On Tue 17-10-17 13:01:04, Kees Cook wrote: > On Tue, Oct 17, 2017 at 2:04 AM, Michal Hocko <mho...@kernel.org> wrote: [...] > > I am not insisting on this patch but it seems to me is just makes a > > recoverable state a failure. > > Right, I understand you're trying to make it recoverable. I'm > suggesting that making it recoverable provides a way for an attack to > abuse it, and that what we'd be recovering from is a case we should > never ever see. > > Consider the case where through some future bug/feature, it's possible > to put the stack at an arbitrary location during an exec. (We've > worked to fix that already, but who knows what the future holds either > through misfeatures or bugs.) If an attacker maps the stack over a > large portion of the PIE exec range, patch 2 will result in vmmap > searching out a location that isn't already allocated. This means that > instead of the PIE ASLR choosing from the entire possible range, it > will get limited to only the area where something isn't already > overlapping. This would give an attacker the ability to control the > PIE ASLR, possibly forcing it into a fixed location.
Yes, I guess I understand that part. What is not clear to me exactly is why this matters as we have the mmap_base randomized and not under the control of the attacker. -- Michal Hocko SUSE Labs