On Thu, Oct 19, 2017 at 4:20 AM, Michal Hocko <[email protected]> wrote: > On Tue 17-10-17 13:01:04, Kees Cook wrote: >> On Tue, Oct 17, 2017 at 2:04 AM, Michal Hocko <[email protected]> wrote: > [...] >> > I am not insisting on this patch but it seems to me is just makes a >> > recoverable state a failure. >> >> Right, I understand you're trying to make it recoverable. I'm >> suggesting that making it recoverable provides a way for an attack to >> abuse it, and that what we'd be recovering from is a case we should >> never ever see. >> >> Consider the case where through some future bug/feature, it's possible >> to put the stack at an arbitrary location during an exec. (We've >> worked to fix that already, but who knows what the future holds either >> through misfeatures or bugs.) If an attacker maps the stack over a >> large portion of the PIE exec range, patch 2 will result in vmmap >> searching out a location that isn't already allocated. This means that >> instead of the PIE ASLR choosing from the entire possible range, it >> will get limited to only the area where something isn't already >> overlapping. This would give an attacker the ability to control the >> PIE ASLR, possibly forcing it into a fixed location. > > Yes, I guess I understand that part. What is not clear to me exactly is > why this matters as we have the mmap_base randomized and not under the > control of the attacker.
mmap_base is separate from the PIE base, so patch 2 would allow for a reduction of the PIE ASLR entropy in the case of a novel overlap attack. -Kees -- Kees Cook Pixel Security
