• Daniel Cashman's avatar
    mm: mmap: add new /proc tunable for mmap_base ASLR · d07e2259
    Daniel Cashman authored
    Address Space Layout Randomization (ASLR) provides a barrier to
    exploitation of user-space processes in the presence of security
    vulnerabilities by making it more difficult to find desired code/data
    which could help an attack.  This is done by adding a random offset to
    the location of regions in the process address space, with a greater
    range of potential offset values corresponding to better protection/a
    larger search-space for brute force, but also to greater potential for
    fragmentation.
    
    The offset added to the mmap_base address, which provides the basis for
    the majority of the mappings for a process, is set once on process exec
    in arch_pick_mmap_layout() and is done via hard-coded per-arch values,
    which reflect, hopefully, the best compromise for all systems.  The
    trade-off between increased entropy in the offset value generation and
    the corresponding increased variability in address space fragmentation
    is not absolute, however, and some platforms may tolerate higher amounts
    of entropy.  This patch introduces both new Kconfig values and a sysctl
    interface which may be used to change the amount of entropy used for
    offset generation on a system.
    
    The direct motivation for this change was in response to the
    libstagefright vulnerabilities that affected Android, specifically to
    information provided by Google's project zero at:
    
      http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html
    
    The attack presented therein, by Google's project zero, specifically
    targeted the limited randomness used to generate the offset added to the
    mmap_base address in order to craft a brute-force-based attack.
    Concretely, the attack was against the mediaserver process, which was
    limited to respawning every 5 seconds, on an arm device.  The hard-coded
    8 bits used resulted in an average expected success rate of defeating
    the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a
    piece).  With this patch, and an accompanying increase in the entropy
    value to 16 bits, the same attack would take an average expected time of
    over 45 hours (32768 tries), which makes it both less feasible and more
    likely to be noticed.
    
    The introduced Kconfig and sysctl options are limited by per-arch
    minimum and maximum values, the minimum of which was chosen to match the
    current hard-coded value and the maximum of which was chosen so as to
    give the greatest flexibility without generating an invalid mmap_base
    address, generally a 3-4 bits less than the number of bits in the
    user-space accessible virtual address space.
    
    When decided whether or not to change the default value, a system
    developer should consider that mmap_base address could be placed
    anywhere up to 2^(value) bits away from the non-randomized location,
    which would introduce variable-sized areas above and below the mmap_base
    address such that the maximum vm_area_struct size may be reduced,
    preventing very large allocations.
    
    This patch (of 4):
    
    ASLR only uses as few as 8 bits to generate the random offset for the
    mmap base address on 32 bit architectures.  This value was chosen to
    prevent a poorly chosen value from dividing the address space in such a
    way as to prevent large allocations.  This may not be an issue on all
    platforms.  Allow the specification of a minimum number of bits so that
    platforms desiring greater ASLR protection may determine where to place
    the trade-off.
    Signed-off-by: default avatarDaniel Cashman <dcashman@google.com>
    Cc: Russell King <linux@arm.linux.org.uk>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Don Zickus <dzickus@redhat.com>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Mark Salyzyn <salyzyn@android.com>
    Cc: Jeff Vander Stoep <jeffv@google.com>
    Cc: Nick Kralevich <nnk@google.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Hector Marco-Gisbert <hecmargi@upv.es>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
    Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    d07e2259
Kconfig 18.7 KB