* Roland McGrath <roland(a)redhat.com> wrote:
> I hope to manage to cajole Ingo into either upstreaming or punting
> thing, the different arch_get_unmapped_area algorithm used for PROT_EXEC
> mappings. I can't tell whether it's actually of any use when we're not using
> the segmentation hack. If it is, some version of it belongs upstream.
Even not considering the segmentation based protection, it's useful (on
32-bit) because it compresses executable mappings into an address space region
where all 32-bit addresses have a zero byte in them.
This adds one more complication to exploits - for example, ASCII string
overflow based exploits (which cannot have an end-of-string zero byte in them)
will have to work harder to generate an address into that address range. (Some
may even be prevented altogether - although it's usually rather hard to
disprove the exploitability of overflow bugs.)
But upstream mm/ maintainers expressed a thundering disinterest in these kinds
of changes, and the segmentation based trick was explicitly NAK-ed IIRC.