Date: Mon, 08 Jul 2024 19:28:02 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Will Dormann <will.dormann@...lygence.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch

* Will Dormann:

>  - Modern (e.g. 6.x kernel) x86 platforms load a large-enough libc at
>    the same address every time. (i.e. no practical ASLR -- "ASLRn't")

Please note that current glibc is not large enough to benefit from 2 MiB
hugepages because all load segments are smaller than 2 MiB, so it's just
not possible to use hugepages for libc.so.6.  This is with the default
-z separate-code in current binutils.  Even with -z noseparate-code, the
large readable-executable load segment is still a bit less than 2 MiB.
Unfortunately the kernel does not know this when we reserve the address
space for the entirety of libc.so.6.

The kernel should not apply hugepage optimizations to mappings created
with MAP_DENYWRITE.

Thanks,
Florian
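As an added example (not code from this thread or from glibc), a small ELF64 program-header reader that lists the PT_LOAD segments of a shared object and flags any segment of at least 2 MiB, the property Florian says current libc.so.6 lacks. The default path /lib64/libc.so.6 and the constructed segment layouts used by fake_elf() are assumptions; the parser reads only the fields it needs from a little-endian ELF64 image.

```python
"""Report PT_LOAD segment sizes of an ELF64 shared object and flag segments
large enough for a 2 MiB hugepage.  Example code added to this archive page."""
import struct
import sys

HUGEPAGE = 2 * 1024 * 1024  # PMD-sized transparent hugepage on x86-64
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def load_segments(data):
    """Return (p_flags, p_memsz, p_align) for every PT_LOAD in an LE ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segs = []
    for i in range(e_phnum):
        hdr = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_flags, _off, _vaddr, _paddr, _filesz, p_memsz, p_align = hdr
        if p_type == PT_LOAD:
            segs.append((p_flags, p_memsz, p_align))
    return segs


def hugepage_candidates(segs, page=HUGEPAGE):
    """PT_LOAD segments whose in-memory size is at least one hugepage."""
    return [s for s in segs if s[1] >= page]


def fake_elf(segments):
    """Constructed ELF64 image (header + PT_LOAD phdrs only) for offline testing.
    `segments` is a list of (p_flags, p_memsz); sizes are assumed, not measured."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"          # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<Q", ehdr, 0x20, 64)     # e_phoff: phdrs follow the header
    struct.pack_into("<HH", ehdr, 0x36, 56, len(segments))  # e_phentsize, e_phnum
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, f, 0, 0, 0, m, m, 0x1000)
                     for f, m in segments)
    return bytes(ehdr) + phdrs


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/lib64/libc.so.6"  # assumed path
    with open(path, "rb") as fh:
        segs = load_segments(fh.read())
    for flags, memsz, align in segs:
        perm = "".join(c if flags & b else "-" for c, b in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
        print(f"PT_LOAD {perm} memsz={memsz:#x} align={align:#x}")
    print("segments of at least 2 MiB:", len(hugepage_candidates(segs)))
```

Run it against a real libc.so.6 to see whether any single load segment reaches the 2 MiB threshold the message discusses; the reservation the kernel aligns covers the whole object regardless.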
