2013/2/27 Axel Dörfler <axeld@xxxxxxxxxxxxxxxx>: > Am 26/02/2013 22:47, schrieb Pawel Dziepak: >> 2013/2/26 Axel Dörfler <axeld@xxxxxxxxxxxxxxxx>: >>> I don't see where you change the size requirements of areas with a >>> randomized start pointer - it might need a page more. >> >> _RandomizeAddress randomizes address with page granularity so that >> there is no reason to adjust the area size. Inside the page >> randomization is only performed in special cases and is not handled >> here (like initial stack pointer randomization from previous commit). > > That's exactly why the size requirements change. If you want to create a 4K > area with a randomized base, you will now most probably need an 8K area. I > wonder why to put that logic into the client if the kernel already supports > randomizing the base (which could be done by the client, too). I decided to implement it in such way that create_area() create area at non-deterministic position, but the size of that area is exactly what the client requested. Any additional (i.e. inside the page) randomization has to be done by the client which knows what it is doing. The reasons for such decision are as follows: 1. If the actual area size could be larger than requested it would create weird situations when growing a heap. Either a space not explicitly allocated would be used or we could not merge two neighboring areas. 2. Ensuring requested alignment in create_area() would become too complicated. The client might request larger than page size alignment (which is OK) but also could request smaller than page alignment and then area would have to be created in such way that it does not share any page with other areas (so effectively a page alignment) and then after randomizing inside the page ensure that smaller than page alignment. 3. The clients may not know what (smaller than page) alignment they require. For example, if they want to prevent false sharing the data should be aligned to cache lines. On current IA32 processors it is usually 64 bytes but may change in the future. 4. Other major uses of non-deterministic create_area(), i.e. runtime_loader and mmap(), require a page alignment. That's pretty much why create_area() does not perform inside the page randomization. You have also suggested that the base could be randomized by the client. That would not be enough for ASLR. When process address space became crowded randomized base address given by the client would be already used, with higher probability, and create_area() would use next free large enough space returning and address not as random as we would expect it to be. Moreover when the area in interval [base address, end] is full then create_area() would fall back to B_ANY_ADDRESS returning deterministic addresses. Paweł