Re: [PATCH] ASLRv3: randomize_va_space=3 preventing offset2lib attack

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Hector Marco <hecmargi@upv.es>, linux-kernel@vger.kernel.org
Cc: akpm@linux-foundation.org, tglx@linutronix.de, mingo@redhat.com,
	hpa@zytor.com, linux@arm.linux.org.uk, catalin.marinas@arm.com,
	will.deacon@arm.com, oleg@redhat.com, luto@amacapital.net,
	keescook@chromium.org, Heiko Carstens <heiko.carstens@de.ibm.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Anton Blanchard <anton@samba.org>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: Re: [PATCH] ASLRv3: randomize_va_space=3 preventing offset2lib attack
Date: Mon, 08 Dec 2014 21:09:21 +0100	[thread overview]
Message-ID: <54860571.4060803@de.ibm.com> (raw)
In-Reply-To: <5480F756.90106@upv.es>

Am 05.12.2014 um 01:07 schrieb Hector Marco:
> [PATCH] ASLRv3: randomize_va_space=3 preventing offset2lib attack
> 
>   The issue appears on PIE linked executables when all memory areas of
>   a process are randomized (randomize_va_space=2). In this case, the
>   attack "offset2lib" de-randomizes all library areas on 64 bit Linux
>   systems in less than one second.
> 
>   Further details of the PoC attack at:
>   http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
> 
>   PIE linked applications are loaded side by side with the dynamic
>   libraries, which is exploited by the offset2lib attack. Moving away
>   the executable from the mmap_base area (libraries area) prevents the
>   attack.
> 
>   This patch loads the PIE linked executable in a different area than
>   the libraries when randomize_va_space=3.
> 
>   Patch implementation details:
> 
>    - The ELF_ET_DYN_BASE address is used as the base to load randomly
>      the PIE executable.
> 
>    - The executable image has the same entropy than
>      randomize_va_space=2.
[...]
> --- a/arch/arm/mm/mmap.c
> +++ b/arch/arm/mm/mmap.c
[...]
> --- a/arch/arm64/mm/mmap.c
> +++ b/arch/arm64/mm/mmap.c
[...]

> --- a/arch/x86/mm/mmap.c
> +++ b/arch/x86/mm/mmap.c
[...]

FWIW, please note that s390 and power (maybe others?) also have PIE support done differently, e.g.
commit d2c9dfccbc3 ("[S390] Randomize PIEs") and commit 501cb16d3cfdc ("powerpc: Randomise PIEs")

What I can tell from a quick look both architectures should be fine regarding offsetlib, as they place the executable already in a different section and randomize those differently even with randomize_va_space=2.

Would it make sense to unify the implementations again?

Christian

next prev parent reply	other threads:[~2014-12-08 20:09 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-05  0:07 [PATCH] ASLRv3: randomize_va_space=3 preventing offset2lib attack Hector Marco
2014-12-05 20:08 ` Kees Cook
2014-12-08 22:15   ` Hector Marco Gisbert
2014-12-05 22:00 ` Andy Lutomirski
2014-12-08 20:09 ` Christian Borntraeger [this message]
2014-12-09 17:37   ` Kees Cook
     [not found] <5489E6D2.2060200@upv.es>
2014-12-11 20:12 ` Hector Marco
2014-12-11 22:11   ` Kees Cook
2014-12-12 16:32     ` Hector Marco
2014-12-12 17:17       ` Andy Lutomirski
2014-12-19 22:04         ` Hector Marco
2014-12-19 22:11           ` Andy Lutomirski
2014-12-19 22:19             ` Cyrill Gorcunov
2014-12-19 23:53             ` Andy Lutomirski
2014-12-22 17:36               ` Hector Marco Gisbert
2014-12-22 17:56                 ` Andy Lutomirski
2014-12-22 19:49                   ` Jiri Kosina
2014-12-22 20:00                     ` Andy Lutomirski
2014-12-22 20:03                       ` Jiri Kosina
2014-12-22 20:13                         ` Andy Lutomirski
2014-12-22 23:23                   ` Hector Marco Gisbert
2014-12-22 23:38                     ` Andy Lutomirski
     [not found]                       ` <CAH4rwTKeN0P84FJnocoKV4t9rc2Ox_EYc+LEibD+Y83n7C8aVA@mail.gmail.com>
2014-12-23  8:15                         ` Andy Lutomirski
2014-12-23 20:06                           ` Hector Marco Gisbert
2014-12-23 20:53                             ` Andy Lutomirski
2015-01-07 17:26     ` Hector Marco Gisbert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54860571.4060803@de.ibm.com \
    --to=borntraeger@de.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=anton@samba.org \
    --cc=benh@kernel.crashing.org \
    --cc=catalin.marinas@arm.com \
    --cc=hecmargi@upv.es \
    --cc=heiko.carstens@de.ibm.com \
    --cc=hpa@zytor.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@arm.linux.org.uk \
    --cc=luto@amacapital.net \
    --cc=mingo@redhat.com \
    --cc=oleg@redhat.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=tglx@linutronix.de \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox