Re: [PATCH v3 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Nov 24, 2015 at 4:40 PM, Andrew Morton
<akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 18 Nov 2015 15:20:05 -0800 Daniel Cashman <dcashman@xxxxxxxxxxx> wrote:
>
>> --- a/kernel/sysctl.c
>> +++ b/kernel/sysctl.c
>> @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
>>               .mode           = 0644,
>>               .proc_handler   = proc_doulongvec_minmax,
>>       },
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> +     {
>> +             .procname       = "mmap_rnd_bits",
>> +             .data           = &mmap_rnd_bits,
>> +             .maxlen         = sizeof(mmap_rnd_bits),
>> +             .mode           = 0644,
>
> Is there any harm in permitting the attacker to read these values?
>
> And is there any benefit in permitting non-attackers to read them?

I'm on the fence. Things like kernel/randomize_va_space is 644. But
since I don't see a benefit in exposing them, let's make them all 600
instead -- it's a new interface, better to keep it narrower now.

>
>> +             .proc_handler   = proc_dointvec_minmax,
>> +             .extra1         = &mmap_rnd_bits_min,
>> +             .extra2         = &mmap_rnd_bits_max,
>> +     },
>> +#endif
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
>> +     {
>> +             .procname       = "mmap_rnd_compat_bits",
>> +             .data           = &mmap_rnd_compat_bits,
>> +             .maxlen         = sizeof(mmap_rnd_compat_bits),
>> +             .mode           = 0644,
>> +             .proc_handler   = proc_dointvec_minmax,
>> +             .extra1         = &mmap_rnd_compat_bits_min,
>> +             .extra2         = &mmap_rnd_compat_bits_max,
>> +     },
>> +#endif
>>
>> ...
>>
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>> +int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
>> +int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
>> +int mmap_rnd_bits = CONFIG_ARCH_MMAP_RND_BITS;
>> +#endif
>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
>> +int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
>> +int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
>> +int mmap_rnd_compat_bits = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
>
> These could be __read_mostly.
>
> If one believes in such things.  One effect of __read_mostly is to
> clump the write-often stuff into the same cachelines and I've never
> been convinced that one outweighs the other...

The _min and _max values should be const, actually, since they're
build-time selected. The _bits could easily be __read_mostly, yeah.

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]