oss-sec mailing list archives
Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Fri, 12 Jul 2024 21:17:00 -0500
Steffen Nurpmeso wrote:
[...] So if someone says "this was a source of denial-of-service attacks" then I need to wrap my head, and it is not as if an in-between-the-lines reference to MAP_DENYWRITE rings any bells except that I think the flag has been removed.
The manpage indicates that, long ago, a mapping with MAP_DENYWRITE would effectively make the underlying file read-only, even to root, for as long as the mapping exists.
And then someone who seems to know uses it nonetheless in a small showcase program, likely trying to say even more in-between-the-lines.
That commit message seems to indicate that the program was using SHM_HUGETLB when it should have been using MAP_HUGETLB; those constants represent different bits, and passing SHM_HUGETLB to mmap(2) will be interpreted as MAP_DENYWRITE, and therefore ignored. Presumably, there is some other syscall (likely shmat(2)) that uses that bit (represented under the constant SHM_HUGETLB) to request huge pages, and the test program in question was supposed to get huge pages from mmap(2) but was not actually asking for huge pages because it was using the wrong constant.
In other words, MAP_DENYWRITE was not being intentionally used at all. Another constant, for a different set of flags, that happens to have the same value, was being used, causing a quiet bug. (The test program would have still worked, but was not actually exercising huge pages as intended.)
-- Jacob
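As an added illustration of the mix-up described above (not code from the thread or from the kernel test program in question), this program confirms the constant aliasing, checks the flag word against MAP_HUGETLB before the call, and then asks /proc/self/smaps what page size actually backs the mapping, which is the check that would have caught the silent substitution:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <sys/shm.h>

/* SHM_HUGETLB is an shmget(2) flag; handed to mmap(2) the same bit reads as
 * MAP_DENYWRITE, which the kernel ignores, so the mistake never errors out. */
int shm_hugetlb_aliases_denywrite(void) { return SHM_HUGETLB == MAP_DENYWRITE && SHM_HUGETLB != MAP_HUGETLB; }
/* The check the test program's flag word should have passed before calling mmap. */
int mmap_flags_request_hugetlb(int flags) { return (flags & MAP_HUGETLB) == MAP_HUGETLB; }

/* Runtime check: find the VMA holding addr in /proc/self/smaps and return its
 * KernelPageSize in kB. hugetlb mappings report the huge page size (e.g. 2048);
 * plain anonymous memory reports the base page size even with THP. -1 = no smaps. */
long mapping_kernel_page_size_kb(const void *addr)
{
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f) return -1;
    char line[512]; long kb = -1; int inside = 0;
    unsigned long lo, hi, a = (unsigned long)addr;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx ", &lo, &hi) == 2) { /* VMA header line */
            inside = (a >= lo && a < hi);
            continue;
        }
        if (inside && sscanf(line, "KernelPageSize: %ld kB", &kb) == 1) break;
    }
    fclose(f);
    return kb;
}

/* Map len bytes anonymously with extra flags and report the backing page size;
 * 0 means mmap failed (MAP_HUGETLB with no reserved huge pages gives ENOMEM). */
long probe_mapping_page_size_kb(int extra_flags, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | extra_flags, -1, 0);
    if (p == MAP_FAILED) return 0;
    long kb = mapping_kernel_page_size_kb(p);
    munmap(p, len);
    return kb;
}

int main(void)
{
    printf("SHM_HUGETLB as mmap flag: %ld kB pages\n", probe_mapping_page_size_kb(SHM_HUGETLB, 2u << 20));
    printf("MAP_HUGETLB: %ld kB pages (0 = mmap failed)\n", probe_mapping_page_size_kb(MAP_HUGETLB, 2u << 20));
    return 0;
}
```

On a machine with no huge pages reserved the MAP_HUGETLB probe returns 0 because mmap fails with ENOMEM, which is the loud failure the wrong constant never produces.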