From patchwork Wed Aug 15 20:30:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Edgecombe, Rick P" X-Patchwork-Id: 10566799 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C3675921 for ; Wed, 15 Aug 2018 20:34:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 839BB2ACA9 for ; Wed, 15 Aug 2018 20:34:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 76EED2B006; Wed, 15 Aug 2018 20:34:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CD13D2ACA9 for ; Wed, 15 Aug 2018 20:34:23 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 18D696B026F; Wed, 15 Aug 2018 16:34:22 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 170F46B0271; Wed, 15 Aug 2018 16:34:22 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0539B6B0270; Wed, 15 Aug 2018 16:34:22 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pg1-f200.google.com (mail-pg1-f200.google.com [209.85.215.200]) by kanga.kvack.org (Postfix) with ESMTP id B7CAE6B026D for ; Wed, 15 Aug 2018 16:34:21 -0400 (EDT) Received: by mail-pg1-f200.google.com with SMTP id t5-v6so1009295pgp.17 for ; Wed, 15 Aug 2018 13:34:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id; bh=OGTx/soBTMgwNXxS8e03+oVEg3CImV7B57C/DY25ElY=; b=PvH1Vi49idYFQugEqFpqA1UJyH5+vJwMI/YQF7JccWGqzgvVIljTzrrtqXBui6nhHh T6drct+ijPOFsBsfNMjCB/2hWnEtNHPXXFTRowber32vDoKssF53eoiPmu0aIQFpGaqY QTgotMaOjx7cY8ZmcqLjQk8qUZHxcdngdqr3VpEsG9iYjqzbF+aDgPT6ChrPV74RG1sZ E9L3lxgC/bk0/lKu3+W7HUhv8AlJWBVaCYlqPKVACh+jyl393LSmg/o2lVO/2fIWWWC+ w/eohdbj0+54sllj0eV7OMHD77fAKSvu00u8jrlls+C661WCCa47+wyz4mxlZt9WiG84 B1Sw== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.65 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Gm-Message-State: AOUpUlHupzN4f5E3Trq4wO44K3wsUyYdNeZ3rWEunZdZMHiwZa8OclID YaMuHhJ4j/0ly4G+0XPDNzX6cp4H031Ah64uHyKkN5H3o5uv2JeFVGIWMiqc4+5Attn1rG/h9+J PEZAJPd7g/+VYRHpL4421Z3P7inmLyDet2d4H64ipNX6iT03FOojCJV0Thu27f6S6/g== X-Received: by 2002:a62:3856:: with SMTP id f83-v6mr29437331pfa.48.1534365261422; Wed, 15 Aug 2018 13:34:21 -0700 (PDT) X-Google-Smtp-Source: AA+uWPzw98hcFen0AKfE4hxBj9pzFOnNR6mXezJSnMfLm29L2o71B0JJWwJxnZM8K4f9EaOzHKXM X-Received: by 2002:a62:3856:: with SMTP id f83-v6mr29437286pfa.48.1534365260448; Wed, 15 Aug 2018 13:34:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534365260; cv=none; d=google.com; s=arc-20160816; b=HQqrk3SM7ViRbfX1STYq11cTEx1+trdzasJXMmcT1t1ovRWpcasLitaLwlajsj5fOu tDtmgLgMNgZs+Bs4iByZC+fS+qrhSnlICkPjx7fdzOKFZKw7maX9qyhAOrzNHajfVbWW l7f1golIUhqWQH2sFmRW6VrC1xNSLujcqmpomWgMGBwfYjl50LzdI8K57FiDZ3/m63pA dBTQoYtDzVuLq/gCFUkS7qMhXEJotoUhOjeKSr0vEjwYDmq/Ij7hbkqFdvaSh9D3GUIb 6rzU4KscXuWVxBzvVxD6oY/eAxexXaRn1sUs831WNR18ptbREM+M6HuEVCehwBSpWaow cUdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:date:subject:cc:to:from:arc-authentication-results; bh=OGTx/soBTMgwNXxS8e03+oVEg3CImV7B57C/DY25ElY=; b=DiE+IpyPcBJVASgdtbZfCw4F2X6EDLbB/hghQI/gpO6YWR0HDJnCZoxRYM+HQSbnrs E85Wf15H2unUTMhQUwtb44kZnTBG26hECU+xzvBSI94MTFXjbG66gTqYI0LyWth21i19 B8bxrgRNRo+gCL2jH0RjdNHZ24+qhSTZo5T+rLlky60qQd+egx5jpYDGLU2jVbhR3Cl/ AYB/wlklegoHaRK3GNj85InHDK+ndprrh7Ze3IqNBYK/9REv9o3y1UDgAgVBBfKEMGtT qz8CTmp5Ie+gCxF5AAweiW4CIxmn/Tisx4iMn1vWThrVMjH9dGbw8m0jn68RJRDNEY6e Zf/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.65 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from mga03.intel.com (mga03.intel.com. [134.134.136.65]) by mx.google.com with ESMTPS id n3-v6si18917408pld.146.2018.08.15.13.34.20 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Aug 2018 13:34:20 -0700 (PDT) Received-SPF: pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.65 as permitted sender) client-ip=134.134.136.65; Authentication-Results: mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 134.134.136.65 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Aug 2018 13:34:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,244,1531810800"; d="scan'208";a="224930391" Received: from rpedgeco-hp-z240-tower-workstation.jf.intel.com (HELO rpedgeco-DESK5.jf.intel.com) ([10.54.75.168]) by orsmga004.jf.intel.com with ESMTP; 15 Aug 2018 13:34:18 -0700 From: Rick Edgecombe To: tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, daniel@iogearbox.net, jannh@google.com, keescook@chromium.org Cc: kristen@linux.intel.com, dave.hansen@intel.com, arjan@linux.intel.com, Rick Edgecombe Subject: [PATCH v3 0/3] KASLR feature to randomize each loadable module Date: Wed, 15 Aug 2018 13:30:16 -0700 Message-Id: <1534365020-18943-1-git-send-email-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.7.4 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000002, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Hi, This is V3 of the "KASLR feature to randomize each loadable module" patchset. The purpose is to increase the randomization and also to make the modules randomized in relation to each other instead of just the base, so that if one module leaks the location of the others can't be inferred. V3 is a code cleanup from the V2 I had sent out RFC. The performance and memory usage is the same as V2, in summary: - Average allocation 2-4 times better than existing algorithm - Max allocation time usually faster than the existing algorithm - TLB flushes close to existing algorithm, within 1% for <1000 modules, - Memory usage (for PTEs) usually ~1MB higher than existing algorithm - Average module capacity slightly reduced, in the range of 17000 for both For runtime performance, a synthetic benchmark was run that does 5000000 BPF JIT invocations each, from varying numbers of parallel processes, while the kernel compiles sharing the same CPU to stand in for the cache impact of a real workload. The seccomp filter invocations were just Jann Horn's seccomp filtering test from this thread http://openwall.com/lists/kernel-hardening/2018/07/18/2, except non-real time priority. The kernel was configured with KPTI and retpoline, and pcid was disabled. There wasn't any significant difference between the new and the old. Changes for V3: - Code cleanup based on internal feedback. (thanks to Dave Hansen and Andriy Shevchenko) - Slight refactor of existing algorithm to more cleanly live along side new one. - BPF synthetic benchmark Changes for V2: - New implementation of __vmalloc_node_try_addr based on the __vmalloc_node_range implementation, that only flushes TLB when needed. - Modified module loading algorithm to try to reduce the TLB flushes further. - Increase "random area" tries in order to increase the number of modules that can get high randomness. - Increase "random area" size to 2/3 of module area in order to increase the number of modules that can get high randomness. - Fix for 0day failures on other architectures. - Fix for wrong debugfs permissions. (thanks to Jann Horn) - Spelling fix. (thanks to Jann Horn) - Data on module_alloc performance and TLB flushes. (brought up by Kees Cook and Jann Horn) - Data on memory usage. (suggested by Jann) Rick Edgecombe (3): vmalloc: Add __vmalloc_node_try_addr function x86/modules: Increase randomization for modules vmalloc: Add debugfs modfraginfo arch/x86/include/asm/pgtable_64_types.h | 7 + arch/x86/kernel/module.c | 163 ++++++++++++++++--- include/linux/vmalloc.h | 3 + mm/vmalloc.c | 266 +++++++++++++++++++++++++++++++- 4 files changed, 415 insertions(+), 24 deletions(-)