From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Thomas Garnier <thgarnie@google.com>,
Pintu Agarwal <pintu.ping@gmail.com>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Marc Zyngier <marc.zyngier@arm.com>,
Kernelnewbies <kernelnewbies@kernelnewbies.org>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
open list <linux-kernel@vger.kernel.org>,
Tony Lindgren <tony@atomide.com>,
nico@linaro.org, Dave Martin <dave.martin@arm.com>,
matt@codeblueprint.co.uk,
"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: KASLR support on ARM with Kernel 4.9 and 4.14
Date: Fri, 25 Sep 2020 13:47:22 -0700 [thread overview]
Message-ID: <202009251338.D17FB071@keescook> (raw)
In-Reply-To: <CAMj1kXGtv84JHQfKoqOYyq=3m2w0Yuj_n4_Teo83zvdZ9kpZhw@mail.gmail.com>
On Fri, Sep 25, 2020 at 10:37:01PM +0200, Ard Biesheuvel wrote:
> On Fri, 25 Sep 2020 at 22:28, Kees Cook <keescook@chromium.org> wrote:
> >
> > On Fri, Sep 25, 2020 at 08:33:59PM +0530, Pintu Agarwal wrote:
> > > This is regarding the KASLR feature support on ARM for the kernel
> > > version 4.9 and 4.14.
> > >
> > > Is KASLR supported on ARM-32 Linux 4.9 and above ?
> >
> > Sorry, this feature did not yet land in upstream:
> > https://github.com/KSPP/linux/issues/3
> >
> > Here was the earlier effort:
> > https://lore.kernel.org/kernel-hardening/20170814125411.22604-1-ard.biesheuvel@linaro.org/
> >
> > > Is it dependent on CONFIG_RANDOMIZE_BASE or
> >
> > CONFIG_RANDOMIZE_BASE is what is used on other architectures to control
> > the feature.
> >
> > > /proc/sys/kernel/randomize_va_space ?
> > > Is there any relation between these two?
> >
> > No, the latter is about userspace addresses.
> >
> > > Is the changing kernel symbols (in every boot), only possible if KASLR
> > > is enabled, or there is another way it can happen?
> >
> > I think you meant kernel symbol addresses (not the symbols themselves).
> > But yes, I wouldn't expect the addresses to move if you didn't either
> > rebuild the kernel or had something else moving the kernel at boot (i.e.
> > the boot loader).
> >
> > > I have these queries because,
> > > In one of the arm-32 devices with Kernel 4.14, I observed that
> > > CONFIG_RANDOMIZE_BASE is not available.
> > > But /proc/sys/kernel/randomize_va_space is set to 2.
> > > However, I also observed that symbol addresses are changing in every boot.
> > >
> > > 1st boot cycle:
> > > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > > a5b4de92 T sys_open
> > > [root@sa515m ~]#
> > >
> > > 2nd boot cycle:
> > > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > > f546ed66 T sys_open
> > >
> > > So, I am wondering how this is possible without KASLR
> > > (CONFIG_RANDOMIZE_BASE) support in Kernel ?
>
> Those addresses were obfuscated by kptr_restrict
Is that true? kptr_restrict zeros (rather than hashing) the kallsyms
view. And besides, the %p hashing was added in v4.15 (but also doesn't
touch kallsyms, which does all-or-nothing to avoid breaking stuff
like perf).
--
Kees Cook
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Thomas Garnier <thgarnie@google.com>,
Pintu Agarwal <pintu.ping@gmail.com>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Marc Zyngier <marc.zyngier@arm.com>,
Kernelnewbies <kernelnewbies@kernelnewbies.org>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
open list <linux-kernel@vger.kernel.org>,
Tony Lindgren <tony@atomide.com>,
nico@linaro.org, Dave Martin <dave.martin@arm.com>,
matt@codeblueprint.co.uk,
"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: KASLR support on ARM with Kernel 4.9 and 4.14
Date: Fri, 25 Sep 2020 13:47:22 -0700 [thread overview]
Message-ID: <202009251338.D17FB071@keescook> (raw)
In-Reply-To: <CAMj1kXGtv84JHQfKoqOYyq=3m2w0Yuj_n4_Teo83zvdZ9kpZhw@mail.gmail.com>
On Fri, Sep 25, 2020 at 10:37:01PM +0200, Ard Biesheuvel wrote:
> On Fri, 25 Sep 2020 at 22:28, Kees Cook <keescook@chromium.org> wrote:
> >
> > On Fri, Sep 25, 2020 at 08:33:59PM +0530, Pintu Agarwal wrote:
> > > This is regarding the KASLR feature support on ARM for the kernel
> > > version 4.9 and 4.14.
