From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
"Russell King" <linux@arm.linux.org.uk>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Will Deacon" <will.deacon@arm.com>,
"Ralf Baechle" <ralf@linux-mips.org>,
"Benjamin Herrenschmidt" <benh@kernel.crashing.org>,
"Paul Mackerras" <paulus@samba.org>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
"Heiko Carstens" <heiko.carstens@de.ibm.com>,
linux390@de.ibm.com, x86@kernel.org,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Oleg Nesterov" <oleg@redhat.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"David A. Long" <dave.long@linaro.org>,
"Andrey Ryabinin" <a.ryabinin@samsung.com>,
"Arun Chandran" <achandran@mvista.com>,
"Yann Droneaud" <ydroneaud@opteya.com>,
"Min-Hua Chen" <orca.chen@gmail.com>,
"Paul Burton" <paul.burton@imgtec.com>,
"Alex Smith" <alex@alex-smith.me.uk>,
"Markos Chandras" <markos.chandras@imgtec.com>,
"Jeff Bailey" <jeffbailey@google.com>,
"Vineeth Vijayan" <vvijayan@mvista.com>,
"Michael Holzheu" <holzheu@linux.vnet.ibm.com>,
"Ben Hutchings" <ben@decadent.org.uk>,
"Hector Marco-Gisbert" <hecmargi@upv.es>,
"Borislav Petkov" <bp@suse.de>, "Jan-Simon Möller" <dl9pf@gmx.de>,
linux-arm-kernel@lists.infradead.org, linux-mips@linux-mips.org,
linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Borislav Petkov" <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
"Thomas Gleixner" <tglx@linutronix.de>
Subject: Re: [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR
Date: Tue, 3 Mar 2015 08:31:32 +0100 [thread overview]
Message-ID: <20150303073132.GA30602@gmail.com> (raw)
In-Reply-To: <1425341988-1599-1-git-send-email-keescook@chromium.org>
* Kees Cook <keescook@chromium.org> wrote:
> To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
> ASLR from mmap ASLR, as already done on s390. The architectures
> that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
> and x86), have their various forms of arch_mmap_rnd() made available
> via the new CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these architectures,
> arch_randomize_brk() is collapsed as well.
>
> This is an alternative to the solutions in:
> https://lkml.org/lkml/2015/2/23/442
Looks good so far:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
While reviewing this series I also noticed that the following code
could be factored out from architecture mmap code as well:
- arch_pick_mmap_layout() uses very similar patterns across the
platforms, with only few variations. Many architectures use
the same duplicated mmap_is_legacy() helper as well. There's
usually just trivial differences between mmap_legacy_base()
approaches as well.
- arch_mmap_rnd(): the PF_RANDOMIZE checks are needlessly
exposed to the arch routine - the arch routine should only
concentrate on arch details, not generic flags like
PF_RANDOMIZE.
In theory the mmap layout could be fully parametrized as well: i.e. no
callback functions to architectures by default at all: just
declarations of bits of randomization desired (or, available address
space bits), and perhaps an arch helper to allow 32-bit vs. 64-bit
address space distinctions.
'Weird' architectures could provide special routines, but only by
overriding the default behavior, which should be generic, safe and
robust.
Thanks,
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: linux-mips@linux-mips.org, "Arun Chandran" <achandran@mvista.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Heiko Carstens" <heiko.carstens@de.ibm.com>,
"Oleg Nesterov" <oleg@redhat.com>,
"Min-Hua Chen" <orca.chen@gmail.com>,
"Paul Mackerras" <paulus@samba.org>,
"H. Peter Anvin" <hpa@zytor.com>,
"Yann Droneaud" <ydroneaud@opteya.com>,
linux-s390@vger.kernel.org,
"Russell King" <linux@arm.linux.org.uk>,
"Andrey Ryabinin" <a.ryabinin@samsung.com>,
x86@kernel.org, "Hector Marco-Gisbert" <hecmargi@upv.es>,
"David A. Long" <dave.long@linaro.org>,
"Borislav Petkov" <bp@suse.de>,
"Ben Hutchings" <ben@decadent.org.uk>,
"Will Deacon" <will.deacon@arm.com>,
linux-fsdevel@vger.kernel.org, "Borislav Petkov" <bp@alien8.de>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Michael Holzheu" <holzheu@linux.vnet.ibm.com>,
linux-arm-kernel@lists.infradead.org,
"Jeff Bailey" <jeffbailey@google.com>,
"Paul Burton" <paul.burton@imgtec.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org,
"Ralf Baechle" <ralf@linux-mips.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Vineeth Vijayan" <vvijayan@mvista.com>,
"Markos Chandras" <markos.chandras@imgtec.com>,
"Jan-Simon Möller" <dl9pf@gmx.de>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
linux390@de.ibm.com, akpm@linux-foundation.org,
linuxppc-dev@lists.ozlabs.org,
"Alex Smith" <alex@alex-smith.me.uk>
Subject: Re: [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR
Date: Tue, 3 Mar 2015 08:31:32 +0100 [thread overview]
Message-ID: <20150303073132.GA30602@gmail.com> (raw)
In-Reply-To: <1425341988-1599-1-git-send-email-keescook@chromium.org>
* Kees Cook <keescook@chromium.org> wrote:
> To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
> ASLR from mmap ASLR, as already done on s390. The architectures
> that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
> and x86), have their various forms of arch_mmap_rnd() made available
> via the new CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these architectures,
> arch_randomize_brk() is collapsed as well.
