From patchwork Sat Feb 10 09:18:35 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13552219
From: Kees Cook
To: Andy Lutomirski
Cc: Kees Cook, Daniel Micay, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Eric Biederman, Brian Gerst, Nikolay Borisov, "Chang S. Bae", Igor Zhbanov, Rick Edgecombe, Randy Dunlap, linux-mm@kvack.org, John Allen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] x86/vdso: Move vDSO to mmap region
Date: Sat, 10 Feb 2024 01:18:35 -0800
Message-Id: <20240210091827.work.233-kees@kernel.org>

From: Daniel Micay

The vDSO (and its initial randomization) was introduced in commit 2aae950b21e4 ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu"), but had very low entropy. The entropy was improved in commit 394f56fe4801 ("x86_64, vdso: Fix the vdso address randomization algorithm"), but there is still improvement to be made.

On principle there should not be executable code at a low entropy offset from the stack, since the stack and executable code having separate randomization is part of what makes ASLR stronger.

Remove the only executable code near the stack region and give the vDSO the same randomized base as other mmap mappings including the linker and other shared objects. This results in higher entropy being provided and there's little to no advantage in separating this from the existing executable code there. This is already how other architectures like arm64 handle the vDSO.

As an aside, while it's sensible for userspace to reserve the initial mmap base as a region for executable code with a random gap for other mmap allocations, along with providing randomization within that region, there isn't much the kernel can do to help due to how dynamic linkers load the shared objects.

This was extracted from the PaX RANDMMAP feature.

Closes: https://github.com/KSPP/linux/issues/280
Cc: Andy Lutomirski
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: Dave Hansen
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Cc: Eric Biederman
Cc: Brian Gerst
Cc: Nikolay Borisov
Cc: "Chang S. Bae"
Cc: Igor Zhbanov
Cc: Rick Edgecombe
Cc: Randy Dunlap
Cc: linux-mm@kvack.org
Signed-off-by: Daniel Micay
[kees: updated commit log with historical details and other tweaks]
Signed-off-by: Kees Cook
---
 arch/x86/entry/vdso/vma.c    | 57 ++----------------------------------
 arch/x86/include/asm/elf.h   |  1 -
 arch/x86/kernel/sys_x86_64.c |  7 -----
 3 files changed, 2 insertions(+), 63 deletions(-)

diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c index 7645730dc228..6d83ceb7f1ba 100644 --- a/arch/x86/entry/vdso/vma.c +++ b/arch/x86/entry/vdso/vma.c @@ -274,59 +274,6 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) return ret; } -#ifdef CONFIG_X86_64 -/* - * Put the vdso above the (randomized) stack with another randomized - * offset. This way there is no hole in the middle of address space. - * To save memory make sure it is still in the same PTE as the stack - * top. This doesn't give that many random bits. - * - * Note that this algorithm is imperfect: the distribution of the vdso - * start address within a PMD is biased toward the end. - * - * Only used for the 64-bit and x32 vdsos. - */ -static unsigned long vdso_addr(unsigned long start, unsigned len) -{ - unsigned long addr, end; - unsigned offset; - - /* - * Round up the start address. It can start out unaligned as a result - * of stack start randomization. - */ - start = PAGE_ALIGN(start); - - /* Round the lowest possible end address up to a PMD boundary. */ - end = (start + len + PMD_SIZE - 1) & PMD_MASK; - if (end >= DEFAULT_MAP_WINDOW) - end = DEFAULT_MAP_WINDOW; - end -= len; - - if (end > start) { - offset = get_random_u32_below(((end - start) >> PAGE_SHIFT) + 1); - addr = start + (offset << PAGE_SHIFT); - } else { - addr = start; - } - - /* - * Forcibly align the final address in case we have a hardware - * issue that requires alignment for performance reasons. - */ - addr = align_vdso_addr(addr); - - return addr; -} - -static int map_vdso_randomized(const struct vdso_image *image) -{ - unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start); - - return map_vdso(image, addr); -} -#endif - int map_vdso_once(const struct vdso_image *image, unsigned long addr) { struct mm_struct *mm = current->mm; 
@@ -369,7 +316,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) if (!vdso64_enabled) return 0; - return map_vdso_randomized(&vdso_image_64); + return map_vdso(&vdso_image_64, 0); } #ifdef CONFIG_COMPAT @@ -380,7 +327,7 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm, if (x32) { if (!vdso64_enabled) return 0; - return map_vdso_randomized(&vdso_image_x32); + return map_vdso(&vdso_image_x32, 0); } #endif #ifdef CONFIG_IA32_EMULATION diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 1e16bd5ac781..1fb83d47711f 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -392,5 +392,4 @@ struct va_alignment { } ____cacheline_aligned; extern struct va_alignment va_align; -extern unsigned long align_vdso_addr(unsigned long); #endif /* _ASM_X86_ELF_H */ diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c index c783aeb37dce..cb9fa1d5c66f 100644 --- a/arch/x86/kernel/sys_x86_64.c +++ b/arch/x86/kernel/sys_x86_64.c @@ -52,13 +52,6 @@ static unsigned long get_align_bits(void) return va_align.bits & get_align_mask(); } -unsigned long align_vdso_addr(unsigned long addr) -{ - unsigned long align_mask = get_align_mask(); - addr = (addr + align_mask) & ~align_mask; - return addr | get_align_bits(); -} - static int __init control_va_addr_alignment(char *str) { /* guard against enabling this on other CPU families */
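
Review bot: In arch/x86/entry/vdso/vma.c, the removed vdso_addr() capped its result at DEFAULT_MAP_WINDOW and passed it through align_vdso_addr() "in case we have a hardware issue that requires alignment for performance reasons", and the commit log does not say whether either property still holds once arch_setup_additional_pages() and compat_arch_setup_additional_pages() call map_vdso(..., 0). Please state in the log whether the mmap-base placement still applies the va_align handling and the DEFAULT_MAP_WINDOW limit to the vDSO, or why they are no longer needed. A one-line comment at the two new call sites on what an addr of 0 asks map_vdso() to do would also help, since the literal replaces a function whose name carried that meaning.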
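
Review bot: In arch/x86/kernel/sys_x86_64.c, the deleted align_vdso_addr() is a caller of the static get_align_bits() shown in the context directly above it, so please confirm get_align_bits() still has another user in that file; if it does not, it should go in the same patch to avoid an unused-function warning. The matching extern removal in arch/x86/include/asm/elf.h looks complete given that both definition and declaration are dropped together, but the log could mention that no other callers of align_vdso_addr() remain.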
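
A way to check which layout a process has, as an added example (not part of the patch or the kernel tree): it parses /proc/<pid>/maps text and reports whether [vdso] starts within one PMD (2 MiB on x86-64 with 4 KiB pages) above the end of [stack], the window the removed vdso_addr() picked from. The function names and the two sample maps excerpts are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PMD_SIZE_X86_64 (2UL << 20)   /* 2 MiB with 4 KiB pages */

/* Constructed sample: vDSO just above the stack (layout before the patch). */
static const char SAMPLE_OLD[] =
    "7ffc8e5f3000-7ffc8e614000 rw-p 00000000 00:00 0      [stack]\n"
    "7ffc8e7d2000-7ffc8e7d6000 r--p 00000000 00:00 0      [vvar]\n"
    "7ffc8e7d6000-7ffc8e7d8000 r-xp 00000000 00:00 0      [vdso]\n";
/* Constructed sample: vDSO placed among the other mmap mappings. */
static const char SAMPLE_NEW[] =
    "7f3a1c5f9000-7f3a1c5fb000 r-xp 00000000 00:00 0      [vdso]\n"
    "7ffc8e5f3000-7ffc8e614000 rw-p 00000000 00:00 0      [stack]\n";

/* Find the mapping whose maps line ends with `name`; 1 if found. */
static int find_map(const char *maps, const char *name,
                    unsigned long *start, unsigned long *end)
{
    size_t nlen = strlen(name);
    for (const char *line = maps; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= nlen && memcmp(line + len - nlen, name, nlen) == 0 &&
            sscanf(line, "%lx-%lx", start, end) == 2)
            return 1;
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* 1: vDSO within one PMD above the stack; 0: elsewhere; -1: entry missing. */
int vdso_near_stack(const char *maps)
{
    unsigned long vs, ve, ss, se;
    if (!find_map(maps, "[vdso]", &vs, &ve) ||
        !find_map(maps, "[stack]", &ss, &se))
        return -1;
    return vs >= se && vs - se < PMD_SIZE_X86_64;
}

int main(void)
{
    static char buf[1 << 20];
    FILE *f = fopen("/proc/self/maps", "r");   /* inspect this process */
    size_t n = f ? fread(buf, 1, sizeof(buf) - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("vdso near stack: %d\n", vdso_near_stack(buf));
    return 0;
}
```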