All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] x86: Enable full randomization on i386 and X86_32.
@ 2016-03-10 19:51 Hector Marco-Gisbert
  2016-03-10 20:23 ` Kees Cook
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Hector Marco-Gisbert @ 2016-03-10 19:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: akpm, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86,
	kees Cook, Hector Marco-Gisbert, Ismael Ripoll Ripoll

Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
the stack and the executable are randomized but not other mmapped files
(libraries, vDSO, etc.). This patch enables randomization for the
libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. 

By default on i386 there are 8 bits for the randomization of the libraries,
vDSO and mmaps which only uses 1MB of VA.

This patch preserves the original randomness, using 1MB of VA out of 3GB or
4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.

The first obvious security benefit is that all objects are randomized (not
only the stack and the executable) in legacy mode which highly increases
the ASLR effectiveness, otherwise the attackers may use these
non-randomized areas. But also sensitive setuid/setgid applications are
more secure because currently, attackers can disable the randomization of
these applications by setting the ulimit stack to "unlimited". This is a
very old and widely known trick to disable the ASLR in i386 which has been
allowed for too long.

Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
personality flag, but fortunately this doesn't work on setuid/setgid
applications because there is security checks which clear Security-relevant
flags. 

This patch always randomizes the mmap_legacy_base address, removing the
possibility to disable the ASLR by setting the stack to "unlimited".


Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll Ripoll <iripoll@upv.es>
---
 arch/x86/mm/mmap.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 72bb52f..d2dc043 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
 }
 
 /*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
-	if (mmap_is_ia32())
-		return TASK_UNMAPPED_BASE;
-	else
-		return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
  * This function, called very early during the creation of a new
  * process VM image, sets up which VM layout function to use:
  */
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
 	if (current->flags & PF_RANDOMIZE)
 		random_factor = arch_mmap_rnd();
 
-	mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+	mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
 
 	if (mmap_is_legacy()) {
 		mm->mmap_base = mm->mmap_legacy_base;
-- 
1.9.1

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
  2016-03-10 19:51 [PATCH] x86: Enable full randomization on i386 and X86_32 Hector Marco-Gisbert
@ 2016-03-10 20:23 ` Kees Cook
  2016-03-10 20:53   ` Arjan van de Ven
  2016-03-11  8:51 ` Ingo Molnar
  2016-03-12 15:15 ` [tip:x86/mm] x86/mm/32: " tip-bot for Hector Marco-Gisbert
  2 siblings, 1 reply; 8+ messages in thread
From: Kees Cook @ 2016-03-10 20:23 UTC (permalink / raw)
  To: Hector Marco-Gisbert
  Cc: LKML, Andrew Morton, Thomas Gleixner, Ingo Molnar,
	H. Peter Anvin, x86, Ismael Ripoll Ripoll, Harvey Harrison,
	Arjan van de Ven

On Thu, Mar 10, 2016 at 11:51 AM, Hector Marco-Gisbert <hecmargi@upv.es> wrote:
> Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
> the stack and the executable are randomized but not other mmapped files
> (libraries, vDSO, etc.). This patch enables randomization for the
> libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
>
> By default on i386 there are 8 bits for the randomization of the libraries,
> vDSO and mmaps which only uses 1MB of VA.
>
> This patch preserves the original randomness, using 1MB of VA out of 3GB or
> 4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
>
> The first obvious security benefit is that all objects are randomized (not
> only the stack and the executable) in legacy mode which highly increases
> the ASLR effectiveness, otherwise the attackers may use these
> non-randomized areas. But also sensitive setuid/setgid applications are
> more secure because currently, attackers can disable the randomization of
> these applications by setting the ulimit stack to "unlimited". This is a
> very old and widely known trick to disable the ASLR in i386 which has been
> allowed for too long.
>
> Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
> personality flag, but fortunately this doesn't work on setuid/setgid
> applications because there is security checks which clear Security-relevant
> flags.
>
> This patch always randomizes the mmap_legacy_base address, removing the
> possibility to disable the ASLR by setting the stack to "unlimited".
>
>
> Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
> Signed-off-by: Ismael Ripoll Ripoll <iripoll@upv.es>

Thanks! This has bugged me for a long time. :)

Acked-by: Kees Cook <keescook@chromium.org>

Arjan, or other folks, can you remember why x86_32 disabled mmap
randomization here? There doesn't seem to be a good reason for it that
I see.

