From patchwork Tue Nov 20 23:23:10 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Edgecombe, Rick P" X-Patchwork-Id: 10691401 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B7D2416B1 for ; Tue, 20 Nov 2018 23:22:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A45242ABE0 for ; Tue, 20 Nov 2018 23:22:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 988EA2ABED; Tue, 20 Nov 2018 23:22:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D9F2F2ABE0 for ; Tue, 20 Nov 2018 23:22:18 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 7033B6B227E; Tue, 20 Nov 2018 18:22:09 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 361746B227D; Tue, 20 Nov 2018 18:22:09 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 07C866B2282; Tue, 20 Nov 2018 18:22:08 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pl1-f198.google.com (mail-pl1-f198.google.com [209.85.214.198]) by kanga.kvack.org (Postfix) with ESMTP id 9192E6B227D for ; Tue, 20 Nov 2018 18:22:08 -0500 (EST) Received: by mail-pl1-f198.google.com with SMTP id o23so4285660pll.0 for ; Tue, 20 Nov 2018 15:22:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=pmqRVlwThZ3gV6FpDi77XAXWmrabinWWNF8l1nqzCoo=; b=ApD0yaJO1vxQ3NCKx2a6M5QYPVk2Yqd4IytSu9+1sQTb0TfNY/OqFa7YbNlCnkIF1y ZVp4blXy5GNvVdKDRLar5Ti6z2Myn8FoPMLTn07DR9pGmYnXtjFlHLNPbY7rHYYeHMXQ D6f4mwHgZhMQ2uwLdHxpHXsH2T0vJoFJGT5z4vjrY0VHK3aGDMEDOkYUYBHCMHWz7MRX D6Q8vn2MkMuKSMuMUKlRUBzUBc8LmdyukpENaTtngYKlFrYVWMgCFIG0dn7Gqk/MsnuF 4BSv/ea63NmNO4AmuHaexuwM3ZpfqQcTKGoET177rAJJaRPvVPjbTskhhs5WaYD30V65 pa6g== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Gm-Message-State: AGRZ1gJuLS6+238SMvsRIJcHbziXF62j+X3oenGl1EIxAnpApys5APde oBqSIFEzPJJL8H8csaH03C7PQXBoAc5ULtU/eybLdyK1Tj1vPu/qwQZZurNRg8z4wwXfLAvg+BX G5xr9pwIgPvdqEvMn0wPA0pZz46JF+x2HJfXUdKhJcXoMZkri/wwwMaENDHMZk0fQsw== X-Received: by 2002:a62:2095:: with SMTP id m21-v6mr4295633pfj.32.1542756128174; Tue, 20 Nov 2018 15:22:08 -0800 (PST) X-Google-Smtp-Source: AJdET5d8EL5KIMijgW3T1Ou4cqHYdRHngxXIT6NHlNd4L79haLvq2jxHeov71APM/wJQ0fu1+a9u X-Received: by 2002:a62:2095:: with SMTP id m21-v6mr4295555pfj.32.1542756126724; Tue, 20 Nov 2018 15:22:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542756126; cv=none; d=google.com; s=arc-20160816; b=UQ2X8eYNt9pel9RBxBBLnlwEk6lmHw7fVVt0Oo5VCVIxneguSVELpttK3fFDHKq3RT rAsQUZl9gn4F3rGyG9Iag9R6jZeLlrWsGpBX2c/Wdbsa7CJZBepCyLnEZcd7+8FF9TjG 3T2oTTjfNfErFE6s3OoFK25ofZaqKf81sv6xO7AO86hkFP2q5zMc8yJkxk8OfPQHraQQ 3/nGKHTM1bOpXyl/FT2p82EAS76bZPgnYZi6bDxdkrkRfKx5x3oqpbH+G1NS7TR+Q90b sXnzER3Kbwqs2oXhDYeQhhftbMt3Bs1Z796k0mIvjSl0uhuGzfdEcvn0dYRNWoedFr0q Etfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=pmqRVlwThZ3gV6FpDi77XAXWmrabinWWNF8l1nqzCoo=; b=BfI3rsVW2v9Sa9K49NrOAJiGEGCiBEnnJyMTGsFKJwa7Bk4cAN9ZsJ61ZplbmcFLWr W55AdcOrcDLp6Y4bgxSiPsgW1g/x9IOKWy+cgUj1KpuHYGZK2AnUV4HKQqPqa95SqmBI +GXc9g8SWXADf4Ee7JB7ja1me+Hi+4G+OBh+LpuTc4+m6AIU4KLW7g+u6U0+X+zTBtql BkV2LMfMNzG0IzOSynLpiymgUYJiebaYdEKHWsTcf5UqAR/81OloXSOVS3g0dlDkPXLt uHQPZIotffO8hK9ksvtB2LGs+98WRO14TMpMmnhs0S5l8vqOZLE8zFs/7XPQ9s0YjHN9 8HCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from mga17.intel.com (mga17.intel.com. [192.55.52.151]) by mx.google.com with ESMTPS id k11si39459676pgh.132.2018.11.20.15.22.06 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Nov 2018 15:22:06 -0800 (PST) Received-SPF: pass (google.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.151 as permitted sender) client-ip=192.55.52.151; Authentication-Results: mx.google.com; spf=pass (google.com: domain of rick.p.edgecombe@intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Nov 2018 15:22:05 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,258,1539673200"; d="scan'208";a="251330793" Received: from rpedgeco-desk5.jf.intel.com ([10.54.75.128]) by orsmga004.jf.intel.com with ESMTP; 20 Nov 2018 15:22:05 -0800 From: Rick Edgecombe To: jeyu@kernel.org, akpm@linux-foundation.org, willy@infradead.org, tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, daniel@iogearbox.net, jannh@google.com, keescook@chromium.org