Comment 6 for bug 1747630

Steve Beattie (sbeattie) wrote :

Okay, the reason this test (and bug 1717856) fails sporadically is that ASLR in precise for i386 has a very low number of random values for vdso and shared library offsets, when ulimits are set such that unlimited stack sizes are allowed:

  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ uname -a
  Linux sec-precise-i386 3.2.0-142-generic #189-Ubuntu SMP Fri Jul 5 18:40:43 UTC 2019 i686 i686 i386 GNU/Linux
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s
  unlimited
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c
     1273 0x40000000
     8662 0x40022000
       65 0x40026000

Yes, all of 3 values, and 86% of the invocations result in one value. The shared library base values are slightly better, but not much:

  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report libs ; done | sort | uniq -c
      499 0x40003d80
      285 0x40016d80
      566 0x40025d80
     7608 0x40038d80
      295 0x4003cd80
      250 0x4003dd80
      167 0x4003ed80
      153 0x4003fd80
      177 0x40040d80

Compare this with the 3.13 results:

  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ uname -a
  Linux sec-trusty-i386 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:41:17 UTC 2019 i686 i686 i686 GNU/Linux
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s
  unlimited
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c | wc -l
  256

(output is piped into wc -l, because there are 256 distinct results.) So 8 bits of randomisation, which is not great, but better than >2.

The tests were added in response to http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html and fixes were applied for the 3.2.0-104.145 kernel.
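As an added illustration (not part of the bug report or of the qrt-test-kernel-security suite), the script below reproduces the measurement the comment does with `aslr --report vdso | sort | uniq -c`: it reads the `[vdso]` base from `/proc/self/maps` of freshly spawned processes and tallies the distinct values, also reporting log2 of the distinct count and the share taken by the most common value. The `/proc/self/maps` parsing and the `sample_live` helper are this script's own, and the embedded sample list is constructed from the three counts quoted in the comment.

```python
"""Estimate ASLR entropy of a named mapping from repeated samples (added example)."""
import math
import re
import subprocess
import sys
from collections import Counter

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def mapping_base(maps_text, name="[vdso]"):
    """Return the start address of the first mapping whose path is exactly `name`."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3).strip() == name:
            return int(m.group(1), 16)
    return None


def summarise(samples):
    """Mimic `sort | uniq -c`: (counts per base, distinct count, log2 bits, share of mode)."""
    counts = Counter(samples)
    distinct = len(counts)
    bits = math.log2(distinct) if distinct else 0.0
    mode_share = max(counts.values()) / len(samples) if samples else 0.0
    return counts, distinct, bits, mode_share


def sample_live(n, name="[vdso]"):
    """Spawn n fresh processes and collect `name`'s base from each (Linux only)."""
    code = "import sys; sys.stdout.write(open('/proc/self/maps').read())"
    bases = []
    for _ in range(n):
        proc = subprocess.run([sys.executable, "-c", code],
                              capture_output=True, text=True, check=True)
        bases.append(mapping_base(proc.stdout, name))
    return bases


# Constructed maps excerpt for testing the parser (addresses are made up).
CONSTRUCTED_MAPS = (
    "f7fd2000-f7fd3000 r--p 00000000 00:00 0          [vvar]\n"
    "f7fd4000-f7fd5000 r-xp 00000000 00:00 0          [vdso]\n"
)
# Constructed sample list reproducing the three 3.2 vdso counts from the comment.
CONSTRUCTED_VDSO_SAMPLES = [0x40000000] * 1273 + [0x40022000] * 8662 + [0x40026000] * 65

if __name__ == "__main__":
    counts, distinct, bits, share = summarise(CONSTRUCTED_VDSO_SAMPLES)
    for base, c in sorted(counts.items()):
        print(f"{c:8d} 0x{base:08x}")
    print(f"{distinct} distinct values, ~{bits:.2f} bits, most common share {share:.0%}")
```

Replace `CONSTRUCTED_VDSO_SAMPLES` with `sample_live(10000)` on a Linux host to measure a live kernel; a value near 1.6 bits with one base dominating is the failure mode described in the comment.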