Okay, the reason this test (and bug 1717856) fail sporadically is that ASLR in precise for i386 has a very low number of random values for vdso and shared library offsets, when ulimits are set such that unlimited stack sizes are allowed:
ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ uname -a
Linux sec-precise-i386 3.2.0-142-generic #189-Ubuntu SMP Fri Jul 5 18:40:43 UTC 2019 i686 i686 i386 GNU/Linux
ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s
unlimited
ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c
1273 0x40000000
8662 0x40022000
65 0x40026000
Yes, all of 3 values, and 86% of the invocations result in one value. The shared library base values are slightly better, but not much:
ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report libs ; done | sort | uniq -c
499 0x40003d80
285 0x40016d80
566 0x40025d80
7608 0x40038d80
295 0x4003cd80
250 0x4003dd80
167 0x4003ed80
153 0x4003fd80
177 0x40040d80
Compare this with the 3.13 results:
ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ uname -a
Linux sec-trusty-i386 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:41:17 UTC 2019 i686 i686 i686 GNU/Linux
ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s
unlimited
ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c | wc -l
256
(output is piped into wc -l, because there are 256 distinct results.) So 8 bits of randomisation, which is not great, but better than >2.
The tests were added in response to http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html and fixes were applied for the 3.2.0-104.145 kernel.
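The same "run it N times | sort | uniq -c" measurement, as an added example that is not code from the bug report or from the QRT test suite: it needs only /proc on Linux, reads the region's start address from a freshly exec'd process each run, and reports the distinct-value count, the hit count of the most common value, and the lower bound on entropy bits that the distinct count implies. The region argument is a plain substring of a /proc/self/maps line (e.g. "[vdso]", "[stack]", "libc"); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): sample a mapping's start address
# across many fresh processes to check how much ASLR is really randomising.
# Each 'cat /proc/self/maps' is a newly exec'd process, so with ASLR enabled
# its layout is re-randomised on every run. Assumes Linux with /proc.

# Print the start address of the first mapping whose maps line contains the
# substring $1 in a new process, or "none" if the region (or /proc) is absent.
map_addr() {
    cat /proc/self/maps 2>/dev/null | awk -v pat="$1" '
        index($0, pat) > 0 { split($1, a, "-"); print a[1]; found = 1; exit }
        END { if (!found) print "none" }'
}

# Sample a region N times (default 1000); print
# "<distinct values> <hits of the most common value>".
# A small first number, or a second number close to N, is exactly the bias the
# report shows (3 vdso values, 86% of runs landing on one of them).
aslr_sample() {
    region="$1"; n="${2:-1000}"; i=0
    while [ "$i" -lt "$n" ]; do
        map_addr "$region"
        i=$((i + 1))
    done | sort | uniq -c | sort -rn |
        awk 'NR == 1 { top = $1 } { d++ } END { print d + 0, top + 0 }'
}

# Lower bound on entropy in bits implied by a distinct-value count:
# floor(log2(distinct)), e.g. 256 -> 8, 3 -> 1, 1 -> 0.
entropy_bits() {
    awk -v d="$1" 'BEGIN { b = 0; while (2 ^ (b + 1) <= d) b++; print b }'
}

# Usage: report vdso and libc bias over 200 runs (raise for a real check).
for r in '[vdso]' 'libc'; do
    set -- $(aslr_sample "$r" 200)
    echo "$r: $1 distinct value(s), most common seen $2/200 times, >= $(entropy_bits "$1") bit(s)"
done
```

A distinct count far below 2^bits, or one value taking most of the runs, is the signal to look at; 10000 runs as in the report give a more reliable picture than 200.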