[PATCH v3 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.
From: Kees Cook <hidden>
Date: 2015-11-25 00:47:42
Also in: linux-mm, lkml
On Tue, Nov 24, 2015 at 4:40 PM, Andrew Morton [off-list ref] wrote:
On Wed, 18 Nov 2015 15:20:05 -0800 Daniel Cashman [off-list ref] wrote:
--- a/kernel/sysctl.c +++ b/kernel/sysctl.c@@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = { .mode = 0644, .proc_handler = proc_doulongvec_minmax, }, +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS + { + .procname = "mmap_rnd_bits", + .data = &mmap_rnd_bits, + .maxlen = sizeof(mmap_rnd_bits), + .mode = 0644,Is there any harm in permitting the attacker to read these values? And is there any benefit in permitting non-attackers to read them?
I'm on the fence. Things like kernel/randomize_va_space is 644. But since I don't see a benefit in exposing them, let's make them all 600 instead -- it's a new interface, better to keep it narrower now.
+ .proc_handler = proc_dointvec_minmax, + .extra1 = &mmap_rnd_bits_min, + .extra2 = &mmap_rnd_bits_max, + }, +#endif +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS + { + .procname = "mmap_rnd_compat_bits", + .data = &mmap_rnd_compat_bits, + .maxlen = sizeof(mmap_rnd_compat_bits), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &mmap_rnd_compat_bits_min, + .extra2 = &mmap_rnd_compat_bits_max, + }, +#endif ... +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS +int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN; +int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX; +int mmap_rnd_bits = CONFIG_ARCH_MMAP_RND_BITS; +#endif +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS +int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN; +int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX; +int mmap_rnd_compat_bits = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;These could be __read_mostly. If one believes in such things. One effect of __read_mostly is to clump the write-often stuff into the same cachelines and I've never been convinced that one outweighs the other...
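Review bot: Both new vm_table entries, "mmap_rnd_bits" and "mmap_rnd_compat_bits", set `.mode = 0644`, which lets any local user read how many bits of mmap base randomization are in effect. Nothing in the visible hunk needs an unprivileged reader, so `.mode = 0600` on both entries keeps the new interface narrow. It is easier to relax the mode later than to tighten it once userspace depends on reading the files.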
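Review bot: In the definitions hunk, `mmap_rnd_bits_min`, `mmap_rnd_bits_max` and their `_compat_` counterparts are plain writable `int` globals, yet they are only ever assigned from `CONFIG_ARCH_MMAP_RND_*_MIN/_MAX` and serve as the `.extra1`/`.extra2` bounds for `proc_dointvec_minmax`. Declaring them `const int` documents that they are build-time limits and keeps the clamp range out of writable data, so the range the sysctl accepts cannot drift at runtime. The `.extra1`/`.extra2` initialisers in the table hunk may need adjusting for the added qualifier.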
The _min and _max values should be const, actually, since they're build-time selected. The _bits could easily be __read_mostly, yeah.

-Kees

--
Kees Cook
Chrome OS & Brillo Security