[haiku-commits] Re: BRANCH pdziepak-github.aslr - src/system/kernel/vm headers/os/kernel
- From: Pawel Dziepak <pdziepak@xxxxxxxxxxx>
- To: haiku-commits@xxxxxxxxxxxxx
- Date: Wed, 27 Feb 2013 18:30:58 +0100
2013/2/27 Axel Dörfler <axeld@xxxxxxxxxxxxxxxx>:
> Am 26/02/2013 22:47, schrieb Pawel Dziepak:
>> 2013/2/26 Axel Dörfler <axeld@xxxxxxxxxxxxxxxx>:
>>> I don't see where you change the size requirements of areas with a
>>> randomized start pointer - it might need a page more.
>>
>> _RandomizeAddress randomizes address with page granularity so that
>> there is no reason to adjust the area size. Inside the page
>> randomization is only performed in special cases and is not handled
>> here (like initial stack pointer randomization from previous commit).
>
> That's exactly why the size requirements change. If you want to create a 4K
> area with a randomized base, you will now most probably need an 8K area. I
> wonder why to put that logic into the client if the kernel already supports
> randomizing the base (which could be done by the client, too).
I decided to implement it in such way that create_area() create area
at non-deterministic position, but the size of that area is exactly
what the client requested. Any additional (i.e. inside the page)
randomization has to be done by the client which knows what it is
doing. The reasons for such decision are as follows:
1. If the actual area size could be larger than requested it would
create weird situations when growing a heap. Either a space not
explicitly allocated would be used or we could not merge two
neighboring areas.
2. Ensuring requested alignment in create_area() would become too
complicated. The client might request larger than page size alignment
(which is OK) but also could request smaller than page alignment and
then area would have to be created in such way that it does not share
any page with other areas (so effectively a page alignment) and then
after randomizing inside the page ensure that smaller than page
alignment.
3. The clients may not know what (smaller than page) alignment they
require. For example, if they want to prevent false sharing the data
should be aligned to cache lines. On current IA32 processors it is
usually 64 bytes but may change in the future.
4. Other major uses of non-deterministic create_area(), i.e.
runtime_loader and mmap(), require a page alignment.
That's pretty much why create_area() does not perform inside the page
randomization. You have also suggested that the base could be
randomized by the client. That would not be enough for ASLR. When
process address space became crowded randomized base address given by
the client would be already used, with higher probability, and
create_area() would use next free large enough space returning and
address not as random as we would expect it to be. Moreover when the
area in interval [base address, end] is full then create_area() would
fall back to B_ANY_ADDRESS returning deterministic addresses.
Paweł
Other related posts:
