arch/x86/kernel/sys_x86_64.c: rationale for 0x40000000 for MAP_32BIT's start address?

arch/x86/kernel/sys_x86_64.c: rationale for 0x40000000 for MAP_32BIT's start address?

[hapter]

I've found that passing in MAP_32BIT for mmap() will always return an 
address above 0x40000000. The problem seems to lie in 
arch/x86/kernek/sys_x86_64.c, where the following comment is the only 
thing close to a hint(Line 100):

/* This is usually used needed to map code in small
    model, so it needs to be in the first 31bit. Limit
    it to that.  This means we need to move the
    unmapped base down for this case. This can give
    conflicts with the heap, but we assume that glibc
    malloc knows how to fall back to mmap. Give it 1GB
    of playground for now. -AK */

Unfortunately this does not supply a rationale for starting from 
0x40000000, which seems very arbitrary, and the git commit has been 
there since the beginning of time (i.e. as far the the git history 
goes), so the git blame has not helped much to clarify it. I was also 
not able to find who "AK" was.

I have found another operating system that provides MAP_32BIT, FreeBSD, 
to not exhibit the same behavior and not cause any execution problems 
for RWX pages allocated below 0x40000000, so it does not seem a 
technical rationale exists either.

mmap will happily return 0x10000 (which seems like the lowest address 
the kernel will map when you supply it as a hint, so I do not see any 
reason not to start the find from 0x10000, or something that isn't as 
big as 0x40000000, which is big enough to impose a significant handicap 
for applications using MAP_32BIT (e.g. JITs that want to use CALL rel32 
at all times).

I will happily await for any clarifications on this matter.

- hapter

Re: arch/x86/kernel/sys_x86_64.c: rationale for 0x40000000 for MAP_32BIT's start address?

[Bagas Sanjaya]

[-- Attachment #1: Type: text/plain, Size: 1892 bytes --]

On Sun, Feb 11, 2024 at 08:52:45AM +0000, hapter@420blaze.it wrote:
> I've found that passing in MAP_32BIT for mmap() will always return an
> address above 0x40000000. The problem seems to lie in
From one gigabyte up?
> arch/x86/kernek/sys_x86_64.c, where the following comment is the only thing
> close to a hint(Line 100):
> 
> /* This is usually used needed to map code in small
>    model, so it needs to be in the first 31bit. Limit
>    it to that.  This means we need to move the
>    unmapped base down for this case. This can give
>    conflicts with the heap, but we assume that glibc
>    malloc knows how to fall back to mmap. Give it 1GB
>    of playground for now. -AK */
> 
> Unfortunately this does not supply a rationale for starting from 0x40000000,
> which seems very arbitrary, and the git commit has been there since the
> beginning of time (i.e. as far the the git history goes), so the git blame
> has not helped much to clarify it. I was also not able to find who "AK" was.

That was from commit 717db2f9f36805 ("[PATCH] x86-64 updates for 2.5.54")
in tglx/history.git repo [1], authored by Andi Kleen. Cc'ing him.

> 
> I have found another operating system that provides MAP_32BIT, FreeBSD, to
> not exhibit the same behavior and not cause any execution problems for RWX
> pages allocated below 0x40000000, so it does not seem a technical rationale
> exists either.
> 
> mmap will happily return 0x10000 (which seems like the lowest address the
> kernel will map when you supply it as a hint, so I do not see any reason not
> to start the find from 0x10000, or something that isn't as big as
> 0x40000000, which is big enough to impose a significant handicap for
> applications using MAP_32BIT (e.g. JITs that want to use CALL rel32 at all
> times).
> 

Confused...

-- 
An old man doll... just what I always wanted! - Clara

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: arch/x86/kernel/sys_x86_64.c: rationale for 0x40000000 for MAP_32BIT's start address?

