本文阐述了 经典的虚拟内存布局 和 易变虚拟内存布局;
-------Gustavo Duarte 他的blog很好看
上图,有图一切都明白了。
flexible memory layout:
classic memory layout:
易变虚拟内存布局就是在各个虚拟内存区中引用随机的偏移量。从而使Hacker很难猜测出函数库,映射文件等等的位置。从而一定程度上使程序得到保护,但是32位系统用户空间的狭小,削弱了这种效果。
我们也可以从这个patch的原作者的mail中得到一些有用的信息:
the goal of the patch is to change the way virtual memory is allocated,
from:
//传统虚拟内存布局
0x08000000 ... binary image
0x08xxxxxx ... brk area, grows upwards
0x40000000 ... start of mmap, new mmaps go after old ones//从1G开始 向上增长,这导致了一个问题,无法完全利用虚拟内存空间。
0xbfxxxxxx ... stack
to a more flexible top-down mmap() method:
//易变虚拟内存布局
0x08000000 ... binary image
0x08xxxxxx ... brk area, grows upwards
0xbfxxxxxx ... _end_ of all mmaps, new mmaps go below old ones//从stack+random offset开始 向下增长,可以用满虚拟内存空间
0xbfyyyyyy ... stack
the new layout has a couple of advantages:
- primarily this layout enables both malloc(), mmap()/shmat() users to
utilize the full address space: 3GB on stock x86, 4GB on x86 4:4 or
x86-64 running x86 apps.
- the new layout is also in essence 'self-tuning' the mmap() and
malloc() limits: no hacks like /proc/PID/mmap_base are needed - both
malloc() and mmap() can grow until all the address space is full.
With the old layout, malloc() space was limited to 900MB, mmap() space
to ~2GB.
- The new layout also allows very large continuous mmap()s because the
'free space' is always a continuous hole (statistically).
- there's also a ~4K pagetable saved per typical process, because we
dont allocate at 1GB anymore and dont fragment the VM that much -
there are only 2 main chunks, the binary image + brk(), and the mmap()
area + stack.
以上为flexible memroy layout 输出结果。可以与上图对比着看一下
内核的/proc文件系统也提供了相应的控制接口,来确定使用哪种虚拟内存布局
from:
//传统虚拟内存布局
0x08000000 ... binary image
0x08xxxxxx ... brk area, grows upwards
0x40000000 ... start of mmap, new mmaps go after old ones//从1G开始 向上增长,这导致了一个问题,无法完全利用虚拟内存空间。
0xbfxxxxxx ... stack
to a more flexible top-down mmap() method:
//易变虚拟内存布局
0x08000000 ... binary image
0x08xxxxxx ... brk area, grows upwards
0xbfxxxxxx ... _end_ of all mmaps, new mmaps go below old ones//从stack+random offset开始 向下增长,可以用满虚拟内存空间
0xbfyyyyyy ... stack
the new layout has a couple of advantages:
- primarily this layout enables both malloc(), mmap()/shmat() users to
utilize the full address space: 3GB on stock x86, 4GB on x86 4:4 or
x86-64 running x86 apps.
- the new layout is also in essence 'self-tuning' the mmap() and
malloc() limits: no hacks like /proc/PID/mmap_base are needed - both
malloc() and mmap() can grow until all the address space is full.
With the old layout, malloc() space was limited to 900MB, mmap() space
to ~2GB.
- The new layout also allows very large continuous mmap()s because the
'free space' is always a continuous hole (statistically).
- there's also a ~4K pagetable saved per typical process, because we
dont allocate at 1GB anymore and dont fragment the VM that much -
there are only 2 main chunks, the binary image + brk(), and the mmap()
area + stack.
- [root@localhost study]# pmap -x 1
- 1: init [3]
- Address Kbytes RSS Dirty Mode Mapping
- 002e7000 4 4 0 r-x-- [ anon ]
- 00469000 104 84 0 r-x-- ld-2.5.so
- 00483000 4 4 4 r-x-- ld-2.5.so
- 00484000 4 4 4 rwx-- ld-2.5.so
- 00487000 1276 356 0 r-x-- libc-2.5.so
- 005c6000 4 0 0 --x-- libc-2.5.so
- 005c7000 8 8 4 r-x-- libc-2.5.so
- 005c9000 4 4 4 rwx-- libc-2.5.so
- 005ca000 12 12 12 rwx-- [ anon ]
- 005f8000 8 8 0 r-x-- libdl-2.5.so
- 005fa000 4 4 4 r-x-- libdl-2.5.so
- 005fb000 4 4 4 rwx-- libdl-2.5.so
- 00638000 88 40 0 r-x-- libselinux.so.1
- 0064e000 8 8 8 rwx-- libselinux.so.1
- 00652000 236 16 0 r-x-- libsepol.so.1
- 0068d000 4 4 4 rwx-- libsepol.so.1
- 0068e000 40 0 0 rwx-- [ anon ]
- 08048000 32 32 0 r-x-- init
- 08050000 4 4 4 rw--- init
- 098db000 132 16 16 rw--- [ anon ]
- b7f32000 8 8 8 rw--- [ anon ]
- bfc07000 84 16 16 rw--- [ stack ]
- -------- ------- ------- ------- -------
- total kB 2072 - - -
- [root@localhost study]# cat /proc/1/maps
- 002e7000-002e8000 r-xp 002e7000 00:00 0 [vdso]
- 00469000-00483000 r-xp 00000000 08:03 1182164 /lib/ld-2.5.so
- 00483000-00484000 r-xp 00019000 08:03 1182164 /lib/ld-2.5.so
- 00484000-00485000 rwxp 0001a000 08:03 1182164 /lib/ld-2.5.so
- 00487000-005c6000 r-xp 00000000 08:03 1182165 /lib/libc-2.5.so
- 005c6000-005c7000 --xp 0013f000 08:03 1182165 /lib/libc-2.5.so
- 005c7000-005c9000 r-xp 0013f000 08:03 1182165 /lib/libc-2.5.so
- 005c9000-005ca000 rwxp 00141000 08:03 1182165 /lib/libc-2.5.so
- 005ca000-005cd000 rwxp 005ca000 00:00 0
- 005f8000-005fa000 r-xp 00000000 08:03 1182169 /lib/libdl-2.5.so
- 005fa000-005fb000 r-xp 00001000 08:03 1182169 /lib/libdl-2.5.so
- 005fb000-005fc000 rwxp 00002000 08:03 1182169 /lib/libdl-2.5.so
- 00638000-0064e000 r-xp 00000000 08:03 1182183 /lib/libselinux.so.1
- 0064e000-00650000 rwxp 00015000 08:03 1182183 /lib/libselinux.so.1
- 00652000-0068d000 r-xp 00000000 08:03 1182182 /lib/libsepol.so.1
- 0068d000-0068e000 rwxp 0003b000 08:03 1182182 /lib/libsepol.so.1
- 0068e000-00698000 rwxp 0068e000 00:00 0
- 08048000-08050000 r-xp 00000000 08:03 884969 /sbin/init
- 08050000-08051000 rw-p 00008000 08:03 884969 /sbin/init
- 098db000-098fc000 rw-p 098db000 00:00 0 [heap]
- b7f32000-b7f34000 rw-p b7f32000 00:00 0
- bfc07000-bfc1c000 rw-p bffea000 00:00 0 [stack]
内核的/proc文件系统也提供了相应的控制接口,来确定使用哪种虚拟内存布局
echo 1 > /proc/sys/vm/legacy_va_layout
1 使用传统虚拟内存布局
0 使用易变虚拟内存布局
扫一扫
77
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
