paxtest里面对于mmap的测试结果:
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
-------------------------------------------------------------------------------
--------------------------------------------------------------------------------
在 arch/x86/mm/mmap.c 中
/*
 * mmap_rnd - pick the random offset later subtracted from the mmap base.
 *
 * Returns 0 when the current task does not have PF_RANDOMIZE set.
 * Otherwise returns a random page count shifted left by PAGE_SHIFT:
 *   - ia32 tasks:   8 random bits  (value in [0, 1<<8))
 *   - 64-bit tasks: 28 random bits (value in [0, 1<<28))
 * With PAGE_SHIFT == 12 on x86 the 64-bit case randomizes address
 * bits 12..39, and the low 12 bits are always zero.
 *
 * NOTE(review): the usable entropy is bounded by the quality of
 * get_random_int(), which is defined elsewhere - confirm against the
 * kernel version in use.
 */
static unsigned long mmap_rnd(void)
{
	unsigned int page_bits;

	/* ASLR disabled for this task: contribute no offset at all. */
	if (!(current->flags & PF_RANDOMIZE))
		return 0;

	/* Number of random bits, counted in pages, per ABI. */
	page_bits = mmap_is_ia32() ? 8 : 28;

	/* Reduce to page_bits bits, then convert the page count to bytes. */
	return (unsigned long)(get_random_int() % (1 << page_bits)) << PAGE_SHIFT;
}
/*
 * mmap_base - compute the top-down mmap base for @mm.
 *
 * The base is the task size minus a stack gap minus the random offset
 * from mmap_rnd(), rounded with PAGE_ALIGN(). The gap starts as the
 * RLIMIT_STACK soft limit and is clamped to [MIN_GAP, MAX_GAP].
 * Under CONFIG_PAX_SEGMEXEC, a task with MF_PAX_SEGMEXEC set uses
 * SEGMEXEC_TASK_SIZE instead of TASK_SIZE as the starting point.
 *
 * Because mmap_rnd() is subtracted here, the result inherits its
 * randomized bits (bits 12..39 for 64-bit tasks per the original
 * author's annotation).
 */
static unsigned long mmap_base(struct mm_struct *mm)
{
	unsigned long stack_gap = rlimit(RLIMIT_STACK);
	unsigned long task_limit = TASK_SIZE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		task_limit = SEGMEXEC_TASK_SIZE;
#endif

	/* Clamp the gap; the lower bound is tested first, as before. */
	stack_gap = (stack_gap < MIN_GAP) ? MIN_GAP
		  : (stack_gap > MAX_GAP) ? MAX_GAP
		  : stack_gap;

	return PAGE_ALIGN(task_limit - stack_gap - mmap_rnd());
}
/*
 * arch_pick_mmap_layout - choose the VM layout functions for @mm.
 *
 * Called very early during the creation of a new process VM image.
 * It computes both candidate bases, applies the PaX RANDMMAP deltas
 * when that flag is set on @mm, and then installs either the legacy
 * (bottom-up) or the top-down get_unmapped_area/unmap_area pair.
 *
 * Author's annotation (translated): mmap_base has bits 12..39 random,
 * delta_mmap and delta_stack each have bits 12..38 random, so the
 * combination may make bits 12..40 vary.
 * NOTE(review): the widths of delta_mmap/delta_stack are not visible
 * here - confirm where they are assigned. A wider span of varying bits
 * is also not the same as that many bits of entropy, since a sum of
 * random offsets is generally not uniformly distributed.
 */
void arch_pick_mmap_layout(struct mm_struct *mm)
{
	mm->mmap_legacy_base = mmap_legacy_base(mm);
	mm->mmap_base = mmap_base(mm);

#ifdef CONFIG_PAX_RANDMMAP
	if (mm->pax_flags & MF_PAX_RANDMMAP) {
		/* Legacy base moves up, top-down base moves down. */
		mm->mmap_legacy_base += mm->delta_mmap;
		mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
	}
#endif

	if (!mmap_is_legacy()) {
		/* Top-down layout: keep the base computed above. */
		mm->get_unmapped_area = arch_get_unmapped_area_topdown;
		mm->unmap_area = arch_unmap_area_topdown;
		return;
	}

	/* Legacy layout: allocations start from the legacy base. */
	mm->mmap_base = mm->mmap_legacy_base;
	mm->get_unmapped_area = arch_get_unmapped_area;
	mm->unmap_area = arch_unmap_area;
}