[Bagas Sanjaya]

On 2/12/24 09:43, Bagas Sanjaya wrote:
> On Sun, Feb 11, 2024 at 08:52:45AM +0000, hapter@420blaze.it wrote:
>> I've found that passing in MAP_32BIT for mmap() will always return an
>> address above 0x40000000. The problem seems to lie in
> From one gigabyte up?
>> arch/x86/kernek/sys_x86_64.c, where the following comment is the only thing
>> close to a hint(Line 100):
>>
>> /* This is usually used needed to map code in small
>>    model, so it needs to be in the first 31bit. Limit
>>    it to that.  This means we need to move the
>>    unmapped base down for this case. This can give
>>    conflicts with the heap, but we assume that glibc
>>    malloc knows how to fall back to mmap. Give it 1GB
>>    of playground for now. -AK */
>>
>> Unfortunately this does not supply a rationale for starting from 0x40000000,
>> which seems very arbitrary, and the git commit has been there since the
>> beginning of time (i.e. as far the the git history goes), so the git blame
>> has not helped much to clarify it. I was also not able to find who "AK" was.
> 
> That was from commit 717db2f9f36805 ("[PATCH] x86-64 updates for 2.5.54")
> in tglx/history.git repo [1], authored by Andi Kleen. Cc'ing him.
> 

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/arch/x86_64/kernel/sys_x86_64.c?id=717db2f9f36805d85c695771ea7d712812896aa7

-- 
An old man doll... just what I always wanted! - Clara

Re: arch/x86/kernel/sys_x86_64.c: rationale for 0x40000000 for MAP_32BIT's start address?

[H. Peter Anvin]

On February 11, 2024 12:52:45 AM PST, hapter@420blaze.it wrote:
>I've found that passing in MAP_32BIT for mmap() will always return an address above 0x40000000. The problem seems to lie in arch/x86/kernek/sys_x86_64.c, where the following comment is the only thing close to a hint(Line 100):
>
>/* This is usually used needed to map code in small
>   model, so it needs to be in the first 31bit. Limit
>   it to that.  This means we need to move the
>   unmapped base down for this case. This can give
>   conflicts with the heap, but we assume that glibc
>   malloc knows how to fall back to mmap. Give it 1GB
>   of playground for now. -AK */
>
>Unfortunately this does not supply a rationale for starting from 0x40000000, which seems very arbitrary, and the git commit has been there since the beginning of time (i.e. as far the the git history goes), so the git blame has not helped much to clarify it. I was also not able to find who "AK" was.
>
>I have found another operating system that provides MAP_32BIT, FreeBSD, to not exhibit the same behavior and not cause any execution problems for RWX pages allocated below 0x40000000, so it does not seem a technical rationale exists either.
>
>mmap will happily return 0x10000 (which seems like the lowest address the kernel will map when you supply it as a hint, so I do not see any reason not to start the find from 0x10000, or something that isn't as big as 0x40000000, which is big enough to impose a significant handicap for applications using MAP_32BIT (e.g. JITs that want to use CALL rel32 at all times).
>
>I will happily await for any clarifications on this matter.
>
>- hapter

Yes it does. It is the heap, as described in the comment.

Does anyone know why glibc still uses the brk heap? It seems like a relic from a bygone time.

Re: arch/x86/kernel/sys_x86_64.c: rationale for 0x40000000 for MAP_32BIT's start address?

[Andi Kleen]

> >> Unfortunately this does not supply a rationale for starting from 0x40000000,
> >> which seems very arbitrary, and the git commit has been there since the
> >> beginning of time (i.e. as far the the git history goes), so the git blame
> >> has not helped much to clarify it. I was also not able to find who "AK" was.
> > 
> > That was from commit 717db2f9f36805 ("[PATCH] x86-64 updates for 2.5.54")
> > in tglx/history.git repo [1], authored by Andi Kleen. Cc'ing him.
> > 
> 
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/arch/x86_64/kernel/sys_x86_64.c?id=717db2f9f36805d85c695771ea7d712812896aa7

I thought the comment was clear? The 1GB start is to avoid conflicts with the brk heap,
which grows up.

The flag is really obsolete, if you want limited relocations there are
better ways to do it that don't limit ASLR. 

It was originally because the custom module loader in X.org didn't support a PLT.


-Andi