public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed

From: dcashman@android•com (Daniel Cashman)
To: linux-arm-kernel@lists•infradead.org
Subject: [PATCH v3 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR.
Date: Wed, 25 Nov 2015 11:16:46 -0800	[thread overview]
Message-ID: <5656091E.6080803@android.com> (raw)
In-Reply-To: <CAGXu5jKaW=H1WWuW_M4LpfcGGUWE3yvsiMnzMiAbeta__YpSJg@mail.gmail.com>

On 11/24/2015 04:47 PM, Kees Cook wrote:
> On Tue, Nov 24, 2015 at 4:40 PM, Andrew Morton
> <akpm@linux-foundation•org> wrote:
>> On Wed, 18 Nov 2015 15:20:05 -0800 Daniel Cashman <dcashman@android•com> wrote:
>>
>>> --- a/kernel/sysctl.c
>>> +++ b/kernel/sysctl.c
>>> @@ -1568,6 +1568,28 @@ static struct ctl_table vm_table[] = {
>>>               .mode           = 0644,
>>>               .proc_handler   = proc_doulongvec_minmax,
>>>       },
>>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>>> +     {
>>> +             .procname       = "mmap_rnd_bits",
>>> +             .data           = &mmap_rnd_bits,
>>> +             .maxlen         = sizeof(mmap_rnd_bits),
>>> +             .mode           = 0644,
>>
>> Is there any harm in permitting the attacker to read these values?
>>
>> And is there any benefit in permitting non-attackers to read them?
> 
> I'm on the fence. Things like kernel/randomize_va_space is 644. But
> since I don't see a benefit in exposing them, let's make them all 600
> instead -- it's a new interface, better to keep it narrower now.

Is there any harm in allowing the attacker to read these values? Nothing
immediately comes to mind.  It is a form of information leakage, and I
guess a local attacker could use this information to calibrate an attack
or decide whether or not brute-forcing is a worthy approach, but this
easily could be leaked in other ways as well.

Is there a benefit to allowing non-attackers to read them?  Possibly
could be used in tests seeking to verify the system environment, but
again, this could be discovered in other ways.

I like Kees' suggestion of starting narrow and granting if need arises.

>>>
>>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
>>> +int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
>>> +int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
>>> +int mmap_rnd_bits = CONFIG_ARCH_MMAP_RND_BITS;
>>> +#endif
>>> +#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
>>> +int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
>>> +int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
>>> +int mmap_rnd_compat_bits = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
>>
>> These could be __read_mostly.
>>
>> If one believes in such things.  One effect of __read_mostly is to
>> clump the write-often stuff into the same cachelines and I've never
>> been convinced that one outweighs the other...
> 
> The _min and _max values should be const, actually, since they're
> build-time selected. The _bits could easily be __read_mostly, yeah.

Yes, one would generally expect these to never be touched, and even if
they were, the threshold of __read_mostly would certainly be crossed.

-Dan

next prev parent reply	other threads:[~2015-11-25 19:16 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-18 23:20 [PATCH v3 0/4] Allow customizable random offset to mmap_base address Daniel Cashman
2015-11-18 23:20 ` [PATCH v3 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR Daniel Cashman
2015-11-18 23:20   ` [PATCH v3 2/4] arm: mm: support ARCH_MMAP_RND_BITS Daniel Cashman
2015-11-18 23:20     ` [PATCH v3 3/4] arm64: " Daniel Cashman
2015-11-18 23:20       ` [PATCH v3 4/4] x86: " Daniel Cashman
2015-11-19  0:16         ` Daniel Cashman
2015-11-23 15:04       ` [PATCH v3 3/4] arm64: " Will Deacon
2015-11-23 18:55         ` Daniel Cashman
2015-11-25  4:26           ` Michael Ellerman
2015-11-25 19:32             ` Daniel Cashman
2015-11-25 12:06           ` Catalin Marinas
2015-11-25 20:39             ` Daniel Cashman
2015-11-27  8:36               ` Andrey Ryabinin
2015-11-27  9:32                 ` Catalin Marinas
2015-11-19  0:14   ` [PATCH v3 1/4] mm: mmap: Add new /proc tunable for mmap_base ASLR Daniel Cashman
2015-11-25  0:40   ` Andrew Morton
2015-11-25  0:47     ` Kees Cook
2015-11-25 19:16       ` Daniel Cashman [this message]
2015-11-25  4:40   ` Michael Ellerman
2015-11-25 19:36     ` Daniel Cashman
2015-11-25  0:39 ` [PATCH v3 0/4] Allow customizable random offset to mmap_base address Andrew Morton
2015-11-25 19:07   ` Daniel Cashman
2015-11-26 15:11     ` Martin Schwidefsky
2015-11-26  7:07   ` Michael Ellerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5656091E.6080803@android.com \
    --to=dcashman@android$(echo .)com \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox