05 13:09 ` Ilya Smith
2018-03-05 14:23 ` Daniel Micay
2018-03-05 16:05 ` Ilya Smith
2018-03-05 16:23 ` Matthew Wilcox
2018-03-05 19:27 ` Ilya Smith
2018-03-05 19:47 ` Matthew Wilcox
2018-03-05 20:20 ` Ilya Smith
2018-03-02 20:30 ` Ilya Smith
2018-03-02 20:48 ` Matthew Wilcox
2018-03-03 15:13 ` Ilya Smith
2018-02-28 19:54 ` Kees Cook
2018-03-01 13:52 ` Ilya Smith [this message]
2018-03-02 7:17 ` 097eb0af45: kernel_BUG_at_mm/hugetlb.c kernel test robot