Re: [PATCH 3/4] powerpc: Reduce ELF_ET_DYN_BASE

From: Kees Cook
Date: Mon Jun 26 2017 - 14:27:10 EST


On Mon, Jun 26, 2017 at 6:04 AM, Michael Ellerman <mpe@xxxxxxxxxxxxxx> wrote:
> Kees Cook <keescook@xxxxxxxxxxxx> writes:
>
>> On Fri, Jun 23, 2017 at 12:01 AM, Michael Ellerman <mpe@xxxxxxxxxxxxxx> wrote:
>>> Kees Cook <keescook@xxxxxxxxxxxx> writes:
>>>
>>>> Now that explicitly executed loaders are loaded in the mmap region,
>>>> position PIE binaries lower in the address space to avoid possible
>>>> collisions with mmap or stack regions. For 64-bit, align to 4GB to
>>>> allow runtimes to use the entire 32-bit address space for 32-bit
>>>> pointers.
>>>
>>> The change log and subject are a bit out of whack with the actual patch
>>> because previously we used 512MB.
>>>
>>> How about?
>>>
>>> powerpc: Move ELF_ET_DYN_BASE to 4GB / 4MB
>>>
>>> Now that explicitly executed loaders are loaded in the mmap region,
>>> we have more freedom to decide where we position PIE binaries in the
>>> address space to avoid possible collisions with mmap or stack regions.
>>>
>>> For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
>>> address space for 32-bit pointers. On 32-bit use 4MB.
>>
>> Good idea, thanks. I'll resend the series with the commit logs updated.
>>
>>> Is there any particular reasoning behind the 4MB value on 32-bit?
>>
>> So, I've dug around a bit on this, and I *think* the rationale is to
>> avoid mapping a possible 4MB page table entry when it won't be using
>> at least a portion near the lower end (NULL address area covered
>> blocked by mmap_min_addr). It seems to be mainly tradition, though.
>
> OK, that is obscure, especially for CPUs that don't have a 4MB page
> size. But consistency across arches is probably best regardless.

Yeah, I like being not "close" to the NULL address, though the
definition of "close" has been various values like 64K (mmap_min_addr)
and 1M (x86 BIOS junk and new stack-gap size). 4MB is above even that,
so, I think we're fine there. It's what Windows has used, so it's
familiar and any new attack methodologies would at least be shared
across OSes and architectures, so we should "notice" any problem with
the value, and then we can adjust it if we need to.

-Kees

--
Kees Cook
Pixel Security