Message-ID: <6691E39C.8090600@gmail.com>
Date: Fri, 12 Jul 2024 21:17:00 -0500
From: Jacob Bachmeyer <jcb62281@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch

Steffen Nurpmeso wrote:
> [...]
>
> So if someone says "this was a source of
> denial-of-service attacks" then i need to wrap my head, and it is
> not as if an in-between-the-lines reference to MAP_DENYWRITE rings
> any bells except that i think the flag has been removed.

The manpage indicates that, long ago, a mapping with MAP_DENYWRITE would
effectively make the underlying file read-only, even to root, for as long
as the mapping exists.

> And then
> someone who seems to know uses it nonetheless in a small showcase
> program, likely trying to say even more in-between-the-lines.

That commit message seems to indicate that the program was using
SHM_HUGETLB when it should have been using MAP_HUGETLB; those constants
represent different bits, and passing SHM_HUGETLB to mmap(2) will be
interpreted as MAP_DENYWRITE, and therefore ignored.

Presumably, there is some other syscall (likely shmat(2)) that uses that
bit (represented under the constant SHM_HUGETLB) to request huge pages,
and the test program in question was supposed to get huge pages from
mmap(2) but was not actually asking for huge pages because it was using
the wrong constant.

In other words, MAP_DENYWRITE was not being intentionally used at all.
Another constant, for a different set of flags, that happens to have the
same value, was being used, causing a quiet bug. (The test program would
have still worked, but was not actually exercising huge pages as intended.)

-- Jacob
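The flag mix-up described in the message above can be checked directly rather than inferred from a commit message. The program below is an added illustration written for this page; it is not code from the list post, from the kernel, or from the test program being discussed. It assumes a Linux x86-64 system (the fallback constant values are the Linux x86 ones, used only if the headers lack them) and the `/proc/<pid>/smaps` text format, and the sample smaps text is constructed, not captured. It shows three things: that SHM_HUGETLB and MAP_DENYWRITE are the same bit while MAP_HUGETLB is a different one; a small audit helper that flags an mmap(2) flag word carrying that ambiguous bit; and a way to verify what page size the kernel actually backed a mapping with, by parsing the caller's own smaps instead of trusting the flag that was passed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/shm.h>

/* Linux x86 values, used only if the platform headers do not define them (assumption). */
#ifndef SHM_HUGETLB
#define SHM_HUGETLB 04000
#endif
#ifndef MAP_DENYWRITE
#define MAP_DENYWRITE 0x0800
#endif
#ifndef MAP_HUGETLB
#define MAP_HUGETLB 0x40000
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20
#endif

/* Audit helper: returns 1 when an mmap(2) flag word carries the MAP_DENYWRITE bit
   (numerically identical to SHM_HUGETLB) without MAP_HUGETLB. mmap ignores that bit,
   so the most likely explanation is the wrong-constant bug discussed in the thread. */
int looks_like_shm_hugetlb_misuse(int mmap_flags) {
    return (mmap_flags & MAP_DENYWRITE) != 0 && (mmap_flags & MAP_HUGETLB) == 0;
}

/* Parse /proc/<pid>/smaps text and return the KernelPageSize in kB of the mapping that
   contains addr, or -1 if no mapping contains it. Pure function over a buffer, so it can
   be exercised on a constructed sample without touching /proc. */
long kernel_page_size_kb(const char *smaps, uintptr_t addr) {
    const char *p = smaps;
    int in_range = 0;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long lo, hi;
        char perms[8];
        /* Mapping header lines look like "7f00...-7f00... rw-p 00000000 00:00 0". */
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) == 3)
            in_range = (addr >= lo && addr < hi);
        else if (in_range && strncmp(line, "KernelPageSize:", 15) == 0)
            return strtol(line + 15, NULL, 10);
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* Constructed smaps sample (not captured from a real system): one 2 MiB huge-page
   mapping followed by one ordinary 4 KiB page mapping. */
static const char SAMPLE_SMAPS[] =
    "7f0000000000-7f0000200000 rw-p 00000000 00:00 0\n"
    "Size:               2048 kB\n"
    "KernelPageSize:     2048 kB\n"
    "MMUPageSize:        2048 kB\n"
    "7f0000400000-7f0000401000 rw-p 00000000 00:00 0\n"
    "Size:                  4 kB\n"
    "KernelPageSize:        4 kB\n"
    "MMUPageSize:           4 kB\n";

/* Map len bytes anonymously with extra_flags, touch the first page, and report the page
   size the kernel actually used by reading this process's smaps. Returns -1 when mmap
   fails (with MAP_HUGETLB that is the usual ENOMEM when no huge pages are reserved). */
long probe_mapping(size_t len, int extra_flags) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | extra_flags, -1, 0);
    if (p == MAP_FAILED) return -1;
    ((volatile char *)p)[0] = 1;
    long result = -1;
    FILE *f = fopen("/proc/self/smaps", "r");
    if (f) {
        static char buf[1 << 20];  /* enough for a small demo process */
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        result = kernel_page_size_kb(buf, (uintptr_t)p);
    }
    munmap(p, len);
    return result;
}

int main(void) {
    size_t two_mb = 2UL << 20;
    printf("SHM_HUGETLB=0x%x MAP_DENYWRITE=0x%x MAP_HUGETLB=0x%x\n",
           SHM_HUGETLB, MAP_DENYWRITE, MAP_HUGETLB);
    printf("flag word with SHM_HUGETLB looks like misuse: %d\n",
           looks_like_shm_hugetlb_misuse(MAP_PRIVATE | MAP_ANONYMOUS | SHM_HUGETLB));
    long wrong = probe_mapping(two_mb, SHM_HUGETLB);
    printf("mmap with SHM_HUGETLB: %ld kB pages (succeeds quietly with base pages)\n", wrong);
    long right = probe_mapping(two_mb, MAP_HUGETLB);
    if (right < 0)
        printf("mmap with MAP_HUGETLB: failed (%s); no huge pages reserved\n", strerror(errno));
    else
        printf("mmap with MAP_HUGETLB: %ld kB pages\n", right);
    return 0;
}
```

The contrast in the two probes is the practical lesson: the correct flag fails loudly on a host with no huge pages reserved, while the mistaken constant succeeds silently and returns an ordinary 4 kB mapping, which is exactly how such a test keeps passing without exercising what it was written to exercise.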