lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <69fa6015256613ed10aee996e181ebd4@horotw.com>
Date: Mon, 15 Jan 2024 14:25:24 +0100
From: mail@...otw.com
To: linux-hardening@...r.kernel.org
Subject: Limited/Broken functionality of ASLR for Libs >= 2MB

Hey, I read that ASLR is currently (since kernel >=5.18) broken for 
32bit libs and reduced in effectiveness for 64bit libs... (the issue 
only arises if a lib is over 2MB).
I confirmed this for myself but only for the 64bit case.

I saw that this issue is being tracked by ubuntu 
(https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357).
If this is the wrong place and I should instead report it elsewhere I am 
very sorry.

Sources:
https://zolutal.github.io/aslrnt/  # the page of the original discoverer 
of the bug - as far as I know
https://infosec.exchange/@wdormann/111744168574317113

How I checked that this issue is present (I used bat because it includes 
libcrypto which is a lot bigger than 2MB and not on the edge of 2MB like 
libc):
```python
from subprocess import check_output

def check_bit_usage(cmd):
     res = 0x0
     for _ in range(0, 1000):
         out = check_output(cmd, shell=True).decode()
         base_address = int(out.split("-")[0], 16)
         res |= base_address
     return hex(res)

result = check_bit_usage("cat /proc/self/maps | grep ld-linux | head 
-n1")
print(f"Result for ld-linux (smaller than 2MB): {result}")

result = check_bit_usage("bat /proc/self/maps | grep libcrypto | head 
-n1")
print(f"Result for libcrypto (bigger than 2MB): {result}")
```

Output:
```
Result for ld-linux (smaller than 2MB): 0x7ffffffff000
Result for libcrypto (bigger than 2MB): 0x7fffffe00000
```

This is my first time reporting an issue to the kernel so if anything is 
inappropriate please let me know.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