-Kees

> ---
>  arch/x86/mm/mmap.c | 14 +-------------
>  1 file changed, 1 insertion(+), 13 deletions(-)
>
> diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
> index 72bb52f..d2dc043 100644
> --- a/arch/x86/mm/mmap.c
> +++ b/arch/x86/mm/mmap.c
> @@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
>  }
>
>  /*
> - * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
> - * does, but not when emulating X86_32
> - */
> -static unsigned long mmap_legacy_base(unsigned long rnd)
> -{
> -       if (mmap_is_ia32())
> -               return TASK_UNMAPPED_BASE;
> -       else
> -               return TASK_UNMAPPED_BASE + rnd;
> -}
> -
> -/*
>   * This function, called very early during the creation of a new
>   * process VM image, sets up which VM layout function to use:
>   */
> @@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
>         if (current->flags & PF_RANDOMIZE)
>                 random_factor = arch_mmap_rnd();
>
> -       mm->mmap_legacy_base = mmap_legacy_base(random_factor);
> +       mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
>
>         if (mmap_is_legacy()) {
>                 mm->mmap_base = mm->mmap_legacy_base;
> --
> 1.9.1
>



-- 
Kees Cook
Chrome OS & Brillo Security

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
  2016-03-10 20:23 ` Kees Cook
@ 2016-03-10 20:53   ` Arjan van de Ven
  2016-03-10 21:05     ` Kees Cook
  0 siblings, 1 reply; 8+ messages in thread
From: Arjan van de Ven @ 2016-03-10 20:53 UTC (permalink / raw)
  To: Kees Cook, Hector Marco-Gisbert
  Cc: LKML, Andrew Morton, Thomas Gleixner, Ingo Molnar,
	H. Peter Anvin, x86, Ismael Ripoll Ripoll, Harvey Harrison

> Arjan, or other folks, can you remember why x86_32 disabled mmap
> randomization here? There doesn't seem to be a good reason for it that
> I see.

for unlimited stack it got really messy with threaded apps.

anyway, I don't mind seeing if this will indeed work, with time running out
where 32 bit is going extinct... in a few years we just won't have enough
testing on this kind of change anymore.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
  2016-03-10 20:53   ` Arjan van de Ven
@ 2016-03-10 21:05     ` Kees Cook
  2016-03-11  8:53       ` Ingo Molnar
  0 siblings, 1 reply; 8+ messages in thread
From: Kees Cook @ 2016-03-10 21:05 UTC (permalink / raw)
  To: Arjan van de Ven, Ingo Molnar
  Cc: Hector Marco-Gisbert, LKML, Andrew Morton, Thomas Gleixner,
	H. Peter Anvin, x86, Ismael Ripoll Ripoll, Harvey Harrison

On Thu, Mar 10, 2016 at 12:53 PM, Arjan van de Ven
<arjan@linux.intel.com> wrote:
>> Arjan, or other folks, can you remember why x86_32 disabled mmap
>> randomization here? There doesn't seem to be a good reason for it that
>> I see.
>
>
> for unlimited stack it got really messy with threaded apps.

Seems like it'd only cause problems for really really giant processes?
(I think it's telling that the other 32-bit archs don't disable ASLR
in this case...)

> anyway, I don't mind seeing if this will indeed work, with time running out
> where 32 bit is going extinct... in a few years we just won't have enough
> testing on this kind of change anymore.

Sounds good. Ingo, can you pull this in and we can try it for -next?

