From: Ilya Smith <blackzert@gmail.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Kees Cook <keescook@chromium.org>,
Michal Hocko <mhocko@kernel.org>,
Richard Henderson <rth@twiddle.net>,
ink@jurassic.park.msu.ru, mattst88@gmail.com,
Vineet Gupta <vgupta@synopsys.com>,
Russell King <linux@armlinux.org.uk>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
Ralf Baechle <ralf@linux-mips.org>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Yoshinori Sato <ysato@users.sourceforge.jp>,
Rich Felker <dalias@libc.org>,
"David S. Miller" <davem@davemloft.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
X86 ML <x86@kernel.org>,
nyc@holomorphy.com, Al Viro <viro@zeniv.linux.org.uk>,
Arnd Bergmann <arnd@arndb.de>,
Greg KH <gregkh@linuxfoundation.org>,
Deepa Dinamani <deepa.kernel@gmail.com>,
Hugh Dickins <hughd@google.com>,
Kate Stewart <kstewart@linuxfoundation.org>,
Philippe Ombredanne <pombredanne@nexb.com>,
Andrew Morton <akpm@linux-foundation.org>,
Steve Capper <steve.capper@arm.com>,
Punit Agrawal <punit.agrawal@arm.com>,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
Nick Piggin <npiggin@gmail.com>,
Bhupesh Sharma <bhsharma@redhat.com>,
Rik van Riel <riel@redhat.com>,
nitin.m.gupta@oracle.com,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Dan Williams <dan.j.williams@intel.com>, Jan Kara <jack@suse.cz>,
Ross Zwisler <ross.zwisler@linux.intel.com>,
Jerome Glisse <jglisse@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-alpha@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
linux-snps-arc@lists.infradead.org, linux-ia64@vger.kernel.org,
linux-metag@vger.kernel.org,
Linux MIPS Mailing List <linux-mips@linux-mips.org>,
linux-parisc <linux-parisc@vger.kernel.org>,
PowerPC <linuxppc-dev@lists.ozlabs.org>,
linux-s390 <linux-s390@vger.kernel.org>,
linux-sh <linux-sh@vger.kernel.org>,
sparclinux <sparclinux@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>
Subject: Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.
Date: Thu, 29 Mar 2018 00:07:35 +0300 [thread overview]
Message-ID: <B26CA69E-B804-4607-9697-853DFE24C616@gmail.com> (raw)
In-Reply-To: <20180327234904.GA27734@bombadil.infradead.org>
> On 28 Mar 2018, at 02:49, Matthew Wilcox <willy@infradead.org> wrote:
>
> On Tue, Mar 27, 2018 at 03:53:53PM -0700, Kees Cook wrote:
>> I agree: pushing this off to libc leaves a lot of things unprotected.
>> I think this should live in the kernel. The question I have is about
>> making it maintainable/readable/etc.
>>
>> The state-of-the-art for ASLR is moving to finer granularity (over
>> just base-address offset), so I'd really like to see this supported in
>> the kernel. We'll be getting there for other things in the future, and
>> I'd like to have a working production example for researchers to
>> study, etc.
>
> One thing we need is to limit the fragmentation of this approach.
> Even on 64-bit systems, we can easily get into a situation where there isn't
> space to map a contiguous terabyte.
As I wrote before, shift_random is introduced to be fragmentation limit. Even
without it, the main question here is ‘if we can’t allocate memory with N size
bytes, how many bytes we already allocated?’. From these point of view I
already showed in previous version of patch that if application uses not so big
memory allocations, it will have enough memory to use. If it uses XX Gigabytes
or Terabytes memory, this application has all chances to be exploited with
fully randomization or without. Since it is much easier to find(or guess) any
usable pointer, etc. For the instance you have only 128 terabytes of memory for
user space, so probability to exploit this application is 1/128 what is not
secure at all. This is very rough estimate but I try to make things easier to
understand.
