| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Jan 2024 16:52:50 +0000 From: Matthew Wilcox <willy@...radead.org> To: Sam James <sam@...too.org> Cc: mail@...otw.com, linux-hardening@...r.kernel.org, Jakub Wilk <jwilk@...lk.net>, Salvatore Bonaccorso <carnil@...ian.org>, Linux Memory Management List <linux-mm@...ck.org>, William Kucharski <william.kucharski@...cle.com> Subject: Re: Limited/Broken functionality of ASLR for Libs >= 2MB On Mon, Jan 15, 2024 at 04:40:36PM +0000, Sam James wrote: > mail@...otw.com writes: > > Hey, I read that ASLR is currently (since kernel >=5.18) broken for > > 32bit libs and reduced in effectiveness for 64bit libs... (the issue > > only arises if a lib is over 2MB). > > I confirmed this for myself but only for the 64bit case. > > > > I saw that this issue is being tracked by ubuntu > > (https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357). > > If this is the wrong place and I should instead report it elsewhere I > > am very sorry. > > See also https://bugs.debian.org/1024149. Unfortunately, I don't > think the issue found its way upstream until now (thanks). > > CCing relevant maintainers (per the Debian bug). You know, my email address is all over that commit and the doofus who "discovered the vulnerability" didn't even have the courtesy to let me know. I've had several private emails about this over the last few days and I just don't care. Who's running 32-bit code and cares about security? 32-bit kernels are known-vulnerable to all kinds of security problems, and I think this is the least of your worries. This was intended to happen, it's not a surprise.
Powered by blists - more mailing lists