lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <C43F853F-6B54-42DF-AEF2-64B22DAB8A1D@gmail.com>
Date:   Fri, 23 Mar 2018 20:25:15 +0300
From:   Ilya Smith <blackzert@...il.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     rth@...ddle.net, ink@...assic.park.msu.ru, mattst88@...il.com,
        vgupta@...opsys.com, linux@...linux.org.uk, tony.luck@...el.com,
        fenghua.yu@...el.com, jhogan@...nel.org, ralf@...ux-mips.org,
        jejb@...isc-linux.org, Helge Deller <deller@....de>,
        benh@...nel.crashing.org, paulus@...ba.org, mpe@...erman.id.au,
        schwidefsky@...ibm.com, heiko.carstens@...ibm.com,
        ysato@...rs.sourceforge.jp, dalias@...c.org, davem@...emloft.net,
        tglx@...utronix.de, mingo@...hat.com, hpa@...or.com,
        x86@...nel.org, nyc@...omorphy.com, viro@...iv.linux.org.uk,
        arnd@...db.de, gregkh@...uxfoundation.org, deepa.kernel@...il.com,
        mhocko@...e.com, hughd@...gle.com, kstewart@...uxfoundation.org,
        pombredanne@...b.com, steve.capper@....com, punit.agrawal@....com,
        paul.burton@...s.com, aneesh.kumar@...ux.vnet.ibm.com,
        npiggin@...il.com, keescook@...omium.org, bhsharma@...hat.com,
        riel@...hat.com, nitin.m.gupta@...cle.com,
        kirill.shutemov@...ux.intel.com, dan.j.williams@...el.com,
        jack@...e.cz, ross.zwisler@...ux.intel.com, jglisse@...hat.com,
        willy@...radead.org, aarcange@...hat.com, oleg@...hat.com,
        linux-alpha@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-snps-arc@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org, linux-ia64@...r.kernel.org,
        linux-metag@...r.kernel.org, linux-mips@...ux-mips.org,
        linux-parisc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
        linux-s390@...r.kernel.org, linux-sh@...r.kernel.org,
        sparclinux@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [RFC PATCH v2 0/2] Randomization of address chosen by mmap.

Hello, Andrew

Thanks for reading this patch.

> On 22 Mar 2018, at 23:57, Andrew Morton <akpm@...ux-foundation.org> wrote:
> 
> On Thu, 22 Mar 2018 19:36:36 +0300 Ilya Smith <blackzert@...il.com> wrote:
> 
>> Current implementation doesn't randomize address returned by mmap.
>> All the entropy ends with choosing mmap_base_addr at the process
>> creation. After that mmap build very predictable layout of address
>> space. It allows to bypass ASLR in many cases.
> 
> Perhaps some more effort on the problem description would help.  *Are*
> people predicting layouts at present?  What problems does this cause? 
> How are they doing this and are there other approaches to solving the
> problem?
> 
Sorry, I’ve lost it in first version. In short - memory layout could be easily 
repaired by single leakage. Also any Out of Bounds error may easily be 
exploited according to current implementation. All because mmap choose address 
just before previously allocated segment. You can read more about it here: 
http://www.openwall.com/lists/oss-security/2018/02/27/5
Some test are available here https://github.com/blackzert/aslur. 
To solve the problem Kernel should randomize address on any mmap so
attacker could never easily gain needed addresses.

> Mainly: what value does this patchset have to our users?  This reader
> is unable to determine that from the information which you have
> provided.  Full details, please.

The value of this patch is to decrease successful rate of exploitation
vulnerable applications.These could be either remote or local vectors.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