From: Bhupesh Sharma <bhsharma@redhat.com>
To: linuxppc-dev@lists.ozlabs.org,
	kernel-hardening@lists.openwall.com,
	linux-kernel@vger.kernel.org
Cc: dcashman@google.com, mpe@ellerman.id.au, bhupesh.linux@gmail.com,
	keescook@chromium.org, bhsharma@redhat.com, agraf@suse.com,
	benh@kernel.crashing.org, paulus@samba.org, agust@denx.de,
	alistair@popple.id.au, mporter@kernel.crashing.org,
	vitb@kernel.crashing.org, oss@buserror.net,
	galak@kernel.crashing.org, dcashman@android.com
Subject: [PATCH v3] powerpc: mm: support ARCH_MMAP_RND_BITS
Date: Wed, 29 Mar 2017 01:15:47 +0530	[thread overview]
Message-ID: <1490730347-5165-1-git-send-email-bhsharma@redhat.com> (raw)

powerpc arch_mmap_rnd() currently uses hard-coded values - (23-PAGE_SHIFT) for
32-bit and (30-PAGE_SHIFT) for 64-bit, to generate the random offset
for the mmap base address for an ASLR ELF.

This patch makes sure that powerpc mmap arch_mmap_rnd() implementation
is similar to other ARCHs (like x86, arm64) and uses mmap_rnd_bits
and helpers to generate the mmap address randomization.

The maximum and minimum randomization range values represent
a compromise between increased ASLR effectiveness and avoiding
address-space fragmentation.

Using the Kconfig option and suitable /proc tunable, platform
developers may choose where to place this compromise.

Also this patch keeps the default values as new minimums.

Signed-off-by: Bhupesh Sharma <bhsharma@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
* Changes since v2:
v2 can be seen here (https://patchwork.kernel.org/patch/9551509/)
    - Changed a few minimum and maximum randomization ranges as per Michael's suggestion.
    - Corrected Kees's email address in the Reviewed-by line.
    - Added further comments in kconfig to explain how the address ranges were worked out.

* Changes since v1:
v1 can be seen here (https://lists.ozlabs.org/pipermail/linuxppc-dev/2017-February/153594.html)
    - No functional change in this patch.
    - Dropped PATCH 2/2 from v1 as recommended by Kees Cook.

 arch/powerpc/Kconfig   | 44 ++++++++++++++++++++++++++++++++++++++++++++
 arch/powerpc/mm/mmap.c |  7 ++++---
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 97a8bc8..84aae67 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -22,6 +22,48 @@ config MMU
 	bool
 	default y
 
+# min bits determined by the following formula:
+# VA_BITS - PAGE_SHIFT - CONSTANT
+# where,
+# 	VA_BITS = 46 bits for 64BIT and 4GB - 1 Page = 31 bits for 32BIT
+# 	CONSTANT = 16 for 64BIT and 8 for 32BIT
+config ARCH_MMAP_RND_BITS_MIN
+       default 5 if PPC_256K_PAGES && 32BIT  # 31 - 18 - 8 = 5
+       default 7 if PPC_64K_PAGES && 32BIT   # 31 - 16 - 8 = 7
+       default 9 if PPC_16K_PAGES && 32BIT   # 31 - 14 - 8 = 9
+       default 11 if PPC_4K_PAGES && 32BIT   # 31 - 12 - 8 = 11
+       default 12 if PPC_256K_PAGES && 64BIT # 46 - 18 - 16 = 12
+       default 14 if PPC_64K_PAGES && 64BIT  # 46 - 16 - 16 = 14
+       default 16 if PPC_16K_PAGES && 64BIT  # 46 - 14 - 16 = 16
+       default 18 if PPC_4K_PAGES && 64BIT   # 46 - 12 - 16 = 18
+
+# max bits determined by the following formula:
+# VA_BITS - PAGE_SHIFT - CONSTANT
+# where, 
+# 	VA_BITS = 46 bits for 64BIT, and 4GB - 1 Page = 31 bits for 32BIT
+# 	CONSTANT = 2, both for 64BIT and 32BIT
+config ARCH_MMAP_RND_BITS_MAX
+       default 11 if PPC_256K_PAGES && 32BIT # 31 - 18 - 2 = 11
+       default 13 if PPC_64K_PAGES && 32BIT  # 31 - 16 - 2 = 13
+       default 15 if PPC_16K_PAGES && 32BIT  # 31 - 14 - 2 = 15
+       default 17 if PPC_4K_PAGES && 32BIT   # 31 - 12 - 2 = 17
+       default 26 if PPC_256K_PAGES && 64BIT # 46 - 18 - 2 = 26
+       default 28 if PPC_64K_PAGES && 64BIT  # 46 - 16 - 2 = 28
+       default 30 if PPC_16K_PAGES && 64BIT  # 46 - 14 - 2 = 30
+       default 32 if PPC_4K_PAGES && 64BIT   # 46 - 12 - 2 = 32
+
+config ARCH_MMAP_RND_COMPAT_BITS_MIN
+       default 5 if PPC_256K_PAGES
+       default 7 if PPC_64K_PAGES
+       default 9 if PPC_16K_PAGES
+       default 11
+
+config ARCH_MMAP_RND_COMPAT_BITS_MAX
+       default 11 if PPC_256K_PAGES
+       default 13 if PPC_64K_PAGES
+       default 15 if PPC_16K_PAGES 
+       default 17
+
 config HAVE_SETUP_PER_CPU_AREA
 	def_bool PPC64
 
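Review bot: The derivation comment above ARCH_MMAP_RND_BITS_MIN, repeated above ARCH_MMAP_RND_BITS_MAX, states `4GB - 1 Page = 31 bits`, yet 4GB is 2^32, so the 31 used in every 32BIT line cannot be reproduced from the comment as written; it should name the address-space limit the 31 is derived from, e.g. `# VA_BITS = 46 for 64BIT, 31 for 32BIT (<limit the 31 comes from>)`. The two COMPAT entries carry no derivation at all although their values mirror the 32BIT ones; a line such as `# compat tasks use the 32BIT values above` would make that explicit. Since these bounds cap how much mmap entropy an administrator can configure, the CONSTANT terms (16/8 for min, 2 for max) also deserve a word on why they were chosen. The new entries are indented with spaces and two lines (`# where, ` and `default 15 if PPC_16K_PAGES `) end in trailing whitespace, while the surrounding context uses tabs. The same hunk is repeated in the second copy of this message further down the page.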
@@ -142,6 +184,8 @@ config PPC
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select HAVE_KERNEL_GZIP
 	select HAVE_KPROBES
+	select HAVE_ARCH_MMAP_RND_BITS
+	select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
 	select HAVE_KRETPROBES
 	select HAVE_LIVEPATCH			if HAVE_DYNAMIC_FTRACE_WITH_REGS
 	select HAVE_MEMBLOCK
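Review bot: The two new `select` lines are inserted between `HAVE_KPROBES` and `HAVE_KRETPROBES`, which breaks the alphabetical order the visible neighbours follow; `HAVE_ARCH_MMAP_RND_BITS` and `HAVE_ARCH_MMAP_RND_COMPAT_BITS` would sort with any other `HAVE_ARCH_*` entries, presumably earlier in the list outside this hunk. The condition on the second line is separated by a single space, whereas the `HAVE_LIVEPATCH` line aligns its `if` with tabs: `select HAVE_ARCH_MMAP_RND_COMPAT_BITS	if COMPAT`. The `config PPC` block starts and ends outside the hunk, and the same hunk is repeated in the second copy of the message below.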
diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
index a5d9ef5..92a9355 100644
--- a/arch/powerpc/mm/mmap.c
+++ b/arch/powerpc/mm/mmap.c
@@ -61,11 +61,12 @@ unsigned long arch_mmap_rnd(void)
 {
 	unsigned long rnd;
 
-	/* 8MB for 32bit, 1GB for 64bit */
+#ifdef CONFIG_COMPAT
 	if (is_32bit_task())
-		rnd = get_random_long() % (1<<(23-PAGE_SHIFT));
+		rnd = get_random_long() & ((1UL << mmap_rnd_compat_bits) - 1);
 	else
-		rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT));
+#endif
+		rnd = get_random_long() & ((1UL << mmap_rnd_bits) - 1);
 
 	return rnd << PAGE_SHIFT;
 }
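Review bot: The removed `/* 8MB for 32bit, 1GB for 64bit */` comment is not replaced, so arch_mmap_rnd() no longer says how large the randomised span is or where its limits come from. A comment such as `/* rnd is a page count of mmap_rnd_bits / mmap_rnd_compat_bits random bits, bounded by the ARCH_MMAP_RND_*_BITS_MIN/MAX Kconfig values */` above the `#ifdef` would restore that. It would also help to note that the `#ifdef CONFIG_COMPAT` guard is there because `HAVE_ARCH_MMAP_RND_COMPAT_BITS` is selected only `if COMPAT`, so `mmap_rnd_compat_bits` is presumably not available otherwise, and that the `else` deliberately binds to the statement after `#endif`. The same hunk appears again in the second copy of the message below.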
-- 
2.7.4

WARNING: multiple messages have this Message-ID (diff)
From: Bhupesh Sharma <bhsharma@redhat.com>
To: linuxppc-dev@lists.ozlabs.org,
	kernel-hardening@lists.openwall.com,
	linux-kernel@vger.kernel.org
Cc: dcashman@google.com, mpe@ellerman.id.au, bhupesh.linux@gmail.com,
	keescook@chromium.org, bhsharma@redhat.com, agraf@suse.com,
	benh@kernel.crashing.org, paulus@samba.org, agust@denx.de,
	alistair@popple.id.au, mporter@kernel.crashing.org,
	vitb@kernel.crashing.org, oss@buserror.net,
	galak@kernel.crashing.org, dcashman@android.com
Subject: [kernel-hardening] [PATCH v3] powerpc: mm: support ARCH_MMAP_RND_BITS
Date: Wed, 29 Mar 2017 01:15:47 +0530	[thread overview]
Message-ID: <1490730347-5165-1-git-send-email-bhsharma@redhat.com> (raw)

powerpc arch_mmap_rnd() currently uses hard-coded values - (23-PAGE_SHIFT) for
32-bit and (30-PAGE_SHIFT) for 64-bit, to generate the random offset
for the mmap base address for an ASLR ELF.

This patch makes sure that powerpc mmap arch_mmap_rnd() implementation
is similar to other ARCHs (like x86, arm64) and uses mmap_rnd_bits
and helpers to generate the mmap address randomization.

The maximum and minimum randomization range values represent
a compromise between increased ASLR effectiveness and avoiding
address-space fragmentation.

Using the Kconfig option and suitable /proc tunable, platform
developers may choose where to place this compromise.

Also this patch keeps the default values as new minimums.

Signed-off-by: Bhupesh Sharma <bhsharma@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
* Changes since v2:
v2 can be seen here (https://patchwork.kernel.org/patch/9551509/)
    - Changed a few minimum and maximum randomization ranges as per Michael's suggestion.
    - Corrected Kees's email address in the Reviewed-by line.
    - Added further comments in kconfig to explain how the address ranges were worked out.

* Changes since v1:
v1 can be seen here (https://lists.ozlabs.org/pipermail/linuxppc-dev/2017-February/153594.html)
    - No functional change in this patch.
    - Dropped PATCH 2/2 from v1 as recommended by Kees Cook.

 arch/powerpc/Kconfig   | 44 ++++++++++++++++++++++++++++++++++++++++++++
 arch/powerpc/mm/mmap.c |  7 ++++---
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 97a8bc8..84aae67 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -22,6 +22,48 @@ config MMU
 	bool
 	default y
 
+# min bits determined by the following formula:
+# VA_BITS - PAGE_SHIFT - CONSTANT
+# where,
+# 	VA_BITS = 46 bits for 64BIT and 4GB - 1 Page = 31 bits for 32BIT
+# 	CONSTANT = 16 for 64BIT and 8 for 32BIT
+config ARCH_MMAP_RND_BITS_MIN
+       default 5 if PPC_256K_PAGES && 32BIT  # 31 - 18 - 8 = 5
+       default 7 if PPC_64K_PAGES && 32BIT   # 31 - 16 - 8 = 7
+       default 9 if PPC_16K_PAGES && 32BIT   # 31 - 14 - 8 = 9
+       default 11 if PPC_4K_PAGES && 32BIT   # 31 - 12 - 8 = 11
+       default 12 if PPC_256K_PAGES && 64BIT # 46 - 18 - 16 = 12
+       default 14 if PPC_64K_PAGES && 64BIT  # 46 - 16 - 16 = 14
+       default 16 if PPC_16K_PAGES && 64BIT  # 46 - 14 - 16 = 16
+       default 18 if PPC_4K_PAGES && 64BIT   # 46 - 12 - 16 = 18
+
+# max bits determined by the following formula:
+# VA_BITS - PAGE_SHIFT - CONSTANT
+# where, 
+# 	VA_BITS = 46 bits for 64BIT, and 4GB - 1 Page = 31 bits for 32BIT
+# 	CONSTANT = 2, both for 64BIT and 32BIT
+config ARCH_MMAP_RND_BITS_MAX
+       default 11 if PPC_256K_PAGES && 32BIT # 31 - 18 - 2 = 11
+       default 13 if PPC_64K_PAGES && 32BIT  # 31 - 16 - 2 = 13
+       default 15 if PPC_16K_PAGES && 32BIT  # 31 - 14 - 2 = 15
+       default 17 if PPC_4K_PAGES && 32BIT   # 31 - 12 - 2 = 17
+       default 26 if PPC_256K_PAGES && 64BIT # 46 - 18 - 2 = 26
+       default 28 if PPC_64K_PAGES && 64BIT  # 46 - 16 - 2 = 28
+       default 30 if PPC_16K_PAGES && 64BIT  # 46 - 14 - 2 = 30
+       default 32 if PPC_4K_PAGES && 64BIT   # 46 - 12 - 2 = 32
+
+config ARCH_MMAP_RND_COMPAT_BITS_MIN
+       default 5 if PPC_256K_PAGES
+       default 7 if PPC_64K_PAGES
+       default 9 if PPC_16K_PAGES
+       default 11
+
+config ARCH_MMAP_RND_COMPAT_BITS_MAX
+       default 11 if PPC_256K_PAGES
+       default 13 if PPC_64K_PAGES
+       default 15 if PPC_16K_PAGES 
+       default 17
+
 config HAVE_SETUP_PER_CPU_AREA
 	def_bool PPC64
 
@@ -142,6 +184,8 @@ config PPC
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select HAVE_KERNEL_GZIP
 	select HAVE_KPROBES
+	select HAVE_ARCH_MMAP_RND_BITS
+	select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
 	select HAVE_KRETPROBES
 	select HAVE_LIVEPATCH			if HAVE_DYNAMIC_FTRACE_WITH_REGS
 	select HAVE_MEMBLOCK
diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
index a5d9ef5..92a9355 100644
--- a/arch/powerpc/mm/mmap.c
+++ b/arch/powerpc/mm/mmap.c
@@ -61,11 +61,12 @@ unsigned long arch_mmap_rnd(void)
 {
 	unsigned long rnd;
 
-	/* 8MB for 32bit, 1GB for 64bit */
+#ifdef CONFIG_COMPAT
 	if (is_32bit_task())
-		rnd = get_random_long() % (1<<(23-PAGE_SHIFT));
+		rnd = get_random_long() & ((1UL << mmap_rnd_compat_bits) - 1);
 	else
-		rnd = get_random_long() % (1UL<<(30-PAGE_SHIFT));
+#endif
+		rnd = get_random_long() & ((1UL << mmap_rnd_bits) - 1);
 
 	return rnd << PAGE_SHIFT;
 }
-- 
2.7.4
