From: Sam James <sam@gentoo.org>
To: mail@horotw.com
Cc: linux-hardening@vger.kernel.org, Jakub Wilk <jwilk@jwilk.net>,
	Salvatore Bonaccorso <carnil@debian.org>,
	Linux Memory Management List <linux-mm@kvack.org>,
	William Kucharski <william.kucharski@oracle.com>,
	Matthew Wilcox (Oracle) <willy@infradead.org>
Subject: Re: Limited/Broken functionality of ASLR for Libs >= 2MB
Date: Mon, 15 Jan 2024 16:40:36 +0000	[thread overview]
Message-ID: <87il3ur1ik.fsf@gentoo.org> (raw)
In-Reply-To: <69fa6015256613ed10aee996e181ebd4@horotw.com>


mail@horotw.com writes:

> Hey, I read that ASLR is currently (since kernel >=5.18) broken for
> 32-bit libs and reduced in effectiveness for 64-bit libs... (the issue
> only arises if a lib is over 2MB).
> I confirmed this for myself but only for the 64-bit case.
>
> I saw that this issue is being tracked by Ubuntu
> (https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357).
> If this is the wrong place and I should instead report it elsewhere I
> am very sorry.

See also https://bugs.debian.org/1024149. Unfortunately, I don't
think the issue found its way upstream until now (thanks).

CCing relevant maintainers (per the Debian bug).

>
> Sources:
> https://zolutal.github.io/aslrnt/  # the page of the original
> discoverer of the bug - as far as I know
> https://infosec.exchange/@wdormann/111744168574317113
>
> How I checked that this issue is present (I used bat because it
> includes libcrypto which is a lot bigger than 2MB and not on the edge
> of 2MB like libc):
> ```python
> from subprocess import check_output
>
> def check_bit_usage(cmd):
>     # OR the mapping base over many runs: bits that stay 0 are never randomised
>     res = 0x0
>     for _ in range(0, 1000):
>         out = check_output(cmd, shell=True).decode()
>         base_address = int(out.split("-")[0], 16)
>         res |= base_address
>     return hex(res)
>
> result = check_bit_usage("cat /proc/self/maps | grep ld-linux | head -n1")
> print(f"Result for ld-linux (smaller than 2MB): {result}")
>
> result = check_bit_usage("bat /proc/self/maps | grep libcrypto | head -n1")
> print(f"Result for libcrypto (bigger than 2MB): {result}")
> ```
>
> Output:
> ```
> Result for ld-linux (smaller than 2MB): 0x7ffffffff000
> Result for libcrypto (bigger than 2MB): 0x7fffffe00000
> ```
>
> This is my first time reporting an issue to the kernel so if anything
> is inappropriate please let me know.


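A reusable, offline version of the check quoted above, added here as an example and not part of the thread (the helper names and the constructed maps line are mine): it parses a /proc/<pid>/maps line, measures the guaranteed alignment and the number of randomised bits from sampled base addresses, and ANDs as well as ORs the samples so that bits stuck at 1 (the fixed high bits of the mmap region) are not counted as entropy the way an OR-only test would.

```python
import random
from typing import Iterable

def parse_maps_base(line: str, needle: str):
    """Start address of a /proc/<pid>/maps line whose path contains `needle`, else None."""
    fields = line.split(None, 5)          # range perms offset dev inode [path]
    if len(fields) < 6 or needle not in fields[5]:
        return None
    return int(fields[0].split("-")[0], 16)

def random_bit_mask(bases: Iterable[int]) -> int:
    """Bits that vary across the samples: neither stuck at 0 nor stuck at 1.
    OR alone (as in the report) only finds stuck-at-0 bits; the AND catches
    stuck-at-1 bits, which carry no entropy either."""
    or_acc, and_acc = 0, ~0
    for b in bases:
        or_acc |= b
        and_acc &= b
    return or_acc & ~and_acc

def entropy_bits(bases: Iterable[int]) -> int:
    """Number of address bits ASLR actually randomises in the samples."""
    return bin(random_bit_mask(list(bases))).count("1")

def alignment_bits(bases: Iterable[int]) -> int:
    """log2 of the guaranteed alignment: low bits that are zero in every sample."""
    or_acc = 0
    for b in bases:
        or_acc |= b
    return (or_acc & -or_acc).bit_length() - 1 if or_acc else 0

# Constructed sample (not a real capture): simulate 1000 loads with 28 random bits of
# mmap base, once page (4 KiB) aligned and once rounded down to 2 MiB as in the
# report's libcrypto case.
REGION = 0x7f0000000000          # fixed high bits, like the 0x7f... addresses in the report
PAGE, TWO_MB = 1 << 12, 1 << 21

def simulate_bases(align: int, n: int = 1000, seed: int = 0) -> list:
    rng = random.Random(seed)
    return [REGION + ((rng.getrandbits(28) << 12) & ~(align - 1)) for _ in range(n)]

if __name__ == "__main__":
    for name, align in (("4 KiB aligned", PAGE), ("2 MiB aligned", TWO_MB)):
        bases = simulate_bases(align)
        print(f"{name}: alignment 2^{alignment_bits(bases)}, {entropy_bits(bases)} random bits")
```

Applied to the two OR results in the report, `alignment_bits` gives 12 for ld-linux and 21 for libcrypto, i.e. 9 bits of randomisation lost to the 2 MiB alignment.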