From nobody Tue Jun 27 11:56:48 2023 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Qr39555x6z4hf77; Tue, 27 Jun 2023 11:56:57 +0000 (UTC) (envelope-from SRS0=ozBo=CP=klop.ws=ronald-lists@realworks.nl) Received: from smtp-relay-int.realworks.nl (smtp-relay-int.realworks.nl [194.109.157.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Qr3950kpKz4LLM; Tue, 27 Jun 2023 11:56:57 +0000 (UTC) (envelope-from SRS0=ozBo=CP=klop.ws=ronald-lists@realworks.nl) Authentication-Results: mx1.freebsd.org; none Date: Tue, 27 Jun 2023 13:56:48 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=klop.ws; s=rw2; t=1687867008; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=LYijmR5hfILmsr8Rpl36j6p2+JVn/fNsrDXPe+0efXs=; b=FILRvWQbSmsBzl6D5z0x5HaoCp20M+JTNKgMHmlKOu1lDx36Fxcd1xp7JP6Q8z7hWzFSo2 8Ed7jNFwHCFk1G9pIfjUlZrxO5EMdtb5kNRz+jP29ZHbiXckWVVlYmDH0z9AeYoWgVhulQ qIqmP0oRpZj4ZcQVCLBNNxfQ0onc2p75NnlhsxN0xXfGQHsKz+3QK/nhyi4JUUFkNN6WtP RS7RdltVyV2QvVc7UtzJxlgy0qPx1+uGsgB+FRte9DTjXtv6UZ/oyJGM4rv2oOcgMZKZiC e7xSdWTUkqm+6ObbA1WE1TI1190YPhnVEIfYX529WN2uur3koQHbJh4S+Udl/A== From: Ronald Klop To: Alan Cox Cc: dev-commits-src-all@FreeBSD.org, src-committers@FreeBSD.org, dev-commits-src-main@FreeBSD.org Message-ID: <1976086601.6443.1687867008855@localhost> In-Reply-To: <202306270443.35R4hofY050812@gitrepo.freebsd.org> References: <202306270443.35R4hofY050812@gitrepo.freebsd.org> Subject: Re: git: d8e6f4946cec - main - vm: Fix anonymous memory clustering under ASLR List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_6442_948850698.1687867008768" X-Mailer: Realworks (659.136) Importance: Normal X-Priority: 3 (Normal) X-Rspamd-Queue-Id: 4Qr3950kpKz4LLM X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:3265, ipnet:194.109.0.0/16, country:NL] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N ------=_Part_6442_948850698.1687867008768 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Hi, Could this be a reason of this issue? https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260187 Regards, Ronald. Van: Alan Cox Datum: dinsdag, 27 juni 2023 06:43 Aan: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Onderwerp: git: d8e6f4946cec - main - vm: Fix anonymous memory clustering under ASLR > > The branch main has been updated by alc: > > URL: https://cgit.FreeBSD.org/src/commit/?id=d8e6f4946cec0b84a6997d62e791b8cf993741b2 > > commit d8e6f4946cec0b84a6997d62e791b8cf993741b2 > Author: Alan Cox > AuthorDate: 2023-06-23 17:00:32 +0000 > Commit: Alan Cox > CommitDate: 2023-06-27 04:42:48 +0000 > > vm: Fix anonymous memory clustering under ASLR > > By default, our ASLR implementation is supposed to cluster anonymous > memory allocations, unless the application's mmap(..., MAP_ANON, ...) > call included a non-zero address hint. Unfortunately, clustering > never occurred because kern_mmap() always replaced the given address > hint when it was zero. So, the ASLR implementation always believed > that a non-zero hint had been provided and randomized the mapping's > location in the address space. To fix this problem, I'm pushing down > the point at which we convert a hint of zero to the minimum allocatable > address from kern_mmap() to vm_map_find_min(). > > Reviewed by: kib > MFC after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D40743 > --- > sys/vm/vm_map.c | 10 +++++++--- > sys/vm/vm_map.h | 1 + > sys/vm/vm_mmap.c | 8 +++++--- > 3 files changed, 13 insertions(+), 6 deletions(-) > > diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c > index f5863a9b9939..a02107b5e64d 100644 > --- a/sys/vm/vm_map.c > +++ b/sys/vm/vm_map.c > @@ -1981,14 +1981,14 @@ SYSCTL_INT(_vm, OID_AUTO, cluster_anon, CTLFLAG_RW, > "Cluster anonymous mappings: 0 = no, 1 = yes if no hint, 2 = always"); > > static bool > -clustering_anon_allowed(vm_offset_t addr) > +clustering_anon_allowed(vm_offset_t addr, int cow) > { > > switch (cluster_anon) { > case 0: > return (false); > case 1: > - return (addr == 0); > + return (addr == 0 || (cow & MAP_NO_HINT) != 0); > case 2: > default: > return (true); > @@ -2111,7 +2111,7 @@ vm_map_find(vm_map_t map, vm_object_t object, vm_ooffset_t offset, > } else > alignment = 0; > en_aslr = (map->flags & MAP_ASLR) != 0; > - update_anon = cluster = clustering_anon_allowed(*addr) && > + update_anon = cluster = clustering_anon_allowed(*addr, cow) && > (map->flags & MAP_IS_SUB_MAP) == 0 && max_addr == 0 && > find_space != VMFS_NO_SPACE && object == NULL && > (cow & (MAP_INHERIT_SHARE | MAP_STACK_GROWS_UP | > @@ -2255,6 +2255,10 @@ vm_map_find_min(vm_map_t map, vm_object_t object, vm_ooffset_t offset, > int rv; > > hint = *addr; > + if (hint == 0) > + cow |= MAP_NO_HINT; > + if (hint < min_addr) > + *addr = hint = min_addr; > for (;;) { > rv = vm_map_find(map, object, offset, addr, length, max_addr, > find_space, prot, max, cow); > diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h > index 2ac54a39a57b..fd8b606e8ddc 100644 > --- a/sys/vm/vm_map.h > +++ b/sys/vm/vm_map.h > @@ -383,6 +383,7 @@ long vmspace_resident_count(struct vmspace *vmspace); > #define MAP_CREATE_STACK_GAP_DN 0x00020000 > #define MAP_VN_EXEC 0x00040000 > #define MAP_SPLIT_BOUNDARY_MASK 0x00180000 > +#define MAP_NO_HINT 0x00200000 > > #define MAP_SPLIT_BOUNDARY_SHIFT 19 > > diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c > index 56345fcaf560..408e077476dd 100644 > --- a/sys/vm/vm_mmap.c > +++ b/sys/vm/vm_mmap.c > @@ -353,10 +353,12 @@ kern_mmap(struct thread *td, const struct mmap_req *mrp) > * the hint would fall in the potential heap space, > * place it after the end of the largest possible heap. > * > - * There should really be a pmap call to determine a reasonable > - * location. > + * For anonymous mappings within the address space of the > + * calling process, the absence of a hint is handled at a > + * lower level in order to implement different clustering > + * strategies for ASLR. > */ > - if (addr == 0 || > + if (((flags & MAP_ANON) == 0 && addr == 0) || > (addr >= round_page((vm_offset_t)vms->vm_taddr) && > addr < round_page((vm_offset_t)vms->vm_daddr + > lim_max(td, RLIMIT_DATA)))) > > > > ------=_Part_6442_948850698.1687867008768 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Hi,