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
  2016-03-10 19:51 [PATCH] x86: Enable full randomization on i386 and X86_32 Hector Marco-Gisbert
  2016-03-10 20:23 ` Kees Cook
@ 2016-03-11  8:51 ` Ingo Molnar
  2016-03-12 15:15 ` [tip:x86/mm] x86/mm/32: " tip-bot for Hector Marco-Gisbert
  2 siblings, 0 replies; 8+ messages in thread
From: Ingo Molnar @ 2016-03-11  8:51 UTC (permalink / raw)
  To: Hector Marco-Gisbert
  Cc: linux-kernel, akpm, Thomas Gleixner, Ingo Molnar, H. Peter Anvin,
	x86, kees Cook, Ismael Ripoll Ripoll


* Hector Marco-Gisbert <hecmargi@upv.es> wrote:

> Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
> the stack and the executable are randomized but not other mmapped files
> (libraries, vDSO, etc.). This patch enables randomization for the
> libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. 
> 
> By default on i386 there are 8 bits for the randomization of the libraries,
> vDSO and mmaps which only uses 1MB of VA.
> 
> This patch preserves the original randomness, using 1MB of VA out of 3GB or
> 4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
> 
> The first obvious security benefit is that all objects are randomized (not
> only the stack and the executable) in legacy mode which highly increases
> the ASLR effectiveness, otherwise the attackers may use these
> non-randomized areas. But also sensitive setuid/setgid applications are
> more secure because currently, attackers can disable the randomization of
> these applications by setting the ulimit stack to "unlimited". This is a
> very old and widely known trick to disable the ASLR in i386 which has been
> allowed for too long.
> 
> Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
> personality flag, but fortunately this doesn't work on setuid/setgid
> applications because there is security checks which clear Security-relevant
> flags. 
> 
> This patch always randomizes the mmap_legacy_base address, removing the
> possibility to disable the ASLR by setting the stack to "unlimited".
> 
> 
> Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
> Signed-off-by: Ismael Ripoll Ripoll <iripoll@upv.es>

This signoff line is not valid (primary author is first SOB line, patch submitted 
is last SOB line), I've changed the second Signed-off-by to an Acked-by.

Thanks,

	Ingo

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
  2016-03-10 21:05     ` Kees Cook
@ 2016-03-11  8:53       ` Ingo Molnar
  2016-03-11 16:19         ` Kees Cook
  0 siblings, 1 reply; 8+ messages in thread
From: Ingo Molnar @ 2016-03-11  8:53 UTC (permalink / raw)
  To: Kees Cook
  Cc: Arjan van de Ven, Ingo Molnar, Hector Marco-Gisbert, LKML,
	Andrew Morton, Thomas Gleixner, H. Peter Anvin, x86,
	Ismael Ripoll Ripoll, Harvey Harrison


* Kees Cook <keescook@chromium.org> wrote:

> On Thu, Mar 10, 2016 at 12:53 PM, Arjan van de Ven
> <arjan@linux.intel.com> wrote:
> >> Arjan, or other folks, can you remember why x86_32 disabled mmap
> >> randomization here? There doesn't seem to be a good reason for it that
> >> I see.
> >
> >
> > for unlimited stack it got really messy with threaded apps.
> 
> Seems like it'd only cause problems for really really giant processes?
> (I think it's telling that the other 32-bit archs don't disable ASLR
> in this case...)

IIRC there was some sort of specific breakage with unlimited stack apps - I don't 
remember the exact details.

> > anyway, I don't mind seeing if this will indeed work, with time running out 
> > where 32 bit is going extinct... in a few years we just won't have enough 
> > testing on this kind of change anymore.
> 
> Sounds good. Ingo, can you pull this in and we can try it for -next?

Ok, we can certainly try. If there's breakage with old distros then we might need 
to put this behind a legacy Kconfig switch.

Thanks,

	Ingo

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
  2016-03-11  8:53       ` Ingo Molnar
@ 2016-03-11 16:19         ` Kees Cook
  0 siblings, 0 replies; 8+ messages in thread
From: Kees Cook @ 2016-03-11 16:19 UTC (permalink / raw)
  To: Ingo Molnar
  Cc: Arjan van de Ven, Ingo Molnar, Hector Marco-Gisbert, LKML,
	Andrew Morton, Thomas Gleixner, H. Peter Anvin, x86,
	Ismael Ripoll Ripoll, Harvey Harrison

