References: <69fa6015256613ed10aee996e181ebd4@horotw.com>
User-agent: mu4e 1.10.8; emacs 30.0.50
From: Sam James
To: mail@horotw.com
Cc: linux-hardening@vger.kernel.org, Jakub Wilk, Salvatore Bonaccorso, Linux Memory Management List, William Kucharski, Matthew Wilcox (Oracle)
Subject: Re: Limited/Broken functionality of ASLR for Libs >= 2MB
Date: Mon, 15 Jan 2024 16:40:36 +0000
Organization: Gentoo
In-reply-to: <69fa6015256613ed10aee996e181ebd4@horotw.com>
Message-ID: <87il3ur1ik.fsf@gentoo.org>

mail@horotw.com writes:

> Hey, I read that ASLR is currently (since kernel >=5.18) broken for
> 32bit libs
> and reduced in effectiveness for 64bit libs... (the issue
> only arises if a lib is over 2MB).
> I confirmed this for myself but only for the 64bit case.
>
> I saw that this issue is being tracked by ubuntu
> (https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357).
> If this is the wrong place and I should instead report it elsewhere I
> am very sorry.

See also https://bugs.debian.org/1024149.

Unfortunately, I don't think the issue found its way upstream until now
(thanks). CCing relevant maintainers (per the Debian bug).

>
> Sources:
> https://zolutal.github.io/aslrnt/ # the page of the original
> discoverer of the bug - as far as I know
> https://infosec.exchange/@wdormann/111744168574317113
>
> How I checked that this issue is present (I used bat because it
> includes libcrypto which is a lot bigger than 2MB and not on the edge
> of 2MB like libc):
> ```python
> from subprocess import check_output
>
> def check_bit_usage(cmd):
>     # OR the load base seen in 1000 fresh processes: a bit that is
>     # never set in the result is never randomised by the kernel.
>     res = 0x0
>     for _ in range(0, 1000):
>         out = check_output(cmd, shell=True).decode()
>         # first field of the first matching maps line is the start address
>         base_address = int(out.split("-")[0], 16)
>         res |= base_address
>     return hex(res)
>
> result = check_bit_usage("cat /proc/self/maps | grep ld-linux | head -n1")
> print(f"Result for ld-linux (smaller than 2MB): {result}")
>
> result = check_bit_usage("bat /proc/self/maps | grep libcrypto | head -n1")
> print(f"Result for libcrypto (bigger than 2MB): {result}")
> ```
>
> Output:
> ```
> Result for ld-linux (smaller than 2MB): 0x7ffffffff000
> Result for libcrypto (bigger than 2MB): 0x7fffffe00000
> ```
>
> This is my first time reporting an issue to the kernel so if anything
> is inappropriate please let me know.
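The check quoted above, as an added example that is not part of the original report or of the reply: it parses /proc/<pid>/maps directly instead of shelling out to grep, and it tracks both the OR and the AND of the sampled bases, because OR alone also counts bits that are set in every run (the fixed upper part of the mmap region) as if they were randomised. The bits that actually vary are OR & ~AND, so their popcount is the real entropy figure, and the lowest set bit of the OR is the alignment the kernel enforced (0x1000 for a 4 KiB-aligned mapping, 0x200000 for one forced to 2 MiB). The maps excerpt and the simulate_bases() generator are constructed stand-ins (the generator assumes an x86-64 layout with the default 28 bits of page-granular mmap randomisation); sample_bases() does the live measurement on a Linux host and is not exercised offline.

```python
"""Measure how many address bits ASLR really randomises for one mapping.

Added example (not code from the report or from any kernel tree): sample a
library's load base over many fresh processes, keep OR and AND of the bases,
report popcount(OR & ~AND) as entropy and the lowest set OR bit as alignment.
"""
import random
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# /proc/<pid>/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed maps excerpt, not captured from a real system.
SAMPLE_MAPS = """\
55d3c0e00000-55d3c0e02000 r--p 00000000 fd:01 1234 /usr/bin/cat
7f2a1a200000-7f2a1a5e4000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f2a1ac00000-7f2a1ac02000 r--p 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd5d3c0000-7ffd5d3e1000 rw-p 00000000 00:00 0 [stack]
"""


def first_base(maps_text: str, needle: str) -> Optional[int]:
    """Start address of the lowest mapping whose pathname contains needle.

    maps is sorted by address, so the first hit is the library's load base,
    the same line the report's `grep ... | head -n1` picks.
    """
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and needle in m.group(4):
            return int(m.group(1), 16)
    return None


@dataclass
class AslrStats:
    or_bits: int      # set in at least one sample (what the report printed)
    and_bits: int     # set in every sample: fixed bits, not entropy
    random_bits: int  # number of bits that actually varied
    alignment: int    # lowest set OR bit: 0x1000 = 4 KiB, 0x200000 = 2 MiB


def analyse(bases: List[int]) -> AslrStats:
    """Fold sampled load bases into OR/AND and derive entropy and alignment."""
    if not bases:
        raise ValueError("no samples")
    or_bits, and_bits = 0, bases[0]
    for b in bases:
        or_bits |= b
        and_bits &= b
    varying = or_bits & ~and_bits
    return AslrStats(or_bits, and_bits, bin(varying).count("1"), or_bits & -or_bits)


def simulate_bases(align: int, n: int = 2048, seed: int = 1) -> List[int]:
    """Constructed stand-in for live samples (assumption: x86-64 layout).

    Fixed top bits, 28 bits of page-granular randomness (x86-64's default
    mmap_rnd_bits), then rounded down to `align` the way a mapping that is
    forced to 2 MiB alignment would be.
    """
    rng = random.Random(seed)
    return [(0x7F0000000000 + (rng.getrandbits(28) << 12)) & ~(align - 1)
            for _ in range(n)]


def sample_bases(cmd: List[str], needle: str, runs: int = 200) -> List[int]:
    """Live measurement (Linux only): run cmd, which must print its own
    /proc/self/maps, `runs` times and collect the load base of `needle`."""
    bases = []
    for _ in range(runs):
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        b = first_base(out, needle)
        if b is not None:
            bases.append(b)
    return bases


if __name__ == "__main__":
    for align, label in ((0x1000, "4 KiB-aligned"), (0x200000, "2 MiB-aligned")):
        s = analyse(simulate_bases(align))
        print(f"{label}: OR={s.or_bits:#x} random_bits={s.random_bits} "
              f"alignment={s.alignment:#x}")
```

To reproduce the report's measurement live, use sample_bases(["cat", "/proc/self/maps"], "ld-linux") and sample_bases(["bat", "/proc/self/maps"], "libcrypto") and feed each list to analyse(). A mapping forced to 2 MiB alignment shows up as random_bits dropping by 9 relative to the 4 KiB case (bits 12 to 20 are no longer randomised), which is the same 0x7ffffffff000 versus 0x7fffffe00000 difference visible in the quoted output, with the always-set upper bits no longer inflating the count.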