Thread (13 messages) 13 messages, 3 authors, 2017-06-26

Re: [PATCH 3/4] powerpc: Reduce ELF_ET_DYN_BASE

From: Kees Cook <hidden>
Date: 2017-06-26 18:27:06
Also in: linux-arch, linux-arm-kernel, linux-s390, lkml 

On Mon, Jun 26, 2017 at 6:04 AM, Michael Ellerman [off-list ref] wrote:
Kees Cook [off-list ref] writes:
quoted
On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman [off-list ref] wrote:
quoted
Kees Cook [off-list ref] writes:
quoted
Now that explicitly executed loaders are loaded in the mmap region,
position PIE binaries lower in the address space to avoid possible
collisions with mmap or stack regions. For 64-bit, align to 4GB to
allow runtimes to use the entire 32-bit address space for 32-bit
pointers.
The change log and subject are a bit out of whack with the actual patch
because previously we used 512MB.

How about?

  powerpc: Move ELF_ET_DYN_BASE to 4GB / 4MB

  Now that explicitly executed loaders are loaded in the mmap region,
  we have more freedom to decide where we position PIE binaries in the
  address space to avoid possible collisions with mmap or stack regions.

  For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
  address space for 32-bit pointers. On 32-bit use 4MB.
Good idea, thanks. I'll resend the series with the commit logs updated.
quoted
Is there any particular reasoning behind the 4MB value on 32-bit?
So, I've dug around a bit on this, and I *think* the rationale is to
avoid mapping a possible 4MB page table entry when it won't be using
at least a portion near the lower end (NULL address area covered
blocked by mmap_min_addr). It seems to be mainly tradition, though.
OK, that is obscure, especially for CPUs that don't have a 4MB page
size. But consistency across arches is probably best regardless.
Yeah, I like being not "close" to the NULL address, though the
definition of "close" has been various values like 64K (mmap_min_addr)
and 1M (x86 BIOS junk and new stack-gap size). 4MB is above even that,
so, I think we're fine there. It's what Windows has used, so it's
familiar and any new attack methodologies would at least be shared
across OSes and architectures, so we should "notice" any problem with
the value, and then we can adjust it if we need to.

-Kees

-- 
Kees Cook
Pixel Security
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help