Could this be a reason of this issue?
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260187

Regards,
Ronald.

 

Van: Alan Cox <alc@FreeBSD.org>
Datum: dinsdag, 27 juni 2023 06:43
Aan: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Onderwerp: git: d8e6f4946cec - main - vm: Fix anonymous memory clustering under ASLR

The branch main has been updated by alc:

URL: https://cgit.FreeBSD.org/src/commit/?id=d8e6f4946cec0b84a6997d62e791b8cf993741b2

commit d8e6f4946cec0b84a6997d62e791b8cf993741b2
Author:     Alan Cox <alc@FreeBSD.org>
AuthorDate: 2023-06-23 17:00:32 +0000
Commit:     Alan Cox <alc@FreeBSD.org>
CommitDate: 2023-06-27 04:42:48 +0000

    vm: Fix anonymous memory clustering under ASLR
    
    By default, our ASLR implementation is supposed to cluster anonymous
    memory allocations, unless the application's mmap(..., MAP_ANON, ...)
    call included a non-zero address hint.  Unfortunately, clustering
    never occurred because kern_mmap() always replaced the given address
    hint when it was zero.  So, the ASLR implementation always believed
    that a non-zero hint had been provided and randomized the mapping's
    location in the address space.  To fix this problem, I'm pushing down
    the point at which we convert a hint of zero to the minimum allocatable
    address from kern_mmap() to vm_map_find_min().
    
    Reviewed by:    kib
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D40743
---
 sys/vm/vm_map.c  | 10 +++++++---
 sys/vm/vm_map.h  |  1 +
 sys/vm/vm_mmap.c |  8 +++++---
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index f5863a9b9939..a02107b5e64d 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -1981,14 +1981,14 @@ SYSCTL_INT(_vm, OID_AUTO, cluster_anon, CTLFLAG_RW,
     "Cluster anonymous mappings: 0 = no, 1 = yes if no hint, 2 = always");
 
 static bool
-clustering_anon_allowed(vm_offset_t addr)
+clustering_anon_allowed(vm_offset_t addr, int cow)
 {
 
    switch (cluster_anon) {
    case 0:
        return (false);
    case 1:
-       return (addr == 0);
+       return (addr == 0 || (cow & MAP_NO_HINT) != 0);
    case 2:
    default:
        return (true);
@@ -2111,7 +2111,7 @@ vm_map_find(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
    } else
        alignment = 0;
    en_aslr = (map->flags & MAP_ASLR) != 0;
-   update_anon = cluster = clustering_anon_allowed(*addr) &&
+   update_anon = cluster = clustering_anon_allowed(*addr, cow) &&
        (map->flags & MAP_IS_SUB_MAP) == 0 && max_addr == 0 &&
        find_space != VMFS_NO_SPACE && object == NULL &&
        (cow & (MAP_INHERIT_SHARE | MAP_STACK_GROWS_UP |
@@ -2255,6 +2255,10 @@ vm_map_find_min(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
    int rv;
 
    hint = *addr;
+   if (hint == 0)
+       cow |= MAP_NO_HINT;
+   if (hint < min_addr)
+       *addr = hint = min_addr;
    for (;;) {
        rv = vm_map_find(map, object, offset, addr, length, max_addr,
            find_space, prot, max, cow);
diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h
index 2ac54a39a57b..fd8b606e8ddc 100644
--- a/sys/vm/vm_map.h
+++ b/sys/vm/vm_map.h
@@ -383,6 +383,7 @@ long vmspace_resident_count(struct vmspace *vmspace);
 #define    MAP_CREATE_STACK_GAP_DN 0x00020000
 #define    MAP_VN_EXEC     0x00040000
 #define    MAP_SPLIT_BOUNDARY_MASK 0x00180000
+#define    MAP_NO_HINT     0x00200000
 
 #define    MAP_SPLIT_BOUNDARY_SHIFT 19
 
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index 56345fcaf560..408e077476dd 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -353,10 +353,12 @@ kern_mmap(struct thread *td, const struct mmap_req *mrp)
         * the hint would fall in the potential heap space,
         * place it after the end of the largest possible heap.
         *
-        * There should really be a pmap call to determine a reasonable
-        * location.
+        * For anonymous mappings within the address space of the
+        * calling process, the absence of a hint is handled at a
+        * lower level in order to implement different clustering
+        * strategies for ASLR.
         */
-       if (addr == 0 ||
+       if (((flags & MAP_ANON) == 0 && addr == 0) ||
            (addr >= round_page((vm_offset_t)vms->vm_taddr) &&
            addr < round_page((vm_offset_t)vms->vm_daddr +
            lim_max(td, RLIMIT_DATA))))
 

  ------=_Part_6442_948850698.1687867008768--