Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch

[Will Dormann <will.dormann () analygence com>]

On 7/8/24 12:37 PM, Will Dormann wrote:
>   - Modern (e.g. 6.x kernel) x86 platforms load a large-enough libc at 
> the same address every time. (i.e. no practical ASLR -- "ASLRn't")
>   -  Modern (e.g. 6.x kernel and large-enough libc) x86_64 platforms 
> running 32-bit code will load a large-enough library at the same address 
> every time.
>   - Modern x86_64 systems with the CVE-2024-26621 patch will randomize 
> the load address of large libraries loaded by 32-bit apps.
>   - Modern x86 systems with the CVE-2024-26621 patch will NOT ranzomize 
> the load address of large libraries.  (i.e. is still vulnerable to 
> "ASLRn't" despite the patch)
>   - Older Linux (5.x and earlier) randomize loaded libraries as expected.


And just to clarify on my use of terminology in the list above:

When I say "x86" {systems,platforms}, I mean a 32-bit Linux distribution 
with an i386/i686 kernel and associated userland binaries.  This may be 
virtualized on a x86_64 CPU, or emulated (in my case) on a 32-bit x86 CPU.

When I say "x86_64" {systems,platforms}, I'm referring to a common 
x86_64 64-bit Linux distro.  And on such a distro, you can run 32-bit 
code if you like.  In my case, I compiled test-mmap.c as a 32-bit app by 
installing gcc-multilib and compiling with gcc -m32.


IOW, "x86" as I use it is 32-bit Linux.  "x86_64" is 64-bit Linux.




-WD