From: Bingwu Zhang <xtex@astrafall.org>

Increase mmap randomization bits on 64-bit from [12,18] to [18,20] for
better strength.

The original default, 12, means that ASLR offset has only (1 << 12) =
4096 possibilities. On average, it can be brute-forced in 2048 attempts.
If a service is configured to restart automatically or can be started
easily (e.g. execve a suid program), then trying for 4k times can be
done in one day even when each attempt takes 20s.
Increasing it to 18 makes brute-force much more difficult and leaves
more time for operators to find out attacks.

On 64-bit platforms, virtual address space is cheap, so the
randomization bits can be increased safely without disturbing userland.

In 1091458d09e1 ("MIPS: Randomize mmap if randomize_va_space is set")
where mmap randomization was first introduced to MIPS, the randomization
range was 256 MiB, equivalent to 16 randomization bits (if 4K page size).
In 109c32ffd89d ("MIPS: Add support for ARCH_MMAP_RND_{COMPAT_}BITS")
where MIPS begin to use ARCH_MMAP_RND_BITS, commit message claimed:
> The minimum(default) for 64bit is 12bits, again with 4k
> pagesize this is the same as the current 256MB.
which is incorrect. (1 << 12) * page_size is 256 MiB only when page size
is 64 KiB, so the strength of mmap randomization was reduced by 4b.

Fixes: 109c32ffd89d ("MIPS: Add support for ARCH_MMAP_RND_{COMPAT_}BITS")
Signed-off-by: Bingwu Zhang <xtex@astrafall.org>
---
 arch/mips/Kconfig | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index e48b62b4dc48..c630dab44419 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -3063,11 +3063,11 @@ config MMU
 	default y
 
 config ARCH_MMAP_RND_BITS_MIN
-	default 12 if 64BIT
-	default 8
-
-config ARCH_MMAP_RND_BITS_MAX
 	default 18 if 64BIT
+	default 8
+
+config ARCH_MMAP_RND_BITS_MAX
+	default 20 if 64BIT
 	default 15
 
 config ARCH_MMAP_RND_COMPAT_BITS_MIN

base-commit: be762d8b6dd7efacb61937d20f8475db8f207655
-- 
2.52.0

On Sun, Mar 29, 2026 at 06:57:39AM +0800, Bingwu Zhang wrote:
> From: Bingwu Zhang <xtex@astrafall.org>
> 
> Increase mmap randomization bits on 64-bit from [12,18] to [18,20] for
> better strength.
> 
> The original default, 12, means that ASLR offset has only (1 << 12) =
> 4096 possibilities. On average, it can be brute-forced in 2048 attempts.
> If a service is configured to restart automatically or can be started
> easily (e.g. execve a suid program), then trying for 4k times can be
> done in one day even when each attempt takes 20s.
> Increasing it to 18 makes brute-force much more difficult and leaves
> more time for operators to find out attacks.
> 
> On 64-bit platforms, virtual address space is cheap, so the
> randomization bits can be increased safely without disturbing userland.
> 
> In 1091458d09e1 ("MIPS: Randomize mmap if randomize_va_space is set")
> where mmap randomization was first introduced to MIPS, the randomization
> range was 256 MiB, equivalent to 16 randomization bits (if 4K page size).
> In 109c32ffd89d ("MIPS: Add support for ARCH_MMAP_RND_{COMPAT_}BITS")
> where MIPS begin to use ARCH_MMAP_RND_BITS, commit message claimed:
> > The minimum(default) for 64bit is 12bits, again with 4k
> > pagesize this is the same as the current 256MB.
> which is incorrect. (1 << 12) * page_size is 256 MiB only when page size
> is 64 KiB, so the strength of mmap randomization was reduced by 4b.
> 
> Fixes: 109c32ffd89d ("MIPS: Add support for ARCH_MMAP_RND_{COMPAT_}BITS")
> Signed-off-by: Bingwu Zhang <xtex@astrafall.org>

I defer to MIPS maintainers, but yeah, let's turn it up if possible.

Reviewed-by: Kees Cook <kees@kernel.org>

-- 
Kees Cook