From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=3KsH=DP=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-11.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=no
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A738CC43457
	for <linux-mm@archiver.kernel.org>; Thu,  8 Oct 2020 18:24:40 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 0328E2076E
	for <linux-mm@archiver.kernel.org>; Thu,  8 Oct 2020 18:24:39 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="IRLUvU6K"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0328E2076E
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 5AFA06B005C; Thu,  8 Oct 2020 14:24:39 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 53A236B005D; Thu,  8 Oct 2020 14:24:39 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 4017E6B0062; Thu,  8 Oct 2020 14:24:39 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0007.hostedemail.com [216.40.44.7])
	by kanga.kvack.org (Postfix) with ESMTP id 0EDE46B005C
	for <linux-mm@kvack.org>; Thu,  8 Oct 2020 14:24:39 -0400 (EDT)
Received: from smtpin26.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 8DE38181AE86C
	for <linux-mm@kvack.org>; Thu,  8 Oct 2020 18:24:38 +0000 (UTC)
X-FDA: 77349583836.26.earth73_5f0e0ae271da
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin26.hostedemail.com (Postfix) with ESMTP id 6E09A1804B668
	for <linux-mm@kvack.org>; Thu,  8 Oct 2020 18:24:38 +0000 (UTC)
X-HE-Tag: earth73_5f0e0ae271da
X-Filterd-Recvd-Size: 4520
Received: from mail-ej1-f68.google.com (mail-ej1-f68.google.com [209.85.218.68])
	by imf49.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Thu,  8 Oct 2020 18:24:37 +0000 (UTC)
Received: by mail-ej1-f68.google.com with SMTP id t25so9434165ejd.13
        for <linux-mm@kvack.org>; Thu, 08 Oct 2020 11:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=Borjchw/TSeW3kJDI9UKxpuNWct0CBHNGPaPSuEeWc0=;
        b=IRLUvU6KvCA9S8YqNRovWPVwdRX38O6TQeYHK3U+O1R156cyJO7W0l5DeI6ZC6WDUj
         8bAcQcTGuQ80kphRc7K57wpCXH02eMHVeEat+TbOJfRp2LGKVnvmlu7XCq/8P8Khf7LI
         fJp/AB1ZS/Cdp9N99hecl6fZ5uRXvRFDepWAUt/clMIL5Cl2cJPK8QdHb/v7jbFDnO/U
         JwoRHe6FM8obRsuCAyuye38uRj58FOZqbWKkQF8WMSCds5U7Ao9OAMAKC/5RUN012jmW
         3yRJKx6UGAWBwIHpmBzHrBr1BAHD+I2YkdymeW0lrwPbzXjcY7dv0vNOyIqSBCl4i7og
         Rekg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=Borjchw/TSeW3kJDI9UKxpuNWct0CBHNGPaPSuEeWc0=;
        b=jpU4ntWs3iGeaxIMz9FuxhHxrmFQKiaoTcOuRYscImp7X/q21mjVTjoCP+TppweGxp
         8dowudn5xWqR/W4zZ4FPWXZDv/Cj6AD1h6vrjwWwhnCThmNjU/EZoT4ZHkdZqp8BLhgQ
         hypnf46otflC9fD14UzRb31MCr0V3/MEU01ZqQmfnnnL2nWIKAydkzshTaoB3dweKitT
         BHpDve+f6VMOy1YZ/CZpzdyATKJy4u7DYWNQF62LLXwJcuaz7Pv9+Bsp10/7/aQV4Dxu
         +cVESR7fSv+Dl1wL3pCh4Tz/TS01zpAL8ficQx/QQsFsDFEfBK7ioZw8W+/KOGpzE+kD
         Fn2w==
X-Gm-Message-State: AOAM5309CsDVlbfmaAZttmdxTnu3Je004fVn7RzfHs4U/7ITfLCym3Zc
	GhKM2cai9BITRtJcceapg8wAZEfzrb9Lv2n9PJs4Gg==
X-Google-Smtp-Source: ABdhPJzL2QX6JHv/YMDr/k6dMfOuCOooSIAnhsR97uRydnSAr6eU9VWguUWdd7kXmEHnUTejzMEO8wZSq7maWqIl8UQ=
X-Received: by 2002:a17:906:fcae:: with SMTP id qw14mr10420740ejb.537.1602181476510;
 Thu, 08 Oct 2020 11:24:36 -0700 (PDT)
MIME-Version: 1.0
References: <20201008165408.38228-1-toiwoton@gmail.com> <CAG48ez1OU9PFQ06mf4L59SEmi6Vwxnao8RuVXH=dCiyMhqVwYA@mail.gmail.com>
 <3413d0c8-17c7-fbae-e5fa-74a918e61239@gmail.com>
In-Reply-To: <3413d0c8-17c7-fbae-e5fa-74a918e61239@gmail.com>
From: Jann Horn <jannh@google.com>
Date: Thu, 8 Oct 2020 20:24:10 +0200
Message-ID: <CAG48ez2bDCEKxUdFUQ2MAkJgKi1zN+h46ypC2zNr0a1fp-FqWQ@mail.gmail.com>
Subject: Re: [PATCH RESEND v2] mm: Optional full ASLR for mmap() and mremap()
To: Topi Miettinen <toiwoton@gmail.com>
Cc: linux-hardening@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>, 
	Linux-MM <linux-mm@kvack.org>, kernel list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000021, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Thu, Oct 8, 2020 at 8:10 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> On 8.10.2020 20.13, Jann Horn wrote:
> > On Thu, Oct 8, 2020 at 6:54 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> >> Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
> >> enables full randomization of memory mappings created with mmap(NULL,
> >> ...). With 2, the base of the VMA used for such mappings is random,
> >> but the mappings are created in predictable places within the VMA and
> >> in sequential order. With 3, new VMAs are created to fully randomize
> >> the mappings. Also mremap(..., MREMAP_MAYMOVE) will move the mappings
> >> even if not necessary.
> > [...]
> >> +       if ((flags & MREMAP_MAYMOVE) && randomize_va_space >= 3) {
> >> +               /*
> >> +                * Caller is happy with a different address, so let's
> >> +                * move even if not necessary!
> >> +                */
> >> +               new_addr = arch_mmap_rnd();
> >> +
> >> +               ret = mremap_to(addr, old_len, new_addr, new_len,
> >> +                               &locked, flags, &uf, &uf_unmap_early,
> >> +                               &uf_unmap);
> >> +               goto out;
> >> +       }
> >
> > You just pick a random number as the address, and try to place the
> > mapping there? Won't this fail if e.g. the old address range overlaps
> > with the new one, causing mremap_to() to bail out at "if (addr +
> > old_len > new_addr && new_addr + new_len > addr)"?
>
> Thanks for the review. I think overlap would be OK in this case and the
> check should be skipped.

No, mremap() can't deal with overlap (and trying to add such support
would make mremap() unnecessarily complicated).