> > >
> > > Is KASLR supported on ARM-32 Linux 4.9 and above ?
> >
> > Sorry, this feature did not yet land in upstream:
> > https://github.com/KSPP/linux/issues/3
> >
> > Here was the earlier effort:
> > https://lore.kernel.org/kernel-hardening/20170814125411.22604-1-ard.biesheuvel@linaro.org/
> >
> > > Is it dependent on CONFIG_RANDOMIZE_BASE or
> >
> > CONFIG_RANDOMIZE_BASE is what is used on other architectures to control
> > the feature.
> >
> > > /proc/sys/kernel/randomize_va_space ?
> > > Is there any relation between these two?
> >
> > No, the latter is about userspace addresses.
> >
> > > Is the changing kernel symbols (in every boot), only possible if KASLR
> > > is enabled, or there is another way it can happen?
> >
> > I think you meant kernel symbol addresses (not the symbols themselves).
> > But yes, I wouldn't expect the addresses to move if you didn't either
> > rebuild the kernel or had something else moving the kernel at boot (i.e.
> > the boot loader).
> >
> > > I have these queries because,
> > > In one of the arm-32 devices with Kernel 4.14, I observed that
> > > CONFIG_RANDOMIZE_BASE is not available.
> > > But /proc/sys/kernel/randomize_va_space is set to 2.
> > > However, I also observed that symbol addresses are changing in every boot.
> > >
> > > 1st boot cycle:
> > > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > > a5b4de92 T sys_open
> > > [root@sa515m ~]#
> > >
> > > 2nd boot cycle:
> > > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > > f546ed66 T sys_open
> > >
> > > So, I am wondering how this is possible without KASLR
> > > (CONFIG_RANDOMIZE_BASE) support in Kernel ?
>
> Those addresses were obfuscated by kptr_restrict
Is that true? kptr_restrict zeros (rather than hashing) the kallsyms
view. And besides, the %p hashing was added in v4.15 (but also doesn't
touch kallsyms, which does all-or-nothing to avoid breaking stuff
like perf).
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Pintu Agarwal <pintu.ping@gmail.com>,
Mark Rutland <mark.rutland@arm.com>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Marc Zyngier <marc.zyngier@arm.com>,
Dave Martin <dave.martin@arm.com>,
Kernelnewbies <kernelnewbies@kernelnewbies.org>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
open list <linux-kernel@vger.kernel.org>,
Tony Lindgren <tony@atomide.com>,
matt@codeblueprint.co.uk, nico@linaro.org,
Thomas Garnier <thgarnie@google.com>,
"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: KASLR support on ARM with Kernel 4.9 and 4.14
Date: Fri, 25 Sep 2020 13:47:22 -0700 [thread overview]
Message-ID: <202009251338.D17FB071@keescook> (raw)
In-Reply-To: <CAMj1kXGtv84JHQfKoqOYyq=3m2w0Yuj_n4_Teo83zvdZ9kpZhw@mail.gmail.com>
On Fri, Sep 25, 2020 at 10:37:01PM +0200, Ard Biesheuvel wrote:
> On Fri, 25 Sep 2020 at 22:28, Kees Cook <keescook@chromium.org> wrote:
> >
> > On Fri, Sep 25, 2020 at 08:33:59PM +0530, Pintu Agarwal wrote:
> > > This is regarding the KASLR feature support on ARM for the kernel
> > > version 4.9 and 4.14.
> > >
> > > Is KASLR supported on ARM-32 Linux 4.9 and above ?
> >
> > Sorry, this feature did not yet land in upstream:
> > https://github.com/KSPP/linux/issues/3
> >
> > Here was the earlier effort:
> > https://lore.kernel.org/kernel-hardening/20170814125411.22604-1-ard.biesheuvel@linaro.org/
> >
> > > Is it dependent on CONFIG_RANDOMIZE_BASE or
> >
> > CONFIG_RANDOMIZE_BASE is what is used on other architectures to control
> > the feature.
