oss-sec mailing list archives

Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch


From: Florian Weimer <fweimer () redhat com>
Date: Mon, 08 Jul 2024 19:28:02 +0200

* Will Dormann:

 - Modern (e.g. 6.x kernel) x86 platforms load a large-enough libc at
   the same address every time. (i.e. no practical ASLR -- "ASLRn't")

Please note that current glibc is not large enough to benefit from 2 MiB
hugepages because all load segments are smaller than 2 MiB, so it's just
not possible to use hugepages for libc.so.6.  This is with the default
-z separate-code in current binutils.  Even with -z noseparate-code, the
large readable-executable load segment is still a bit less than 2 MiB.
Unfortunately the kernel does not know this when we reserve the address
space for the entirety of libc.so.6.

The kernel should not apply hugepage optimizations to mappings created
with MAP_DENYWRITE.

Thanks,
Florian


Current thread: