Re: [PATCH v3 16/19] x86, kaslr: Randomize physical and virtual address of kernel separately

From: Kees Cook
Date: Tue Mar 08 2016 - 13:24:56 EST


On Mon, Mar 7, 2016 at 9:34 PM, Baoquan He <bhe@xxxxxxxxxx> wrote:
> On 03/07/16 at 03:51pm, Kees Cook wrote:
>> On Fri, Mar 4, 2016 at 8:25 AM, Baoquan He <bhe@xxxxxxxxxx> wrote:
>> > On x86_64, in old kaslr implementaion only physical address of kernel
>> > loading is randomized. Then calculate the delta of physical address
>> > where vmlinux was linked to load and where it is finally loaded. If
>> > delta is not equal to 0, namely there's a new physical address where
>> > kernel is actually decompressed, relocation handling need be done. Then
>> > delta is added to offset of kernel symbol relocation, this makes the
>> > address of kernel text mapping move delta long.
>> >
>> > Here the behavior is changed. Randomize both the physical address
>> > where kernel is decompressed and the virtual address where kernel text
>> > is mapped. And relocation handling only depends on virtual address
>> > randomization. Means if and only if virtual address is randomized to
>> > a different value, we add the delta to the offset of kernel relocs.
>> >
>> > Note that up to now both virtual offset and physical addr randomization
>> > cann't exceed CONFIG_RANDOMIZE_BASE_MAX_OFFSET, namely 1G.
>>
>> It seems like CONFIG_RANDOMIZE_BASE_MAX_OFFSET should have been
>> eliminated when the on-demand page table code was added. Once that was
>> added, there's no physical max any more. And virtual randomization
>> should have no max at all.
> For physically random, yes, CONFIG_RANDOMIZE_BASE_MAX_OFFSET is not
> needed anymore. But for virtually random,
> CONFIG_RANDOMIZE_BASE_MAX_OFFSET is still mandatory since kernel text
> mapping and kernel module mapping share the 2G virtual address space as
> follows. Though kaslr increase kernel text mapping from 512M to 1G, it's
> still limited, can't exceed CONFIG_RANDOMIZE_BASE_MAX_OFFSET.
>
> [0xffffffff80000000, 0xffffffffffffffff]
>
> But now as you suggested, I would like to change
> CONFIG_RANDOMIZE_BASE_MAX_OFFSET to another name because it's only
> valid for virtual randomization. A more specific name is better.

Yes, right, the virtual has a 1G max, but I meant that it doesn't need
to be a CONFIG item any more. Physical can use physical memory max as
its max, and virtual max can now be calculated from the existing text
mapping size.

-Kees

--
Kees Cook
Chrome OS & Brillo Security