NX-emulation ASLR is predictable

Bug #717412 reported by Kees Cook on 2011-02-11
Affects: linux (Ubuntu) | Importance: Medium | Assigned to: Unassigned

Bug Description

On 32-bit non-PAE systems, the NX-emulation patch causes shared library and executable ASLR to become predictable due to moving the ranges up into the "ASCII Armor" area prefixed with a high byte of "0". This has been observed multiple times. Some discussion is here: http://<email address hidden>/msg00551.html

Trivial demonstration (from http://<email address hidden>/msg00561.html):

$ for i in $(seq 1 1000); do cat /proc/self/maps | grep 'x.*/lib/.*libc'; done | sort | uniq -c | sort -n
...[768 lines of differing addresses]...
      3 00de3000-00f36000 r-xp 00000000 fb:01 130850 /lib/tls/i686/cmov/libc-2.11.1.so
    174 00110000-00263000 r-xp 00000000 fb:01 130850 /lib/tls/i686/cmov/libc-2.11.1.so
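The shell loop above only eyeballs the distribution. The following added example (not from the bug report or the kernel) parses /proc/self/maps output from many fresh processes and turns it into numbers a defender can threshold on: how often the single most common libc base recurs, the Shannon entropy of the observed bases, and what fraction of them sit in the ASCII-armor range (high byte 0x00). The embedded sample runs are constructed to mimic the skew in the report; sample_live() repeats the report's measurement on a real system.

```python
import subprocess
from collections import Counter
from math import log2

# Constructed sample: each entry is one process's maps output, built from a
# template. Six of eight runs land on 0x00110000, as in the report's skew.
TEMPLATE = (
    "{b:08x}-{e:08x} r-xp 00000000 fb:01 130850 /lib/tls/i686/cmov/libc-2.11.1.so\n"
    "{e:08x}-{e2:08x} r--p 00152000 fb:01 130850 /lib/tls/i686/cmov/libc-2.11.1.so\n"
    "bfd0a000-bfd1f000 rw-p 00000000 00:00 0 [stack]\n")
CONSTRUCTED_BASES = [0x00110000] * 6 + [0x00de3000, 0xb7600000]
SAMPLE_RUNS = [TEMPLATE.format(b=b, e=b + 0x153000, e2=b + 0x155000)
               for b in CONSTRUCTED_BASES]

ASCII_ARMOR_LIMIT = 0x01000000  # addresses whose high byte is 0x00


def libc_exec_base(maps_text):
    """Start address of the executable libc mapping in one maps dump, or None."""
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue
        addr, perms, path = parts[0], parts[1], parts[5]
        if 'x' in perms and '/lib/' in path and 'libc' in path:
            return int(addr.split('-')[0], 16)
    return None


def assess(bases):
    """Summarise how predictable the observed libc bases are."""
    counts = Counter(bases)
    total = len(bases)
    top_base, top_count = counts.most_common(1)[0]
    entropy = -sum((c / total) * log2(c / total) for c in counts.values())
    in_armor = sum(1 for b in bases if b < ASCII_ARMOR_LIMIT)
    return {"samples": total, "distinct": len(counts), "top_base": top_base,
            "top_fraction": top_count / total, "entropy_bits": entropy,
            "ascii_armor_fraction": in_armor / total}


def sample_live(n=1000):
    """Spawn n fresh processes, as the report's shell loop does, and collect bases."""
    bases = []
    for _ in range(n):
        out = subprocess.run(["cat", "/proc/self/maps"],
                             capture_output=True, text=True).stdout
        b = libc_exec_base(out)
        if b is not None:
            bases.append(b)
    return bases


if __name__ == "__main__":
    print(assess([libc_exec_base(r) for r in SAMPLE_RUNS]))
```

With full entropy a 32-bit libc base has roughly 8 bits of randomness in the usual mmap layout, so an entropy figure near 1 bit or a top_fraction in the double-digit percent range over a thousand runs is the signature of the problem the report describes.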

Kees Cook (kees) on 2011-02-11
visibility: private → public
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium