From: Kees Cook <keescook@chromium.org>
To: Pintu Agarwal <pintu.ping@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
	Thomas Garnier <thgarnie@google.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Marc Zyngier <marc.zyngier@arm.com>,
	open list <linux-kernel@vger.kernel.org>,
	Kernelnewbies <kernelnewbies@kernelnewbies.org>,
	Russell King - ARM Linux <linux@armlinux.org.uk>,
	Ard Biesheuvel <ardb@kernel.org>,
	Tony Lindgren <tony@atomide.com>,
	nico@linaro.org, Dave Martin <dave.martin@arm.com>,
	matt@codeblueprint.co.uk,
	"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
	<linux-arm-kernel@lists.infradead.org>
Subject: Re: KASLR support on ARM with Kernel 4.9 and 4.14
Date: Sat, 26 Sep 2020 09:40:43 -0700
Message-ID: <202009260933.C603CD8@keescook>
In-Reply-To: <CAOuPNLif93a1uHhqsKFwhd35nfCnmRu_uxpB62shOEKyQ96hNw@mail.gmail.com>

On Sat, Sep 26, 2020 at 01:28:02PM +0530, Pintu Agarwal wrote:
> On Sat, 26 Sep 2020 at 05:17, Kees Cook <keescook@chromium.org> wrote:
> > >
> > > For a 3/1 split ARM kernel of the typical size, all kernel virtual
> > > addresses start with 0xc0, and given that the kernel is located at the
> > > start of the linear map, those addresses cannot change even if you
> > > move the kernel around in physical memory.
> >
> > I wonder if this is an Android Common kernel? I think there was %p
> > hashing in there before v4.15, but with a different implementation...
> >
> 
> Hi,
> Thank you all for all your replies and comments so far!
> Here are some follow-up replies.
> 
> >> What device is this? Is it a stock kernel?
> These are Qualcomm Snapdragon Automotive boards, one with Linux Kernel
> 4.9 and one with 4.14.
> 
> >> Is the boot loader changing the base address? (What boot loader are you
> >> using?)
> Ohh, I did not know that the bootloader can also change the base address.
> I think it uses UEFI.
> How to check if the bootloader is doing this?
> BTW, both the 4.9 board and the 4.14 board use the same bootloader.
> 
> >> I wonder if this is an Android Common kernel?
> It uses the below kernel for 4.14:
> https://gitlab.com/quicla/kernel/msm-4.14/-/tree/LE.UM.3.4.2.r1.5  (or
> similar branch).

Okay, so yes. And this appears to have the hashing of %p backported. I
cannot, however, explain why it's showing hashed pointers instead of
just NULL.

It might be related to these commits but they're not in that kernel:
3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
7bd57fbc4a4d ("vsprintf: don't obfuscate NULL and error pointers")

> ==> The case where symbol addresses are changing.
> 
> kptr_restrict is set to 2 by default:
> / # cat /proc/sys/kernel/kptr_restrict
> 2
> 
> Basically, the goal is:
> * To understand how addresses are changing in 4.14 Kernel (without
> KASLR support)?
> * Is it possible to support the same in 4.9 Kernel?

Try setting kptr_restrict to 0 and see if the symbol addresses change? I
suspect Ard is correct: there's no KASLR here, just hashed pointers
behaving weird on an old non-stock kernel. :)

-- 
Kees Cook
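One way to act on the suggestion above once kptr_restrict is 0, as an added example that is not part of this mail or the kernel tree: capture /proc/kallsyms on two boots and classify how the values relate, which separates a genuine KASLR relocation (one common offset) from hashed %p output (per-symbol noise) or kptr_restrict hiding (all zeros). The sample dumps are constructed; the 0xc0000000 range check follows the 3G/1G split quoted above.

```python
# Added example for this thread (not from the mail or the kernel tree):
# diff two /proc/kallsyms dumps from successive boots to tell a real
# KASLR relocation apart from %p pointer hashing or kptr_restrict hiding.

def parse_kallsyms(dump: str) -> dict:
    """Map symbol name -> address for lines in /proc/kallsyms format:
    '<hex address> <type> <name> [module]'."""
    syms = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        syms[fields[2]] = int(fields[0], 16)
    return syms


def classify(dump_a: str, dump_b: str) -> str:
    """Compare the same symbols across two boots.
    'hidden'    - every address is 0 (what kptr_restrict hides from readers)
    'fixed'     - identical addresses: the image was not moved at all
    'shifted'   - one common nonzero delta: the image moved as a unit (KASLR)
    'unrelated' - deltas differ per symbol: the values are not addresses
                  (hashed %p output, as suspected in this thread)"""
    a, b = parse_kallsyms(dump_a), parse_kallsyms(dump_b)
    common = sorted(set(a) & set(b))
    if not common:
        raise ValueError("no symbols in common between the two dumps")
    if all(a[s] == 0 == b[s] for s in common):
        return "hidden"
    deltas = {b[s] - a[s] for s in common}
    if deltas == {0}:
        return "fixed"
    return "shifted" if len(deltas) == 1 else "unrelated"


def in_arm_3g1g_kernel_range(dump: str) -> bool:
    """True if every value sits at or above 0xc0000000, where kernel virtual
    addresses live on a 3G/1G split ARM kernel; hashed values usually fail."""
    return all(0xC0000000 <= v <= 0xFFFFFFFF for v in parse_kallsyms(dump).values())


# Constructed sample dumps (three symbols each) standing in for real boots.
FIXED_A = "c0008000 T stext\nc0100000 T _text\nc0a2f4c0 D init_task\n"
SHIFT_B = "c0208000 T stext\nc0300000 T _text\nc0c2f4c0 D init_task\n"
HASHED_A = "8f3a1c52 T stext\n1d9e07b3 T _text\n6a0b44ee D init_task\n"
HASHED_B = "3b7c9a10 T stext\nc4e6f201 T _text\n0de81b77 D init_task\n"
HIDDEN = "00000000 T stext\n00000000 T _text\n00000000 D init_task\n"

if __name__ == "__main__":
    cases = {"same boot": (FIXED_A, FIXED_A), "relocated": (FIXED_A, SHIFT_B),
             "hashed": (HASHED_A, HASHED_B), "restricted": (HIDDEN, HIDDEN)}
    for name, pair in cases.items():
        print(f"{name:>10}: {classify(*pair)}")
```

On a real board, save `cat /proc/kallsyms` from each boot to a file and pass the two file contents to `classify()`.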

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