>
> This is an alternative to the solutions in:
> https://lkml.org/lkml/2015/2/23/442
Looks good so far:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
While reviewing this series I also noticed that the following code
could be factored out from architecture mmap code as well:
- arch_pick_mmap_layout() uses very similar patterns across the
platforms, with only few variations. Many architectures use
the same duplicated mmap_is_legacy() helper as well. There's
usually just trivial differences between mmap_legacy_base()
approaches as well.
- arch_mmap_rnd(): the PF_RANDOMIZE checks are needlessly
exposed to the arch routine - the arch routine should only
concentrate on arch details, not generic flags like
PF_RANDOMIZE.
In theory the mmap layout could be fully parametrized as well: i.e. no
callback functions to architectures by default at all: just
declarations of bits of randomization desired (or, available address
space bits), and perhaps an arch helper to allow 32-bit vs. 64-bit
address space distinctions.
'Weird' architectures could provide special routines, but only by
overriding the default behavior, which should be generic, safe and
robust.
Thanks,
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: mingo@kernel.org (Ingo Molnar)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR
Date: Tue, 3 Mar 2015 08:31:32 +0100 [thread overview]
Message-ID: <20150303073132.GA30602@gmail.com> (raw)
In-Reply-To: <1425341988-1599-1-git-send-email-keescook@chromium.org>
* Kees Cook <keescook@chromium.org> wrote:
> To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
> ASLR from mmap ASLR, as already done on s390. The architectures
> that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
> and x86), have their various forms of arch_mmap_rnd() made available
> via the new CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these architectures,
> arch_randomize_brk() is collapsed as well.
>
> This is an alternative to the solutions in:
> https://lkml.org/lkml/2015/2/23/442
Looks good so far:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
While reviewing this series I also noticed that the following code
could be factored out from architecture mmap code as well:
- arch_pick_mmap_layout() uses very similar patterns across the
platforms, with only few variations. Many architectures use
the same duplicated mmap_is_legacy() helper as well. There's
usually just trivial differences between mmap_legacy_base()
approaches as well.
- arch_mmap_rnd(): the PF_RANDOMIZE checks are needlessly
exposed to the arch routine - the arch routine should only
concentrate on arch details, not generic flags like
PF_RANDOMIZE.
In theory the mmap layout could be fully parametrized as well: i.e. no
callback functions to architectures by default at all: just
declarations of bits of randomization desired (or, available address
space bits), and perhaps an arch helper to allow 32-bit vs. 64-bit
address space distinctions.
'Weird' architectures could provide special routines, but only by
overriding the default behavior, which should be generic, safe and
robust.
Thanks,
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
Russell King <linux@arm.linux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ralf Baechle <ralf@linux-mips.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
linux390@de.ibm.com, x86@kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Oleg Nesterov <oleg@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
"David A. Long" <dave.long@linaro.org>,
Andrey Ryabinin <a.ryabinin@samsung.com>,
Arun Chandran <achandran@mvista.com>,
Yann Droneaud <ydroneaud@opteya.com>,
Min-Hua Chen <orca.chen@gmail.com>,
Paul Burton <paul.burton@imgtec.com>,
Alex Smith <alex@alex-smith.me.uk>,
Markos Chandras <markos.chandras
Subject: Re: [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR
Date: Tue, 3 Mar 2015 08:31:32 +0100 [thread overview]
Message-ID: <20150303073132.GA30602@gmail.com> (raw)
In-Reply-To: <1425341988-1599-1-git-send-email-keescook@chromium.org>
* Kees Cook <keescook@chromium.org> wrote:
> To address the "offset2lib" ASLR weakness[1], this separates ET_DYN
> ASLR from mmap ASLR, as already done on s390. The architectures
> that are already randomizing mmap (arm, arm64, mips, powerpc, s390,
> and x86), have their various forms of arch_mmap_rnd() made available
> via the new CONFIG_ARCH_HAS_ELF_RANDOMIZE. For these architectures,
> arch_randomize_brk() is collapsed as well.
>
> This is an alternative to the solutions in:
> https://lkml.org/lkml/2015/2/23/442
Looks good so far:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
While reviewing this series I also noticed that the following code
could be factored out from architecture mmap code as well:
- arch_pick_mmap_layout() uses very similar patterns across the
platforms, with only few variations. Many architectures use
the same duplicated mmap_is_legacy() helper as well. There's
usually just trivial differences between mmap_legacy_base()
approaches as well.
- arch_mmap_rnd(): the PF_RANDOMIZE checks are needlessly
exposed to the arch routine - the arch routine should only
concentrate on arch details, not generic flags like
PF_RANDOMIZE.
In theory the mmap layout could be fully parametrized as well: i.e. no
callback functions to architectures by default at all: just
declarations of bits of randomization desired (or, available address
space bits), and perhaps an arch helper to allow 32-bit vs. 64-bit
address space distinctions.
'Weird' architectures could provide special routines, but only by
overriding the default behavior, which should be generic, safe and
robust.
Thanks,
Ingo
next prev parent reply other threads:[~2015-03-03 7:31 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-03 0:19 [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` [PATCH 1/5] arm: factor out mmap ASLR into mmap_rnd Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-09 14:48 ` Russell King - ARM Linux
2015-03-09 14:48 ` Russell King - ARM Linux
2015-03-09 14:48 ` Russell King - ARM Linux
2015-03-09 14:48 ` Russell King - ARM Linux
2015-03-03 0:19 ` [PATCH 2/5] mm: expose arch_mmap_rnd when available Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-09 14:49 ` Russell King - ARM Linux
2015-03-09 14:49 ` Russell King - ARM Linux
2015-03-09 14:49 ` Russell King - ARM Linux
2015-03-09 14:49 ` Russell King - ARM Linux
2015-03-03 0:19 ` [PATCH 3/5] mm: move randomize_et_dyn into ELF_ET_DYN_BASE Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` [PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-04 4:16 ` Michael Ellerman
2015-03-04 4:16 ` Michael Ellerman
2015-03-04 4:16 ` Michael Ellerman
2015-03-04 4:16 ` Michael Ellerman
2015-03-04 21:13 ` Kees Cook
2015-03-04 21:13 ` Kees Cook
2015-03-04 21:13 ` Kees Cook
2015-03-04 21:13 ` Kees Cook
2015-03-04 23:56 ` Michael Ellerman
2015-03-04 23:56 ` Michael Ellerman
2015-03-04 23:56 ` Michael Ellerman
2015-03-04 23:56 ` Michael Ellerman
2015-03-09 15:13 ` Russell King - ARM Linux
2015-03-09 15:13 ` Russell King - ARM Linux
2015-03-09 15:13 ` Russell King - ARM Linux
2015-03-09 15:13 ` Russell King - ARM Linux
2015-03-03 0:19 ` [PATCH 5/5] mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-03 0:19 ` Kees Cook
2015-03-09 14:51 ` Russell King - ARM Linux
2015-03-09 14:51 ` Russell King - ARM Linux
2015-03-09 14:51 ` Russell King - ARM Linux
2015-03-09 14:51 ` Russell King - ARM Linux
2015-03-03 7:31 ` Ingo Molnar [this message]
2015-03-03 7:31 ` [PATCH v2 0/5] split ET_DYN ASLR from mmap ASLR Ingo Molnar
2015-03-03 7:31 ` Ingo Molnar
2015-03-03 7:31 ` Ingo Molnar
2015-03-03 18:03 ` Kees Cook
2015-03-03 18:03 ` Kees Cook
2015-03-03 18:03 ` Kees Cook
2015-03-03 18:03 ` Kees Cook
2015-03-04 4:20 ` Ingo Molnar
2015-03-04 4:20 ` Ingo Molnar
2015-03-04 4:20 ` Ingo Molnar
2015-03-04 4:20 ` Ingo Molnar
2015-03-09 15:15 ` Russell King - ARM Linux
2015-03-09 15:15 ` Russell King - ARM Linux
2015-03-09 15:15 ` Russell King - ARM Linux
2015-03-09 15:15 ` Russell King - ARM Linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150303073132.GA30602@gmail.com \
--to=mingo@kernel.org \
--cc=a.ryabinin@samsung.com \
--cc=achandran@mvista.com \
--cc=akpm@linux-foundation.org \
--cc=alex@alex-smith.me.uk \
--cc=ben@decadent.org.uk \
--cc=benh@kernel.crashing.org \
--cc=bp@alien8.de \
--cc=bp@suse.de \
--cc=catalin.marinas@arm.com \
--cc=dave.long@linaro.org \
--cc=dl9pf@gmx.de \
--cc=hecmargi@upv.es \
--cc=heiko.carstens@de.ibm.com \
--cc=holzheu@linux.vnet.ibm.com \
--cc=hpa@zytor.com \
--cc=jeffbailey@google.com \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux390@de.ibm.com \
--cc=linux@arm.linux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luto@amacapital.net \
--cc=markos.chandras@imgtec.com \
--cc=mpe@ellerman.id.au \
--cc=oleg@redhat.com \
--cc=orca.chen@gmail.com \
--cc=paul.burton@imgtec.com \
--cc=paulus@samba.org \
--cc=ralf@linux-mips.org \
--cc=schwidefsky@de.ibm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=vvijayan@mvista.com \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
--cc=ydroneaud@opteya.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.