Cc: kristen@linux.intel.com, dave.hansen@intel.com, arjan@linux.intel.com, Rick Edgecombe Subject: [PATCH v9 RESEND 2/4] x86/modules: Increase randomization for modules Date: Tue, 20 Nov 2018 15:23:10 -0800 Message-Id: <20181120232312.30037-3-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181120232312.30037-1-rick.p.edgecombe@intel.com> References: <20181120232312.30037-1-rick.p.edgecombe@intel.com> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This changes the behavior of the KASLR logic for allocating memory for the text sections of loadable modules. It randomizes the location of each module text section with about 17 bits of entropy in typical use. This is enabled on X86_64 only. For 32 bit, the behavior is unchanged. It refactors existing code around module randomization somewhat. There are now three different behaviors for x86 module_alloc depending on config. RANDOMIZE_BASE=n, and RANDOMIZE_BASE=y ARCH=x86_64, and RANDOMIZE_BASE=y ARCH=i386. The refactor of the existing code is to try to clearly show what those behaviors are without having three separate versions or threading the behaviors in a bunch of little spots. The reason it is not enabled on 32 bit yet is because the module space is much smaller and simulations haven't been run to see how it performs. The new algorithm breaks the module space in two, a random area and a backup area. It first tries to allocate at a number of randomly located starting pages inside the random section. If this fails, then it will allocate in the backup area. The backup area base will be offset in the same way as the current algorithm does for the base area, 1024 possible locations. Due to boot_params being defined with different types in different places, placing the config helpers modules.h or kaslr.h caused conflicts elsewhere, and so they are placed in a new file, kaslr_modules.h, instead. Signed-off-by: Rick Edgecombe --- arch/x86/Kconfig | 3 + arch/x86/include/asm/kaslr_modules.h | 38 ++++++++ arch/x86/include/asm/pgtable_64_types.h | 7 ++ arch/x86/kernel/module.c | 111 +++++++++++++++++++----- 4 files changed, 136 insertions(+), 23 deletions(-) create mode 100644 arch/x86/include/asm/kaslr_modules.h diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index ba7e3464ee92..db93cde0528a 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2144,6 +2144,9 @@ config RANDOMIZE_BASE If unsure, say Y. +config RANDOMIZE_FINE_MODULE + def_bool y if RANDOMIZE_BASE && X86_64 && !CONFIG_UML + # Relocation on x86 needs some additional build support config X86_NEED_RELOCS def_bool y diff --git a/arch/x86/include/asm/kaslr_modules.h b/arch/x86/include/asm/kaslr_modules.h new file mode 100644 index 000000000000..1da6eced4b47 --- /dev/null +++ b/arch/x86/include/asm/kaslr_modules.h @@ -0,0 +1,38 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_KASLR_MODULES_H_ +#define _ASM_KASLR_MODULES_H_ + +#ifdef CONFIG_RANDOMIZE_BASE +/* kaslr_enabled is not always defined */ +static inline int kaslr_mod_randomize_base(void) +{ + return kaslr_enabled(); +} +#else +static inline int kaslr_mod_randomize_base(void) +{ + return 0; +} +#endif /* CONFIG_RANDOMIZE_BASE */ + +#ifdef CONFIG_RANDOMIZE_FINE_MODULE +/* kaslr_enabled is not always defined */ +static inline int kaslr_mod_randomize_each_module(void) +{ + return kaslr_enabled(); +} + +static inline unsigned long get_modules_rand_len(void) +{ + return MODULES_RAND_LEN; +} +#else +static inline int kaslr_mod_randomize_each_module(void) +{ + return 0; +} + +unsigned long get_modules_rand_len(void); +#endif /* CONFIG_RANDOMIZE_FINE_MODULE */ + +#endif diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 04edd2d58211..5e26369ab86c 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -143,6 +143,13 @@ extern unsigned int ptrs_per_p4d; #define MODULES_END _AC(0xffffffffff000000, UL) #define MODULES_LEN (MODULES_END - MODULES_VADDR) +/* + * Dedicate the first part of the module space to a randomized area when KASLR + * is in use. Leave the remaining part for a fallback if we are unable to + * allocate in the random area. + */ +#define MODULES_RAND_LEN PAGE_ALIGN((MODULES_LEN/3)*2) + #define ESPFIX_PGD_ENTRY _AC(-2, UL) #define ESPFIX_BASE_ADDR (ESPFIX_PGD_ENTRY << P4D_SHIFT) diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c index b052e883dd8c..35cb912ed1f8 100644 --- a/arch/x86/kernel/module.c +++ b/arch/x86/kernel/module.c @@ -36,6 +36,7 @@ #include #include #include +#include #if 0 #define DEBUGP(fmt, ...) \ @@ -48,34 +49,96 @@ do { \ } while (0) #endif -#ifdef CONFIG_RANDOMIZE_BASE static unsigned long module_load_offset; +static const unsigned long NO_TRY_RAND = 10000; /* Mutex protects the module_load_offset. */ static DEFINE_MUTEX(module_kaslr_mutex); static unsigned long int get_module_load_offset(void) { - if (kaslr_enabled()) { - mutex_lock(&module_kaslr_mutex); - /* - * Calculate the module_load_offset the first time this - * code is called. Once calculated it stays the same until - * reboot. - */ - if (module_load_offset == 0) - module_load_offset = - (get_random_int() % 1024 + 1) * PAGE_SIZE; - mutex_unlock(&module_kaslr_mutex); - } + mutex_lock(&module_kaslr_mutex); + /* + * Calculate the module_load_offset the first time this + * code is called. Once calculated it stays the same until + * reboot. + */ + if (module_load_offset == 0) + module_load_offset = (get_random_int() % 1024 + 1) * PAGE_SIZE; + mutex_unlock(&module_kaslr_mutex); + return module_load_offset; } -#else -static unsigned long int get_module_load_offset(void) + +static unsigned long get_module_vmalloc_start(void) { - return 0; + unsigned long addr = MODULES_VADDR; + + if (kaslr_mod_randomize_base()) + addr += get_module_load_offset(); + + if (kaslr_mod_randomize_each_module()) + addr += get_modules_rand_len(); + + return addr; +} + +static void *try_module_alloc(unsigned long addr, unsigned long size) +{ + const unsigned long vm_flags = 0; + + return __vmalloc_node_try_addr(addr, size, GFP_KERNEL, PAGE_KERNEL_EXEC, + vm_flags, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +/* + * Find a random address to try that won't obviously not fit. Random areas are + * allowed to overflow into the backup area + */ +static unsigned long get_rand_module_addr(unsigned long size) +{ + unsigned long nr_max_pos = (MODULES_LEN - size) / MODULE_ALIGN + 1; + unsigned long nr_rnd_pos = get_modules_rand_len() / MODULE_ALIGN; + unsigned long nr_pos = min(nr_max_pos, nr_rnd_pos); + + unsigned long module_position_nr = get_random_long() % nr_pos; + unsigned long offset = module_position_nr * MODULE_ALIGN; + + return MODULES_VADDR + offset; +} + +/* + * Try to allocate in the random area at 10000 random addresses. If these + * fail, return NULL. + */ +static void *try_module_randomize_each(unsigned long size) +{ + void *p = NULL; + unsigned int i; + + /* This will have a guard page */ + unsigned long va_size = PAGE_ALIGN(size) + PAGE_SIZE; + + if (!kaslr_mod_randomize_each_module()) + return NULL; + + /* Make sure there is at least one address that might fit. */ + if (va_size < PAGE_ALIGN(size) || va_size > MODULES_LEN) + return NULL; + + /* Try to find a spot that doesn't need a lazy purge */ + for (i = 0; i < NO_TRY_RAND; i++) { + unsigned long addr = get_rand_module_addr(va_size); + + p = try_module_alloc(addr, size); + + if (p) + return p; + } + + return NULL; } -#endif void *module_alloc(unsigned long size) { @@ -84,16 +147,18 @@ void *module_alloc(unsigned long size) if (PAGE_ALIGN(size) > MODULES_LEN) return NULL; - p = __vmalloc_node_range(size, MODULE_ALIGN, - MODULES_VADDR + get_module_load_offset(), - MODULES_END, GFP_KERNEL, - PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, - __builtin_return_address(0)); + p = try_module_randomize_each(size); + + if (!p) + p = __vmalloc_node_range(size, MODULE_ALIGN, + get_module_vmalloc_start(), MODULES_END, + GFP_KERNEL, PAGE_KERNEL_EXEC, 0, + NUMA_NO_NODE, __builtin_return_address(0)); + if (p && (kasan_module_alloc(p, size) < 0)) { vfree(p); return NULL; } - return p; }