lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87r5wc4fdk.fsf@basil.nowhere.org>
Date:	Sun, 19 Jul 2009 21:55:19 +0200
From:	Andi Kleen <andi@...stfloor.org>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Athanasius <link@...gy.org>, Julien TINNES <jt@....org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>,
	Tavis Ormandy <taviso@....lonestar.org>,
	Christoph Hellwig <hch@...radead.org>,
	Kees Cook <kees@...ntu.com>, Eugene Teo <eugene@...hat.com>
Subject: Re: [link@...gy.org: Re: [patch 2/8] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)]

Linus Torvalds <torvalds@...ux-foundation.org> writes:
>
> Other binaries are unhappy with address space randomization because they 
> need to get the absolute maximum contiguous VM space for some big array. 
> Ok, so that's less of an issue in 64-bit mode, but there really are 
> programs out there that link everything statically and want to run at a 
> low virtual address so that they can get 2.5GB of virtual memory for one 
> single big allocation. I've written crap like that myself. I'm not _proud_ 
> of it, but I could easily see that programs like that could be unhappy if 
> the system wiggles mmap's around for security issues.

Another common reason for not supporting randomized mappings is
when the program loads a "core file" that has pointers to data
on each boot, as a faster way to initialize data structures. 
That's common with LISP like languages for example, but even
e.g. gcc's pre compiled headers implementation works like this.

> Because compatibility is always of paramount importance.

If you want to give it a security angle: not supporting 
an old application anymore is a very severe DoS attack
for people using it.

-Andi
-- 
ak@...ux.intel.com -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