From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752218AbdJTOMc (ORCPT ); Fri, 20 Oct 2017 10:12:32 -0400 Received: from mail-io0-f179.google.com ([209.85.223.179]:47010 "EHLO mail-io0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751722AbdJTOMa (ORCPT ); Fri, 20 Oct 2017 10:12:30 -0400 X-Google-Smtp-Source: ABhQp+QiH/zYxbx7O69pM/u9qCQHbCSmHpesQr5ZIPxmkTMoPAnCi1hwgrT/zS757t28T/Bbpq1k8LNO53V7Mr2ej10= MIME-Version: 1.0 In-Reply-To: <20171020084542.mq2y2qsvbxzidhug@dhcp22.suse.cz> References: <20171004075059.bbx7madwgwflb7ky@dhcp22.suse.cz> <20171016134446.19910-1-mhocko@kernel.org> <20171016134446.19910-3-mhocko@kernel.org> <20171016184335.hj6osq7su24e75jz@dhcp22.suse.cz> <20171017090424.hfw64zumekcavgug@dhcp22.suse.cz> <20171019112001.fjqxazjb6sargrqa@dhcp22.suse.cz> <20171020084542.mq2y2qsvbxzidhug@dhcp22.suse.cz> From: Kees Cook Date: Fri, 20 Oct 2017 07:12:29 -0700 X-Google-Sender-Auth: XW3yQq-cFDuT2hJdUz2PBATyYGY Message-ID: Subject: Re: [PATCH 2/2] fs, elf: drop MAP_FIXED from initial ET_DYN segment To: Michal Hocko Cc: LKML , Linus Torvalds , Jiri Kosina , Al Viro , Oleg Nesterov , Ingo Molnar , Baoquan He Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 20, 2017 at 1:45 AM, Michal Hocko wrote: > On Thu 19-10-17 10:19:40, Kees Cook wrote: >> On Thu, Oct 19, 2017 at 4:20 AM, Michal Hocko wrote: >> > On Tue 17-10-17 13:01:04, Kees Cook wrote: >> >> On Tue, Oct 17, 2017 at 2:04 AM, Michal Hocko wrote: >> > [...] >> >> > I am not insisting on this patch but it seems to me is just makes a >> >> > recoverable state a failure. >> >> >> >> Right, I understand you're trying to make it recoverable. I'm >> >> suggesting that making it recoverable provides a way for an attack to >> >> abuse it, and that what we'd be recovering from is a case we should >> >> never ever see. >> >> >> >> Consider the case where through some future bug/feature, it's possible >> >> to put the stack at an arbitrary location during an exec. (We've >> >> worked to fix that already, but who knows what the future holds either >> >> through misfeatures or bugs.) If an attacker maps the stack over a >> >> large portion of the PIE exec range, patch 2 will result in vmmap >> >> searching out a location that isn't already allocated. This means that >> >> instead of the PIE ASLR choosing from the entire possible range, it >> >> will get limited to only the area where something isn't already >> >> overlapping. This would give an attacker the ability to control the >> >> PIE ASLR, possibly forcing it into a fixed location. >> > >> > Yes, I guess I understand that part. What is not clear to me exactly is >> > why this matters as we have the mmap_base randomized and not under the >> > control of the attacker. >> >> mmap_base is separate from the PIE base, so patch 2 would allow for a >> reduction of the PIE ASLR entropy in the case of a novel overlap >> attack. > > OK, it seems that I am just too dull see through your concerns here. I'm probably not explaining it well enough! :( > Anyway, are you willing to ack the patch 1 (when metag fix is included)? > I would resubmit in that case and ask for merging without patch 2. Yup, I really like patch 1: it protects us from "impossible" situations, which we know rarely stay impossible. :) -Kees -- Kees Cook Pixel Security