> >
> > > /proc/sys/kernel/randomize_va_space ?
> > > Is there any relation between these two?
> >
> > No, the latter is about userspace addresses.
> >
> > > Is the changing kernel symbols (in every boot), only possible if KASLR
> > > is enabled, or there is another way it can happen?
> >
> > I think you meant kernel symbol addresses (not the symbols themselves).
> > But yes, I wouldn't expect the addresses to move if you didn't either
> > rebuild the kernel or had something else moving the kernel at boot (i.e.
> > the boot loader).
> >
> > > I have these queries because,
> > > In one of the arm-32 devices with Kernel 4.14, I observed that
> > > CONFIG_RANDOMIZE_BASE is not available.
> > > But /proc/sys/kernel/randomize_va_space is set to 2.
> > > However, I also observed that symbol addresses are changing in every boot.
> > >
> > > 1st boot cycle:
> > > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > > a5b4de92 T sys_open
> > > [root@sa515m ~]#
> > >
> > > 2nd boot cycle:
> > > [root ~]# cat /proc/kallsyms | grep "sys_open"
> > > f546ed66 T sys_open
> > >
> > > So, I am wondering how this is possible without KASLR
> > > (CONFIG_RANDOMIZE_BASE) support in Kernel ?
>
> Those addresses were obfuscated by kptr_restrict
Is that true? kptr_restrict zeros (rather than hashing) the kallsyms
view. And besides, the %p hashing was added in v4.15 (but also doesn't
touch kallsyms, which does all-or-nothing to avoid breaking stuff
like perf).
--
Kees Cook
next prev parent reply other threads:[~2020-09-25 20:48 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-25 15:03 KASLR support on ARM with Kernel 4.9 and 4.14 Pintu Agarwal
2020-09-25 15:03 ` Pintu Agarwal
2020-09-25 15:03 ` Pintu Agarwal
2020-09-25 20:26 ` Kees Cook
2020-09-25 20:26 ` Kees Cook
2020-09-25 20:26 ` Kees Cook
2020-09-25 20:37 ` Ard Biesheuvel
2020-09-25 20:37 ` Ard Biesheuvel
2020-09-25 20:37 ` Ard Biesheuvel
2020-09-25 20:47 ` Kees Cook [this message]
2020-09-25 20:47 ` Kees Cook
2020-09-25 20:47 ` Kees Cook
2020-09-25 21:09 ` Ard Biesheuvel
2020-09-25 21:09 ` Ard Biesheuvel
2020-09-25 21:09 ` Ard Biesheuvel
2020-09-25 23:47 ` Kees Cook
2020-09-25 23:47 ` Kees Cook
2020-09-25 23:47 ` Kees Cook
2020-09-26 7:58 ` Pintu Agarwal
2020-09-26 7:58 ` Pintu Agarwal
2020-09-26 7:58 ` Pintu Agarwal
2020-09-26 16:40 ` Kees Cook
2020-09-26 16:40 ` Kees Cook
2020-09-26 16:40 ` Kees Cook
2020-09-28 13:45 ` Pintu Agarwal
2020-09-28 13:45 ` Pintu Agarwal
2020-09-28 13:45 ` Pintu Agarwal
2020-09-28 14:11 ` Pintu Agarwal
2020-09-28 14:11 ` Pintu Agarwal
2020-09-28 14:11 ` Pintu Agarwal
2020-09-28 19:50 ` Kees Cook
2020-09-28 19:50 ` Kees Cook
2020-09-28 19:50 ` Kees Cook
2020-09-30 13:58 ` Pintu Agarwal
2020-09-30 13:58 ` Pintu Agarwal
2020-09-30 13:58 ` Pintu Agarwal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202009251338.D17FB071@keescook \
--to=keescook@chromium.org \
--cc=ard.biesheuvel@linaro.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=dave.martin@arm.com \
--cc=kernelnewbies@kernelnewbies.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=matt@codeblueprint.co.uk \
--cc=nico@linaro.org \
--cc=pintu.ping@gmail.com \
--cc=thgarnie@google.com \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.