Re: [RFC PATCH] Randomization of address chosen by mmap.

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Ilya Smith <blackzert@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Dan Williams <dan.j.williams@intel.com>,
	Michal Hocko <mhocko@suse.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Jan Kara <jack@suse.cz>, Jerome Glisse <jglisse@redhat.com>,
	Hugh Dickins <hughd@google.com>,
	Matthew Wilcox <willy@infradead.org>,
	Helge Deller <deller@gmx.de>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [RFC PATCH] Randomization of address chosen by mmap.
Date: Wed, 28 Feb 2018 11:54:32 -0800	[thread overview]
Message-ID: <CAGXu5jLY4eX5BMU8-2HFr2myjSL717KE-m_SAQp1yeu=cg+w7g@mail.gmail.com> (raw)
In-Reply-To: <55C92196-5398-4C19-B7A7-6C122CD78F32@gmail.com>

On Wed, Feb 28, 2018 at 9:13 AM, Ilya Smith <blackzert@gmail.com> wrote:
>> On 27 Feb 2018, at 23:52, Kees Cook <keescook@chromium.org> wrote:
>> What are the two phases here? Could this second one get collapsed into
>> the first?
>>
>
> Let me explain.
> 1. we use current implementation to get larger address. Remember it as
> ‘right_vma’.
> 2. we walk tree from mm->mmap what is lowest vma.
> 3. we check if current vma gap satisfies length and low/high constrains
> 4. if so, we call random() to decide if we choose it. This how we randomly choose vma and gap
> 5. we walk tree from lowest vma to highest and ignore subtrees with less gap.
> we do it until reach ‘right_vma’
>
> Once we found gap, we may randomly choose address inside it.
>
>>> +       addr = get_random_long() % ((high - low) >> PAGE_SHIFT);
>>> +       addr = low + (addr << PAGE_SHIFT);
>>> +       return addr;
>>>
>>
>> How large are the gaps intended to be? Looking at the gaps on
>> something like Xorg they differ a lot.
>
> Sorry, I can’t get clue. What's the context? You tried patch or whats the case?

I was trying to understand the target entropy level, and I'm worried
it's a bit biased. For example, if the first allocation lands at 1/4th
of the memory space, the next allocation (IIUC) has a 50% chance of
falling on either side of it. If it goes on the small side, it then
has much less entropy than if it had gone on the other side. I think
this may be less entropy than choosing a random address and just
seeing if it fits or not. Dealing with collisions could be done either
by pushing the address until it doesn't collide or picking another
random address, etc. This is probably more expensive, though, since it
would need to walk the vma tree repeatedly. Anyway, I was ultimately
curious about your measured entropy and what alternatives you
considered.

-Kees

-- 
Kees Cook
Pixel Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

next prev parent reply	other threads:[~2018-02-28 19:54 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-27 13:13 Ilya Smith
2018-02-27 20:52 ` Kees Cook
2018-02-27 21:31   ` lazytyped
2018-02-28 17:13   ` Ilya Smith
2018-02-28 18:33     ` Matthew Wilcox
2018-02-28 21:02       ` Daniel Micay
2018-03-03 13:58         ` Ilya Smith
2018-03-03 21:00           ` Daniel Micay
2018-03-04  3:47             ` Matthew Wilcox
2018-03-04 20:56               ` Matthew Wilcox
2018-03-05 13:09                 ` Ilya Smith
2018-03-05 14:23                   ` Daniel Micay
2018-03-05 16:05                     ` Ilya Smith
2018-03-05 16:23                   ` Matthew Wilcox
2018-03-05 19:27                     ` Ilya Smith
2018-03-05 19:47                       ` Matthew Wilcox
2018-03-05 20:20                         ` Ilya Smith
2018-03-02 20:30       ` Ilya Smith
2018-03-02 20:48         ` Matthew Wilcox
2018-03-03 15:13           ` Ilya Smith
2018-02-28 19:54     ` Kees Cook [this message]
2018-03-01 13:52       ` Ilya Smith
2018-03-02  7:17 ` 097eb0af45: kernel_BUG_at_mm/hugetlb.c kernel test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5jLY4eX5BMU8-2HFr2myjSL717KE-m_SAQp1yeu=cg+w7g@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=aarcange@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=blackzert@gmail.com \
    --cc=dan.j.williams@intel.com \
    --cc=deller@gmx.de \
    --cc=hughd@google.com \
    --cc=jack@suse.cz \
    --cc=jglisse@redhat.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@suse.com \
    --cc=oleg@redhat.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox