Re: [PATCH v9] mm: Optional full ASLR for mmap(), mremap(), vdso, stack and heap

From: Topi Miettinen
Date: Wed Jan 13 2021 - 06:25:07 EST

Next message: Ulf Hansson: "Re: [PATCH] mmc: mediatek: fix race condition between msdc_request_timeout and irq"
Previous message: Mike Rapoport: "Re: [PATCH v3 1/2] x86/setup: don't remove E820_TYPE_RAM for pfn 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4.1.2021 17.53, Topi Miettinen wrote:

Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
enables full randomization of memory mappings. With 2, the base of the
VMA used for such mappings is random, but the mappings are created in
predictable places within the VMA and in sequential order. With 3, new
VMAs are created to fully randomize the mappings.

Mappings created with mmap(NULL, ...) are randomized and mremap(...,
MREMAP_MAYMOVE) will move the mappings even if not necessary. The
locations of heap (memory allocated with brk()), stack and vdso are
also randomized.

It seems that always moving the mappings in mremap() can expose bugs where the callers don't actually expect the mappings to move, even though MREMAP_MAYMOVE is specified (Debian libapt-pkg6.0):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980037

Perhaps this part should be a separate option to avoid tripping such bugs when compatibility is more important than improved ASLR and debugging. The option could be also used without randomize_va_space==3. How about something like sysctl.kernel.mremap_always_move, sysctl.vm.mremap_always_move or CONFIG_MREMAP_ALWAYS_MOVE?

-Topi

Next message: Ulf Hansson: "Re: [PATCH] mmc: mediatek: fix race condition between msdc_request_timeout and irq"
Previous message: Mike Rapoport: "Re: [PATCH v3 1/2] x86/setup: don't remove E820_TYPE_RAM for pfn 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]