[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <69fa6015256613ed10aee996e181ebd4@horotw.com>
Date: Mon, 15 Jan 2024 14:25:24 +0100
From: mail@...otw.com
To: linux-hardening@...r.kernel.org
Subject: Limited/Broken functionality of ASLR for Libs >= 2MB
Hey, I read that ASLR is currently (since kernel >=5.18) broken for
32bit libs and reduced in effectiveness for 64bit libs... (the issue
only arises if a lib is over 2MB).
I confirmed this for myself but only for the 64bit case.
I saw that this issue is being tracked by ubuntu
(https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357).
If this is the wrong place and I should instead report it elsewhere I am
very sorry.
Sources:
https://zolutal.github.io/aslrnt/ # the page of the original discoverer
of the bug - as far as I know
https://infosec.exchange/@wdormann/111744168574317113
How I checked that this issue is present (I used bat because it includes
libcrypto which is a lot bigger than 2MB and not on the edge of 2MB like
libc):
```python
from subprocess import check_output
def check_bit_usage(cmd):
res = 0x0
for _ in range(0, 1000):
out = check_output(cmd, shell=True).decode()
base_address = int(out.split("-")[0], 16)
res |= base_address
return hex(res)
result = check_bit_usage("cat /proc/self/maps | grep ld-linux | head
-n1")
print(f"Result for ld-linux (smaller than 2MB): {result}")
result = check_bit_usage("bat /proc/self/maps | grep libcrypto | head
-n1")
print(f"Result for libcrypto (bigger than 2MB): {result}")
```
Output:
```
Result for ld-linux (smaller than 2MB): 0x7ffffffff000
Result for libcrypto (bigger than 2MB): 0x7fffffe00000
```
This is my first time reporting an issue to the kernel so if anything is
inappropriate please let me know.
Powered by blists - more mailing lists