On Fri, Mar 11, 2016 at 12:53 AM, Ingo Molnar <mingo@kernel.org> wrote:
>
> * Kees Cook <keescook@chromium.org> wrote:
>
>> On Thu, Mar 10, 2016 at 12:53 PM, Arjan van de Ven
>> <arjan@linux.intel.com> wrote:
>> >> Arjan, or other folks, can you remember why x86_32 disabled mmap
>> >> randomization here? There doesn't seem to be a good reason for it that
>> >> I see.
>> >
>> >
>> > for unlimited stack it got really messy with threaded apps.
>>
>> Seems like it'd only cause problems for really really giant processes?
>> (I think it's telling that the other 32-bit archs don't disable ASLR
>> in this case...)
>
> IIRC there was some sort of specific breakage with unlimited stack apps - I don't
> remember the exact details.
>
>> > anyway, I don't mind seeing if this will indeed work, with time running out
>> > where 32 bit is going extinct... in a few years we just won't have enough
>> > testing on this kind of change anymore.
>>
>> Sounds good. Ingo, can you pull this in and we can try it for -next?
>
> Ok, we can certainly try. If there's breakage with old distros then we might need
> to put this behind a legacy Kconfig switch.

Okay, sounds good. Thanks!

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [tip:x86/mm] x86/mm/32: Enable full randomization on i386 and X86_32
  2016-03-10 19:51 [PATCH] x86: Enable full randomization on i386 and X86_32 Hector Marco-Gisbert
  2016-03-10 20:23 ` Kees Cook
  2016-03-11  8:51 ` Ingo Molnar
@ 2016-03-12 15:15 ` tip-bot for Hector Marco-Gisbert
  2 siblings, 0 replies; 8+ messages in thread
From: tip-bot for Hector Marco-Gisbert @ 2016-03-12 15:15 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: arjan, mingo, iripoll, keescook, linux-kernel, hpa, tglx,
	hecmargi, peterz, torvalds

Commit-ID:  8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
Gitweb:     http://git.kernel.org/tip/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
Author:     Hector Marco-Gisbert <hecmargi@upv.es>
AuthorDate: Thu, 10 Mar 2016 20:51:00 +0100
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Fri, 11 Mar 2016 09:53:19 +0100

x86/mm/32: Enable full randomization on i386 and X86_32

Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
the stack and the executable are randomized but not other mmapped files
(libraries, vDSO, etc.). This patch enables randomization for the
libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.

By default on i386 there are 8 bits for the randomization of the libraries,
vDSO and mmaps which only uses 1MB of VA.

This patch preserves the original randomness, using 1MB of VA out of 3GB or
4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.

The first obvious security benefit is that all objects are randomized (not
only the stack and the executable) in legacy mode which highly increases
the ASLR effectiveness, otherwise the attackers may use these
non-randomized areas. But also sensitive setuid/setgid applications are
more secure because currently, attackers can disable the randomization of
these applications by setting the ulimit stack to "unlimited". This is a
very old and widely known trick to disable the ASLR in i386 which has been
allowed for too long.

Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
personality flag, but fortunately this doesn't work on setuid/setgid
applications because there is security checks which clear Security-relevant
flags.

This patch always randomizes the mmap_legacy_base address, removing the
possibility to disable the ASLR by setting the stack to "unlimited".

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Acked-by: Ismael Ripoll Ripoll <iripoll@upv.es>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: akpm@linux-foundation.org
Cc: kees Cook <keescook@chromium.org>
Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/mm/mmap.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
 }
 
 /*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
-	if (mmap_is_ia32())
-		return TASK_UNMAPPED_BASE;
-	else
-		return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
  * This function, called very early during the creation of a new
  * process VM image, sets up which VM layout function to use:
  */
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
 	if (current->flags & PF_RANDOMIZE)
 		random_factor = arch_mmap_rnd();
 
-	mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+	mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
 
 	if (mmap_is_legacy()) {
 		mm->mmap_base = mm->mmap_legacy_base;

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2016-03-12 15:16 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-10 19:51 [PATCH] x86: Enable full randomization on i386 and X86_32 Hector Marco-Gisbert
2016-03-10 20:23 ` Kees Cook
2016-03-10 20:53   ` Arjan van de Ven
2016-03-10 21:05     ` Kees Cook
2016-03-11  8:53       ` Ingo Molnar
2016-03-11 16:19         ` Kees Cook
2016-03-11  8:51 ` Ingo Molnar
2016-03-12 15:15 ` [tip:x86/mm] x86/mm/32: " tip-bot for Hector Marco-Gisbert

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.