tech-kern archive


Re: amd64: kernel aslr support



On Wed, Jan 17, 2018 at 08:01:19AM +0100, Maxime Villard wrote:
> Or, you can dump the location of the segments by loading a kernel module
> that calls the following function
...
> It will give you the addresses of the pages containing the kernel sections.
> Note however that the sections may not start exactly at the printed addresses,
> they are shifted.

Thanks, that worked. I've attached the kernel module I wrote (put it
in src/sys/modules/aslr_test).

Here's the output:

GENERIC:
Segment 0 (text): va=0xffffffff80200000 size=12582912
Segment 1 (rodata): va=0xffffffff80e00000 size=6291456
Segment 2 (data): va=0xffffffff81400000 size=8388608

KASLR, boot 1
Segment 0 (text): va=0xffffffffc3400000 size=2097152
Segment 1 (rodata): va=0xfffffffffa0ec000 size=4096
Segment 2 (rodata): va=0xfffffffff5e00000 size=2097152
Segment 3 (rodata): va=0xffffffffbd800000 size=2097152
Segment 4 (rodata): va=0xffffffff9fb39000 size=4096
Segment 5 (rodata): va=0xffffffffa12a6000 size=4096
Segment 6 (rodata): va=0xffffffffd7872000 size=4096
Segment 7 (rodata): va=0xffffffffe37e2000 size=4096
Segment 8 (rodata): va=0xffffffffa4f15000 size=4096
Segment 9 (rodata): va=0xffffffffcb613000 size=4096
Segment 10 (rodata): va=0xffffffffbf82a000 size=4096
Segment 11 (rodata): va=0xffffffff95414000 size=4096
Segment 12 (rodata): va=0xffffffffbf8f1000 size=4096
Segment 13 (rodata): va=0xffffffffa0fa2000 size=4096
Segment 14 (rodata): va=0xffffffff835b5000 size=4096
Segment 15 (data): va=0xfffffffff8c00000 size=2097152
Segment 16 (data): va=0xffffffff8d000000 size=2097152
Segment 17 (data): va=0xffffffffe3000000 size=2097152
Segment 18 (data): va=0xffffffffa5e00000 size=2097152
Segment 19 (text): va=0xffffffffff800000 size=2097152
Segment 20 (text): va=0xffffffffc3a00000 size=2097152
Segment 21 (text): va=0xffffffff9d400000 size=2097152
Segment 22 (text): va=0xffffffffc3600000 size=2097152
Segment 23 (text): va=0xffffffffca800000 size=2097152
Segment 24 (text): va=0xffffffffe8e00000 size=2097152
Segment 25 (text): va=0xffffffffc5e00000 size=2097152
Segment 26 (text): va=0xfffffffff6a00000 size=2097152
Segment 27 (text): va=0xffffffffec800000 size=2097152
Segment 28 (text): va=0xffffffffc6600000 size=2097152
Segment 29 (text): va=0xffffffff85a00000 size=2097152
Segment 30 (rodata): va=0xffffffffdb000000 size=2097152
Segment 31 (rodata): va=0xfffffffffac00000 size=2097152
Segment 32 (rodata): va=0xffffffff8e600000 size=2097152
Segment 33 (rodata): va=0xffffffffb8400000 size=2097152
Segment 34 (rodata): va=0xffffffff94400000 size=2097152

KASLR, boot 2
Segment 0 (text): va=0xffffffffb7000000 size=2097152
Segment 1 (rodata): va=0xffffffffc1b36000 size=4096
Segment 2 (rodata): va=0xffffffffc7400000 size=2097152
Segment 3 (rodata): va=0xffffffffe7e00000 size=2097152
Segment 4 (rodata): va=0xffffffff93453000 size=4096
Segment 5 (rodata): va=0xffffffffa4260000 size=4096
Segment 6 (rodata): va=0xffffffff862c7000 size=4096
Segment 7 (rodata): va=0xffffffffd8681000 size=4096
Segment 8 (rodata): va=0xffffffffaec34000 size=4096
Segment 9 (rodata): va=0xffffffffdba5e000 size=4096
Segment 10 (rodata): va=0xffffffff8e14c000 size=4096
Segment 11 (rodata): va=0xffffffffb2cbc000 size=4096
Segment 12 (rodata): va=0xffffffffa5a5e000 size=4096
Segment 13 (rodata): va=0xffffffffdc716000 size=4096
Segment 14 (rodata): va=0xffffffff96f8b000 size=4096
Segment 15 (data): va=0xffffffffd1e00000 size=2097152
Segment 16 (data): va=0xffffffffcec00000 size=2097152
Segment 17 (data): va=0xffffffffec400000 size=2097152
Segment 18 (data): va=0xffffffffc3e00000 size=2097152
Segment 19 (text): va=0xffffffff92c00000 size=2097152
Segment 20 (text): va=0xffffffff8c200000 size=2097152
Segment 21 (text): va=0xffffffff9a200000 size=2097152
Segment 22 (text): va=0xffffffffa4600000 size=2097152
Segment 23 (text): va=0xffffffffe9a00000 size=2097152
Segment 24 (text): va=0xffffffffab600000 size=2097152
Segment 25 (text): va=0xffffffffd3c00000 size=2097152
Segment 26 (text): va=0xffffffff83400000 size=2097152
Segment 27 (text): va=0xfffffffff1200000 size=2097152
Segment 28 (text): va=0xffffffffd2400000 size=2097152
Segment 29 (text): va=0xffffffffc9000000 size=2097152
Segment 30 (rodata): va=0xffffffffaf800000 size=2097152
Segment 31 (rodata): va=0xffffffffacc00000 size=2097152
Segment 32 (rodata): va=0xffffffffae600000 size=2097152
Segment 33 (rodata): va=0xfffffffff1600000 size=2097152
Segment 34 (rodata): va=0xffffffffad000000 size=2097152

> > Why does GENERIC_KASLR disable KDTRACE_HOOKS? Is this necessary, or
> > are KDTRACE_HOOKS lowering the security somehow?
> 
> In fact, it's because KDTRACE_HOOKS wants to parse one CTF section; but with
> our implementation we have several of them, and KDTRACE_HOOKS does not
> handle that.

Chuck's patch for better ZFS/DTRACE support includes parsing of
multiple CTF sections, intended for use with kernel modules (so that
each kernel module can include its CTF). Will that be sufficient for
KASLR?

Thanks,
 Thomas

# $NetBSD: Makefile,v 1.1 2016/11/16 00:49:27 pgoyette Exp $

.include "../Makefile.inc"

.PATH:  ${S}/kern

KMOD=		aslr_test
SRCS=		aslr_test.c

.include <bsd.kmodule.mk>

/*	$NetBSD: bufq_priocscan.c,v 1.21 2017/05/04 11:03:27 kamil Exp $	*/

/*-
 * Copyright (c) 2018 Thomas Klausner
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD$");

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/module.h>
#include <uvm/uvm.h>
#include <uvm/uvm_pmap.h>

#define BTSEG_NONE	0
#define BTSEG_TEXT	1
#define BTSEG_RODATA	2
#define BTSEG_DATA	3

static int
aslr_test_init(void)
{
	/* Boot-time segment table describing where the kernel sections were loaded. */
	extern struct bootspace bootspace;
	size_t i;

	const char *names[4] = {
		[BTSEG_NONE] = "none",
		[BTSEG_TEXT] = "text",
		[BTSEG_RODATA] = "rodata",
		[BTSEG_DATA] = "data"
	};

	/* Print the start address and size of every populated segment. */
	for (i = 0; i < BTSPACE_NSEGS; i++) {
		if (bootspace.segs[i].type == BTSEG_NONE) {
			continue;
		}
		printf("Segment %zu (%s): va=%p size=%zu\n", i,
		       names[bootspace.segs[i].type],
		       (void *)bootspace.segs[i].va,
		       bootspace.segs[i].sz);
	}
	return 0;
}

static int
aslr_test_fini(void)
{
	return 0;
}

MODULE(MODULE_CLASS_MISC, aslr_test, NULL);

static int
aslr_test_modcmd(modcmd_t cmd, void *opaque)
{

	switch (cmd) {
	case MODULE_CMD_INIT:
		return aslr_test_init();
	case MODULE_CMD_FINI:
		return aslr_test_fini();
	default:
		return ENOTTY;
	}
}
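As an added example, not part of the mail or its attachment, here is a small Python script that parses the module's "Segment N (type): va=... size=..." lines, checks that every segment is suitably aligned and that no two overlap, and measures how far each segment moved between the two boots. The 2 GiB kernel window used for the rough entropy estimate is an assumption drawn from the observed addresses, not taken from the NetBSD implementation.

```python
import math
import re

# Constructed excerpt of the module output quoted in the mail (four of the
# 35 segments of each KASLR boot); parse() accepts the full dump unchanged.
BOOT1 = """\
Segment 0 (text): va=0xffffffffc3400000 size=2097152
Segment 1 (rodata): va=0xfffffffffa0ec000 size=4096
Segment 15 (data): va=0xfffffffff8c00000 size=2097152
Segment 19 (text): va=0xffffffffff800000 size=2097152
"""
BOOT2 = """\
Segment 0 (text): va=0xffffffffb7000000 size=2097152
Segment 1 (rodata): va=0xffffffffc1b36000 size=4096
Segment 15 (data): va=0xffffffffd1e00000 size=2097152
Segment 19 (text): va=0xffffffff92c00000 size=2097152
"""
LINE = re.compile(r"Segment (\d+) \((\w+)\): va=0x([0-9a-f]+) size=(\d+)")
LARGE = 2 << 20   # 2 MiB: the size of every non-4 KiB segment in the dump

def parse(dump):
    """Map segment index -> (type, va, size) from the module's printf lines."""
    return {int(m[1]): (m[2], int(m[3], 16), int(m[4])) for m in LINE.finditer(dump)}

def aligned(va, size):
    """2 MiB segments must start on a 2 MiB boundary, 4 KiB ones on a 4 KiB boundary."""
    unit = LARGE if size >= LARGE else 4096
    return va % unit == 0

def overlaps(segs):
    """Index pairs whose [va, va+size) ranges intersect; a correct layout has none."""
    by_va = sorted(segs.items(), key=lambda kv: kv[1][1])
    return [(i, j) for (i, (_, a, asz)), (j, (_, b, _)) in zip(by_va, by_va[1:])
            if a + asz > b]

def compare(dump_a, dump_b):
    """Per-segment VA shift between two boots and how many segments moved at all."""
    a, b = parse(dump_a), parse(dump_b)
    shifts = {i: b[i][1] - a[i][1] for i in a if i in b}
    return shifts, sum(1 for d in shifts.values() if d != 0)

def slot_bits(segs, lo=0xffffffff80000000, hi=1 << 64):
    """Rough per-segment entropy: log2 of the number of segment-sized slots in the
    kernel VA window [lo, hi). The 2 GiB default window is an assumption taken
    from the observed addresses, and the estimate ignores non-overlap constraints."""
    return {i: math.log2((hi - lo) // (LARGE if sz >= LARGE else 4096))
            for i, (_, _, sz) in segs.items()}
```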

