Date: Tue, 27 Jun 2023 04:43:50 GMT
Message-Id: <202306270443.35R4hofY050812@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Alan Cox
Subject: git: d8e6f4946cec - main - vm: Fix anonymous memory clustering under ASLR
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-Git-Committer: alc
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d8e6f4946cec0b84a6997d62e791b8cf993741b2

The branch main has been updated by alc:

URL: https://cgit.FreeBSD.org/src/commit/?id=d8e6f4946cec0b84a6997d62e791b8cf993741b2

commit d8e6f4946cec0b84a6997d62e791b8cf993741b2
Author:     Alan Cox
AuthorDate: 2023-06-23 17:00:32 +0000
Commit:     Alan Cox
CommitDate: 2023-06-27 04:42:48 +0000

    vm: Fix anonymous memory clustering under ASLR

    By default, our ASLR implementation is supposed to cluster anonymous
    memory allocations, unless the application's mmap(..., MAP_ANON, ...)
    call included a non-zero address hint. Unfortunately, clustering never
    occurred because kern_mmap() always replaced the given address hint
    when it was zero. So, the ASLR implementation always believed that a
    non-zero hint had been provided and randomized the mapping's location
    in the address space.

    To fix this problem, I'm pushing down the point at which we convert a
    hint of zero to the minimum allocatable address from kern_mmap() to
    vm_map_find_min().

    Reviewed by:    kib
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D40743
---
 sys/vm/vm_map.c  | 10 +++++++---
 sys/vm/vm_map.h  |  1 +
 sys/vm/vm_mmap.c |  8 +++++---
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index f5863a9b9939..a02107b5e64d 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -1981,14 +1981,14 @@ SYSCTL_INT(_vm, OID_AUTO, cluster_anon, CTLFLAG_RW, "Cluster anonymous mappings: 0 = no, 1 = yes if no hint, 2 = always"); static bool -clustering_anon_allowed(vm_offset_t addr) +clustering_anon_allowed(vm_offset_t addr, int cow) { switch (cluster_anon) { case 0: return (false); case 1: - return (addr == 0); + return (addr == 0 || (cow & MAP_NO_HINT) != 0); case 2: default: return (true); @@ -2111,7 +2111,7 @@ vm_map_find(vm_map_t map, vm_object_t object, vm_ooffset_t offset, } else alignment = 0; en_aslr = (map->flags & MAP_ASLR) != 0; - update_anon = cluster = clustering_anon_allowed(*addr) && + update_anon = cluster = clustering_anon_allowed(*addr, cow) && (map->flags & MAP_IS_SUB_MAP) == 0 && max_addr == 0 && find_space != VMFS_NO_SPACE && object == NULL && (cow & (MAP_INHERIT_SHARE | MAP_STACK_GROWS_UP | @@ -2255,6 +2255,10 @@ vm_map_find_min(vm_map_t map, vm_object_t object, vm_ooffset_t offset, int rv; hint = *addr; + if (hint == 0) + cow |= MAP_NO_HINT; + if (hint < min_addr) + *addr = hint = min_addr; for (;;) { rv = vm_map_find(map, object, offset, addr, length, max_addr, find_space, prot, max, cow); diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h index 2ac54a39a57b..fd8b606e8ddc 100644 --- a/sys/vm/vm_map.h +++ b/sys/vm/vm_map.h @@ -383,6 +383,7 @@ long vmspace_resident_count(struct vmspace *vmspace); #define MAP_CREATE_STACK_GAP_DN 0x00020000 #define MAP_VN_EXEC 0x00040000 #define MAP_SPLIT_BOUNDARY_MASK 0x00180000 +#define MAP_NO_HINT 0x00200000 #define MAP_SPLIT_BOUNDARY_SHIFT 19 diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c index 56345fcaf560..408e077476dd 100644 --- a/sys/vm/vm_mmap.c +++ b/sys/vm/vm_mmap.c 
@@ -353,10 +353,12 @@ kern_mmap(struct thread *td, const struct mmap_req *mrp) * the hint would fall in the potential heap space, * place it after the end of the largest possible heap. * - * There should really be a pmap call to determine a reasonable - * location. + * For anonymous mappings within the address space of the + * calling process, the absence of a hint is handled at a + * lower level in order to implement different clustering + * strategies for ASLR. */ - if (addr == 0 || + if (((flags & MAP_ANON) == 0 && addr == 0) || (addr >= round_page((vm_offset_t)vms->vm_taddr) && addr < round_page((vm_offset_t)vms->vm_daddr + lim_max(td, RLIMIT_DATA))))
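Review bot: In the first vm_map.c hunk, clustering_anon_allowed() case 1 keeps the `addr == 0` test next to the new `(cow & MAP_NO_HINT) != 0` test without saying why both are needed; a reader of the vm_map_find_min() hunk will see that a zero hint is now raised to min_addr before vm_map_find() is reached and may take the first test for dead code. If every path into vm_map_find() goes through vm_map_find_min(), drop the `addr == 0` test; if some callers still pass a raw zero address straight to vm_map_find(), add a one-line comment here saying that those callers signal "no hint" by address and kern_mmap() callers signal it by flag.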
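Review bot: In the vm_map_find_min() hunk, `cow |= MAP_NO_HINT` must stay ahead of `*addr = hint = min_addr`, as it is here, because the second statement is exactly the conversion that previously destroyed the no-hint information; a short comment would protect that ordering from a later reshuffle. Also worth confirming, since the page does not show it: MAP_NO_HINT is ORed into the `cow` argument that vm_map_find() forwards onward, so whatever later translates `cow` bits into map-entry flags has to ignore this bit rather than reject or misinterpret it.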
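Review bot: In the vm_map.h hunk, `#define MAP_NO_HINT 0x00200000` lands between MAP_SPLIT_BOUNDARY_MASK and MAP_SPLIT_BOUNDARY_SHIFT, splitting a pair that belong together; placing it after MAP_SPLIT_BOUNDARY_SHIFT keeps the mask and its shift adjacent. The value is the next free bit above the 0x00180000 mask, which is fine, but the flag deserves a comment noting it is an internal, advisory bit meaning "caller supplied no address hint" rather than a property of the resulting mapping.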
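Review bot: In the kern_mmap() hunk, the rewritten test `((flags & MAP_ANON) == 0 && addr == 0)` only stops the first disjunct from replacing a zero hint; the second disjunct, `addr >= round_page(vm_taddr) && addr < round_page(vm_daddr + lim_max(RLIMIT_DATA))`, still applies when addr == 0, so in any process where round_page((vm_offset_t)vms->vm_taddr) is 0 a zero anonymous hint would still be rewritten here before vm_map_find_min() can set MAP_NO_HINT. If that layout cannot occur, a comment saying so is enough; otherwise add `addr != 0` to the second clause as well. Separately, the new comment speaks of "anonymous mappings within the address space of the calling process" while the code tests only MAP_ANON; it would be clearer to say that file-backed mappings keep the old conversion because the clustering test in vm_map_find() (second vm_map.c hunk) already requires object == NULL.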
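A user-space check for the behaviour the commit message describes, written for this page as an added example (it is not part of the commit or the FreeBSD tree): map several anonymous regions with a NULL hint, then with a nonzero hint, and measure how tightly each batch is packed. The "clustered" heuristic, the region count and size, the slack factor and the nonzero hint value are all assumptions chosen for the illustration; the point is only that back-to-back placement yields a span close to n * len, while independent randomisation of each mapping yields a span orders of magnitude larger.

```c
/*
 * Added example, not from the FreeBSD commit or source tree.
 * Maps anonymous regions and reports whether the kernel placed them
 * next to each other (clustered) or spread them out (randomised).
 */
#define _DEFAULT_SOURCE
#include <sys/mman.h>
#include <stdint.h>
#include <stdio.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

enum { NMAPS = 8, MAP_LEN = 64 * 1024 };   /* assumed batch size and region size */

/* Map n anonymous regions of len bytes each with the given hint (NULL = no hint). */
static int map_anon_regions(void *hint, void *addrs[], int n, size_t len)
{
    for (int i = 0; i < n; i++) {
        void *p = mmap(hint, len, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANON, -1, 0);
        if (p == MAP_FAILED) {
            while (i-- > 0)
                munmap(addrs[i], len);
            return -1;
        }
        addrs[i] = p;
    }
    return 0;
}

static void unmap_regions(void *addrs[], int n, size_t len)
{
    for (int i = 0; i < n; i++)
        munmap(addrs[i], len);
}

/* Address range covered by n mappings: (highest start + len) - lowest start. */
static uintptr_t mapping_span(void *const addrs[], int n, size_t len)
{
    uintptr_t lo = UINTPTR_MAX, hi = 0;
    for (int i = 0; i < n; i++) {
        uintptr_t a = (uintptr_t)addrs[i];
        if (a < lo)
            lo = a;
        if (a + len > hi)
            hi = a + len;
    }
    return n > 0 ? hi - lo : 0;
}

/*
 * Assumed heuristic: the batch counts as clustered when it occupies at most
 * slack times the space it would need if packed back to back.
 */
static int is_clustered(void *const addrs[], int n, size_t len, unsigned slack)
{
    return mapping_span(addrs, n, len) <= (uintptr_t)slack * n * len;
}

static void report(const char *label, void *hint)
{
    void *addrs[NMAPS];

    if (map_anon_regions(hint, addrs, NMAPS, MAP_LEN) != 0) {
        perror("mmap");
        return;
    }
    printf("%s: span %#lx bytes for %d x %#x -> %s\n", label,
           (unsigned long)mapping_span(addrs, NMAPS, MAP_LEN), NMAPS,
           (unsigned)MAP_LEN,
           is_clustered(addrs, NMAPS, MAP_LEN, 4) ? "clustered" : "scattered");
    unmap_regions(addrs, NMAPS, MAP_LEN);
}

int main(void)
{
    /* Arbitrary nonzero hint high in the address space (2^40 on 64-bit hosts). */
    uintptr_t hint = (uintptr_t)1 << (sizeof(void *) * 8 - 24);

    report("hint=NULL   ", NULL);
    report("hint=nonzero", (void *)hint);
    return 0;
}
```

On a FreeBSD kernel with `vm.cluster_anon` at the value 1 shown in the sysctl description of the first hunk, the commit message's account says the NULL-hint batch should come out clustered once this change is in and scattered on a kernel without it, while the nonzero-hint batch should be scattered under ASLR either way; on other operating systems the output reflects only that system's placement policy, and nothing here asserts what a given kernel will do.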