1. Design

The goal of RANDMMAP is to introduce randomness into memory regions handled
by the do_mmap() kernel interface. This includes all file and anonymous
mappings, such as the main executable, libraries, and the brk() and mmap()
managed heaps.

Since the brk() managed heap is tied to the main executable, and the latter
cannot be randomly remapped without further tricks if it is an ET_EXEC
ELF executable (see RANDEXEC for more details), RANDMMAP handles ET_DYN
ELF executables only. Luckily, creating ET_DYN ELF executables is a very
simple process, and their randomization is much easier and does not have
the drawbacks of RANDEXEC.

2. Implementation

All methods of populating the address space of a task are based on the
do_mmap_pgoff() internal kernel function in mm/mmap.c. This function can
establish a mapping at a caller-specified address (if the MAP_FIXED flag
is used) or at an address chosen by the kernel. PaX honours the first type
of request and intervenes in the second only.

The core function that chooses a large enough unpopulated region in the
task's address space is arch_get_unmapped_area() in mm/mmap.c. The search
algorithm is simple: the function enumerates all memory mappings from a
given address upwards (either a user-supplied hint or TASK_UNMAPPED_BASE) and
returns the first hole big enough to satisfy the request.

PaX applies randomization (delta_mmap) to TASK_UNMAPPED_BASE in bits 12-27
(16 bits) and ignores the hint for file mappings (unfortunately there is
a 'feature' in linuxthreads where the thread stack mappings do not specify
MAP_FIXED but still expect that behaviour, so the hint cannot be overridden
for anonymous mappings). Note that overriding the hint is not a problem, as
MAP_FIXED requests are directly satisfied in get_unmapped_area() and never
end up in arch_get_unmapped_area().

There is one more place where RANDMMAP introduces randomness: the
load_elf_binary() function in fs/binfmt_elf.c. As mentioned already, there
are two ways to randomize the mapping of the main executable: RANDEXEC
for ET_EXEC ELF files and RANDMMAP for ET_DYN ELF files. The latter is
accomplished here by overriding the standard ELF_ET_DYN_BASE address used
for mapping ET_DYN ELF files: PaX chooses the new base at the standard
ET_EXEC base address of 0x08048000 and adds the delta_exec random value
to it. This way the task's address space layout will look similar to the
normal ET_EXEC case.
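The two mechanisms described above, the first-fit hole search starting from a randomized TASK_UNMAPPED_BASE and the ET_DYN base of 0x08048000 plus delta_exec, are modelled in the following added example. It is user-space model code written for this page, not PaX or Linux kernel code: the function names (pax_delta, first_fit, randmmap_file_area, randmmap_et_dyn_base), the struct vma layout and the sample address space are constructed for illustration; the page values, 16 random bits placed in bits 12-27, a 0x08048000 ET_EXEC base and a first-fit walk upwards from the base, are the only parts taken from the text. TASK_SIZE and TASK_UNMAPPED_BASE are assumed to take the classic i386 values.

```c
/*
 * Added example (not PaX or kernel code): a user-space model of the
 * first-fit hole search described for arch_get_unmapped_area(), with a
 * PaX-style random offset applied to the search base, and of the
 * ET_DYN base computation.  Function names are hypothetical; TASK_SIZE and
 * TASK_UNMAPPED_BASE are assumed to be the classic i386 values.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define TASK_SIZE  0xC0000000UL             /* assumed: 3G/1G i386 split */
#define TASK_UNMAPPED_BASE (TASK_SIZE / 3)  /* assumed: 0x40000000 on i386 */
#define ET_EXEC_BASE 0x08048000UL           /* standard ET_EXEC base from the text */

/* A sorted, non-overlapping list of existing mappings [start, end). */
struct vma { uint32_t start, end; };

/* 16 random bits placed in bits 12..27, so the delta stays page aligned.
 * This is the shape of both delta_mmap and delta_exec in the text. */
static uint32_t pax_delta(uint32_t rnd16)
{
    return (rnd16 & 0xFFFFU) << PAGE_SHIFT;
}

static uint32_t page_align(uint32_t addr)
{
    return (addr + PAGE_SIZE - 1) & ~(uint32_t)(PAGE_SIZE - 1);
}

/* First-fit search: walk the sorted VMAs from 'base' upwards and return the
 * first hole of at least 'len' bytes, or 0 if none fits below TASK_SIZE. */
static uint32_t first_fit(const struct vma *vmas, size_t n,
                          uint32_t base, uint32_t len)
{
    uint32_t addr = page_align(base);
    for (size_t i = 0; i < n; i++) {
        if (vmas[i].end <= addr)
            continue;            /* mapping lies entirely below the cursor */
        if (vmas[i].start >= addr + len)
            break;               /* hole [addr, vmas[i].start) is big enough */
        addr = vmas[i].end;      /* skip past this mapping and keep walking */
    }
    if (addr + len < addr || addr + len > TASK_SIZE)
        return 0;                /* wrapped or ran past the end of user space */
    return addr;
}

/* File-mapping case from the text: the caller's hint is ignored and the
 * search starts at TASK_UNMAPPED_BASE + delta_mmap. */
static uint32_t randmmap_file_area(const struct vma *vmas, size_t n,
                                   uint32_t delta_mmap, uint32_t len)
{
    return first_fit(vmas, n, (uint32_t)TASK_UNMAPPED_BASE + delta_mmap, len);
}

/* ET_DYN case from the text: standard ET_EXEC base plus delta_exec. */
static uint32_t randmmap_et_dyn_base(uint32_t delta_exec)
{
    return (uint32_t)ET_EXEC_BASE + delta_exec;
}

int main(void)
{
    /* Constructed address space: one page at the ET_EXEC base and a
     * mapping sitting exactly at the randomized search base, so the walk
     * has to step over it before it finds a hole. */
    uint32_t delta_mmap = pax_delta(0x1234);
    struct vma vmas[] = {
        { (uint32_t)ET_EXEC_BASE, (uint32_t)ET_EXEC_BASE + 0x1000 },
        { (uint32_t)TASK_UNMAPPED_BASE + delta_mmap,
          (uint32_t)TASK_UNMAPPED_BASE + delta_mmap + 0x3000 },
    };
    uint32_t got = randmmap_file_area(vmas, 2, delta_mmap, 0x2000);
    printf("delta_mmap=0x%08x file mapping placed at 0x%08x\n", delta_mmap, got);
    printf("ET_DYN base with delta_exec=0x%08x: 0x%08x\n",
           pax_delta(0x00ab), randmmap_et_dyn_base(pax_delta(0x00ab)));
    return 0;
}
```

Changing the 16-bit value fed to pax_delta moves the whole search window by whole pages, which is the point of the text: the same first-fit walk runs, but its starting point differs per task, so an attacker cannot predict where the first file mapping lands from the unrandomized layout alone.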