From: Topi Miettinen <toiwoton@gmail.com>
To: Mike Rapoport <rppt@kernel.org>
Cc: linux-hardening@vger.kernel.org, akpm@linux-foundation.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@kernel.org>, Jann Horn <jannh@google.com>,
Kees Cook <keescook@chromium.org>,
Linux API <linux-api@vger.kernel.org>,
Matthew Wilcox <willy@infradead.org>
Subject: Re: [PATCH] mm/vmalloc: randomize vmalloc() allocations
Date: Thu, 10 Dec 2020 21:58:33 +0200 [thread overview]
Message-ID: <37787c16-e188-89ae-a5fb-583fd97e6661@gmail.com> (raw)
In-Reply-To: <20201203065801.GH751215@kernel.org>
On 3.12.2020 8.58, Mike Rapoport wrote:
> On Wed, Dec 02, 2020 at 08:49:06PM +0200, Topi Miettinen wrote:
>> On 1.12.2020 23.45, Topi Miettinen wrote:
>>> Memory mappings inside kernel allocated with vmalloc() are in
>>> predictable order and packed tightly toward the low addresses. With
>>> new kernel boot parameter 'randomize_vmalloc=1', the entire area is
>>> used randomly to make the allocations less predictable and harder to
>>> guess for attackers.
>>>
>>
>> This also seems to randomize module addresses. I was going to check that
>> next, so nice surprise!
>
> Heh, that's because module_alloc() uses vmalloc() in that way or another :)
I got a bit further with really using vmalloc with
[VMALLOC_START..VMALLOC_END] for modules, but then inserting a module
fails because of the relocations:
[ 9.202856] module: overflow in relocation type 11 val ffffe1950e27f080
Type 11 is R_X86_64_32S expecting a 32 bits signed offset, so the loader
obviously can't fit the relocation from the highest 2GB to somewhere 32
TB lower.
The problem seems to be that the modules aren't really built as
position-independent shared objects with -fPIE/-fPIC, but instead
there's explicit -fno-PIE. I guess the modules also shouldn't use
-mcmodel=kernel. Though tweaking the flags shows that some combinations
aren't well supported (like ’-mindirect-branch=thunk-extern’ and
‘-mcmodel=large’ are not compatible) and the handwritten assembly code
also assumes 32 bit offsets.
A different approach could be to make the entire kernel relocatable to
lower addresses and then the modules could stay close nearby. I guess
the asm files aren't written with position independence in mind either.
But it seems that I'm finding and breaking lots of assumptions built in
to the system. What's the experts' opinion, is full module/kernel
randomization ever going to fly?
-Topi
next prev parent reply other threads:[~2020-12-10 19:59 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-01 21:45 [PATCH] mm/vmalloc: randomize vmalloc() allocations Topi Miettinen
2020-12-02 18:49 ` Topi Miettinen
2020-12-03 6:58 ` Mike Rapoport
2020-12-03 23:15 ` David Laight
2020-12-04 10:58 ` Topi Miettinen
2020-12-04 13:33 ` David Laight
2020-12-04 16:53 ` Topi Miettinen
2020-12-09 19:08 ` Topi Miettinen
2020-12-10 19:58 ` Topi Miettinen [this message]
2020-12-02 18:53 ` Matthew Wilcox
2020-12-02 21:28 ` Topi Miettinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=37787c16-e188-89ae-a5fb-583fd97e6661@gmail.com \
--to=toiwoton@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=rppt@kernel.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).