lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 13 Jan 2021 13:24:04 +0200
From:   Topi Miettinen <>
Cc:     Jann Horn <>, Kees Cook <>,
        Matthew Wilcox <>,
        Mike Rapoport <>,
        Linux API <>
Subject: Re: [PATCH v9] mm: Optional full ASLR for mmap(), mremap(), vdso,
 stack and heap

On 4.1.2021 17.53, Topi Miettinen wrote:
> Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
> enables full randomization of memory mappings. With 2, the base of the
> VMA used for such mappings is random, but the mappings are created in
> predictable places within the VMA and in sequential order. With 3, new
> VMAs are created to fully randomize the mappings.
> Mappings created with mmap(NULL, ...) are randomized and mremap(...,
> MREMAP_MAYMOVE) will move the mappings even if not necessary. The
> locations of heap (memory allocated with brk()), stack and vdso are
> also randomized.

It seems that always moving the mappings in mremap() can expose bugs 
where the callers don't actually expect the mappings to move, even 
though MREMAP_MAYMOVE is specified (Debian libapt-pkg6.0):

Perhaps this part should be a separate option to avoid tripping such 
bugs when compatibility is more important than improved ASLR and 
debugging. The option could be also used without randomize_va_space==3. 
How about something like sysctl.kernel.mremap_always_move, 
sysctl.vm.mremap_always_move or CONFIG_MREMAP_ALWAYS_MOVE?


Powered by blists - more mailing lists