Best regards,
Ilya
next prev parent reply other threads:[~2018-03-28 21:07 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-22 16:36 Ilya Smith
2018-03-22 16:36 ` [RFC PATCH v2 1/2] " Ilya Smith
2018-03-22 20:53 ` Andrew Morton
2018-03-23 17:43 ` Ilya Smith
2018-03-22 16:36 ` [RFC PATCH v2 2/2] Architecture defined limit on memory region random shift Ilya Smith
2018-03-22 20:54 ` Andrew Morton
2018-03-23 17:48 ` Ilya Smith
2018-03-23 17:49 ` Ilya Smith
2018-03-22 20:57 ` [RFC PATCH v2 0/2] Randomization of address chosen by mmap Andrew Morton
2018-03-23 17:25 ` Ilya Smith
2018-03-23 12:48 ` Matthew Wilcox
2018-03-23 17:55 ` Ilya Smith
2018-03-26 8:46 ` Michal Hocko
2018-03-26 19:45 ` Ilya Smith
2018-03-27 7:24 ` Michal Hocko
2018-03-27 13:51 ` Ilya Smith
2018-03-27 14:38 ` Michal Hocko
2018-03-28 18:47 ` Ilya Smith
2018-03-27 22:16 ` Theodore Y. Ts'o
2018-03-27 23:58 ` Rich Felker
2018-03-28 18:48 ` Ilya Smith
2018-03-27 22:53 ` Kees Cook
2018-03-27 23:49 ` Matthew Wilcox
2018-03-27 23:57 ` Kees Cook
2018-03-28 0:00 ` Rich Felker
2018-03-28 21:07 ` Luck, Tony
2018-04-03 0:11 ` Ilya Smith
2018-03-28 21:07 ` Ilya Smith [this message]
2018-03-23 18:00 ` Rich Felker
2018-03-23 19:06 ` Matthew Wilcox
2018-03-23 19:16 ` Rich Felker
2018-03-23 19:29 ` Matthew Wilcox
2018-03-23 19:35 ` Rich Felker
2018-03-28 4:50 ` Rob Landley
2018-03-30 7:55 ` Pavel Machek
2018-03-30 9:07 ` Ilya Smith
2018-03-30 9:57 ` Pavel Machek
2018-03-30 11:10 ` Ilya Smith
2018-03-30 13:33 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=B26CA69E-B804-4607-9697-853DFE24C616@gmail.com \
--to=blackzert@gmail.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=arnd@arndb.de \
--cc=benh@kernel.crashing.org \
--cc=bhsharma@redhat.com \
--cc=dalias@libc.org \
--cc=dan.j.williams@intel.com \
--cc=davem@davemloft.net \
--cc=deepa.kernel@gmail.com \
--cc=deller@gmx.de \
--cc=fenghua.yu@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=hughd@google.com \
--cc=ink@jurassic.park.msu.ru \
--cc=jack@suse.cz \
--cc=jejb@parisc-linux.org \
--cc=jglisse@redhat.com \
--cc=keescook@chromium.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=kstewart@linuxfoundation.org \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-metag@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-mm@kvack.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-sh@vger.kernel.org \
--cc=linux-snps-arc@lists.infradead.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mattst88@gmail.com \
--cc=mhocko@kernel.org \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=nitin.m.gupta@oracle.com \
--cc=npiggin@gmail.com \
--cc=nyc@holomorphy.com \
--cc=oleg@redhat.com \
--cc=paulus@samba.org \
--cc=pombredanne@nexb.com \
--cc=punit.agrawal@arm.com \
--cc=ralf@linux-mips.org \
--cc=riel@redhat.com \
--cc=ross.zwisler@linux.intel.com \
--cc=rth@twiddle.net \
--cc=schwidefsky@de.ibm.com \
--cc=sparclinux@vger.kernel.org \
--cc=steve.capper@arm.com \
--cc=tglx@linutronix.de \
--cc=tony.luck@intel.com \
--cc=vgupta@synopsys.com \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=ysato@users.sourceforge.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox