From: Ingo Molnar <mingo@kernel.org>
To: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Kees Cook <keescook@chromium.org>,
Ismael Ripoll Ripoll <iripoll@upv.es>
Subject: Re: [PATCH] x86: Enable full randomization on i386 and X86_32.
Date: Fri, 11 Mar 2016 09:51:08 +0100 [thread overview]
Message-ID: <20160311085108.GA29750@gmail.com> (raw)
In-Reply-To: <1457639460-5242-1-git-send-email-hecmargi@upv.es>
* Hector Marco-Gisbert <hecmargi@upv.es> wrote:
> Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
> the stack and the executable are randomized but not other mmapped files
> (libraries, vDSO, etc.). This patch enables randomization for the
> libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
>
> By default on i386 there are 8 bits for the randomization of the libraries,
> vDSO and mmaps which only uses 1MB of VA.
>
> This patch preserves the original randomness, using 1MB of VA out of 3GB or
> 4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
>
> The first obvious security benefit is that all objects are randomized (not
> only the stack and the executable) in legacy mode which highly increases
> the ASLR effectiveness, otherwise the attackers may use these
> non-randomized areas. But also sensitive setuid/setgid applications are
> more secure because currently, attackers can disable the randomization of
> these applications by setting the ulimit stack to "unlimited". This is a
> very old and widely known trick to disable the ASLR in i386 which has been
> allowed for too long.
>
> Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
> personality flag, but fortunately this doesn't work on setuid/setgid
> applications because there are security checks which clear security-relevant
> flags.
>
> This patch always randomizes the mmap_legacy_base address, removing the
> possibility to disable the ASLR by setting the stack to "unlimited".
>
>
> Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
> Signed-off-by: Ismael Ripoll Ripoll <iripoll@upv.es>
This signoff line is not valid (primary author is first SOB line, patch submitter
is last SOB line), I've changed the second Signed-off-by to an Acked-by.
Thanks,
Ingo
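As an added example, not part of this thread or of the kernel patch: a small Python script that measures how many address bits of the libc, vDSO and stack mappings actually vary across freshly executed processes, which is the observable effect the patch description is about. Running it once normally and once under `ulimit -s unlimited` on an i386 (or 32-bit legacy layout) system shows whether the legacy mmap base loses its randomization. The names `SAMPLE_MAPS`, `mapping_start`, `varying_bits` and `sample_layout` are my own, and the sample maps text is constructed, not captured from a real system.

```python
import subprocess

# Constructed /proc/self/maps excerpt in the i386 legacy layout (sample data, not real).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234 /bin/true
b7e00000-b7fa0000 r-xp 00000000 08:01 5678 /lib/libc.so.6
b7fd0000-b7fd1000 r-xp 00000000 00:00 0 [vdso]
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""


def mapping_start(maps_text, name):
    """Return the start address of the first mapping whose path contains `name`,
    or None if no such mapping is present (anonymous mappings have no path)."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and name in fields[5]:
            return int(fields[0].split("-")[0], 16)
    return None


def varying_bits(addresses):
    """Count the address bit positions that differ across the samples.
    This is an upper bound on the randomization bits observed so far:
    a non-randomized mapping yields 0, and the 8-bit mmap randomization
    the patch description mentions would approach 8 with enough samples."""
    if not addresses:
        return 0
    diff = 0
    for a in addresses[1:]:
        diff |= a ^ addresses[0]
    return bin(diff).count("1")


def sample_layout(name, runs=32):
    """Exec `runs` fresh processes (exec, not fork, so each gets a new layout)
    and collect where the mapping called `name` lands in each of them."""
    addrs = []
    for _ in range(runs):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        start = mapping_start(out, name)
        if start is not None:
            addrs.append(start)
    return addrs


if __name__ == "__main__":
    for name in ("libc", "[vdso]", "[stack]"):
        addrs = sample_layout(name)
        print(f"{name}: {len(set(addrs))} distinct of {len(addrs)} runs, "
              f"{varying_bits(addrs)} varying bits")
```

A mapping that reports 0 varying bits across many runs is not randomized; with the legacy layout described above that is what libc and the vDSO show under an unlimited stack limit before the patch.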
Thread overview: 8+ messages
2016-03-10 19:51 [PATCH] x86: Enable full randomization on i386 and X86_32 Hector Marco-Gisbert
2016-03-10 20:23 ` Kees Cook
2016-03-10 20:53 ` Arjan van de Ven
2016-03-10 21:05 ` Kees Cook
2016-03-11 8:53 ` Ingo Molnar
2016-03-11 16:19 ` Kees Cook
2016-03-11 8:51 ` Ingo Molnar [this message]
2016-03-12 15:15 ` [tip:x86/mm] x86/mm/32: " tip-bot for Hector Marco-Gisbert