On Mon, Jun 22, 2020 at 09:46:13AM -0600, Theo de Raadt wrote:
> Christian Weisgerber <na...@mips.inka.de> wrote:
>
> > Paul Irofti:
> >
> > > 683		/* map the process's timekeep page */
> > > 684		if (exec_timekeep_map(pr))
> > > 685			goto free_pack_abort;
> > > 686		/* setup new registers and do misc. setup. */
> > > 687		if (pack.ep_emul->e_fixup != NULL) {
> > > 688			if ((*pack.ep_emul->e_fixup)(p, &pack) != 0)
> > > 689				goto free_pack_abort;
> > > 690		}
> >
> > Yes, with this init(8) gets a proper _timekeep instead of 0x0.
> >
> > For randomization of the userland page...
> >
> > +	if (uvm_map(&pr->ps_vmspace->vm_map, &pr->ps_timekeep,
> > 	    round_page(timekeep_sz),
> >
> > ... ps_timekeep needs to be 0 here. At the moment, it inherits the
> > value from the parent process in fork().
> >
> > In struct process in sys/proc.h, there is this:
> >
> > 	/* The following fields are all zeroed upon creation in process_new. */
> > 	...
> > 	/* End area that is zeroed on creation. */
> >
> > If I move
> >
> > 	vaddr_t ps_timekeep;		/* User pointer to timekeep */
> >
> > up into the zeroed area, I get a properly randomized _timekeep in
> > userland.
>
> Right.
>
>
> BTW, why is this important? One could say this does not need to
> be randomized. It has no secret. But a significant downside occurs
> with visible effects.
>
> If that 1 page is always in the same place, then address-space
> randomized mappings of future objects will not be able to place an
> object over that one page.
>
> The address space is significantly less randomized as soon as it
> contains one fixed object. Less randomized in a severe way impacting
> security.
Fully agree. I am going to send a new diff out with all of these included.
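As an added user-space model of the layout problem discussed in the thread (it is not code from the thread, from OpenBSD, or from Paul's diff), the block below mimics process_new() zeroing one span of struct process and copying the other from the parent, then mapping the timekeep page with ps_timekeep as the address hint. The placement rule of model_uvm_map(), the FORK_EXEC macro, and the two struct layouts are assumptions made for the model; the real uvm_map(), ps_startzero/ps_endzero labels and kernel code are not reproduced.

```c
#include <stdint.h>
#include <string.h>
typedef uintptr_t vaddr_t;

/* Model of uvm_map() placement (not the kernel's code): a zero hint gets a
 * fresh address, here a constructed deterministic stride instead of random;
 * a usable non-zero hint is honoured, i.e. the mapping lands where asked. */
static vaddr_t next_va = 0x7f000000UL;
static vaddr_t model_uvm_map(vaddr_t hint)
{
	if (hint != 0)
		return hint;
	next_va += 0x1000UL * 0x4d2UL;
	return next_va;
}

/* Before the fix ps_timekeep sat in the span process_new() copies from the
 * parent; after it sits in the zeroed span (markers are model stand-ins). */
struct process_before {
	char ps_startzero, ps_endzero;	/* zeroed: [startzero, endzero) */
	vaddr_t ps_timekeep;		/* copied: [endzero, endcopy) */
	char ps_endcopy;
};
struct process_after {
	char ps_startzero;
	vaddr_t ps_timekeep;		/* now inside the zeroed span */
	char ps_endzero, ps_endcopy;
};

/* fork() via process_new(), then exec_timekeep_map(): zero one span, copy
 * the other from the parent, then map the page using ps_timekeep as hint. */
#define FORK_EXEC(c, p) do {						\
	memset(&(c)->ps_startzero, 0,					\
	    (char *)&(c)->ps_endzero - (char *)&(c)->ps_startzero);	\
	memcpy(&(c)->ps_endzero, &(p)->ps_endzero,			\
	    (char *)&(c)->ps_endcopy - (char *)&(c)->ps_endzero);	\
	(c)->ps_timekeep = model_uvm_map((c)->ps_timekeep);		\
} while (0)

/* Each returns 1 when two children of init get the same timekeep address. */
int timekeep_fixed_before(void) {
	struct process_before init = { 0 }, c1, c2;
	init.ps_timekeep = model_uvm_map(0);
	FORK_EXEC(&c1, &init); FORK_EXEC(&c2, &init);
	return c1.ps_timekeep == c2.ps_timekeep;
}
int timekeep_fixed_after(void) {
	struct process_after init = { 0 }, c1, c2;
	init.ps_timekeep = model_uvm_map(0);
	FORK_EXEC(&c1, &init); FORK_EXEC(&c2, &init);
	return c1.ps_timekeep == c2.ps_timekeep;
}
```

With ps_timekeep in the copied span every child inherits init's address and the page is pinned; moved into the zeroed span, each exec gets a fresh placement.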