exec-shield=2

Kees Cook kees at ubuntu.com
Tue Jul 13 23:39:34 UTC 2010


Hi,

On Fri, Jul 09, 2010 at 02:03:26PM -0700, Roland McGrath wrote:
> and Fedora.  I figure that eventually some Fedora release cycle will stop
> supporting non-PAE hardware anyway and/or officially just not care about
> maximal exploit mitigation for non-PAE or ancient hardware.  So one day
> we'll just drop that patch.

Yeah, Ubuntu is in a similar situation, but I fear it's still several years
out.

It seems like the patches you've got still don't have the brk collision
fix I sent[1] a while back?  (Looks like the va_randomize fix was done,
though.)

Also, it looks like the ASLR is seriously flawed.  In actual testing, the
ASLR in this patch set is extremely predictable due to how it does the
reordering, which actually reduces its entropy.  :(  I haven't worked out a
good way to fix it yet, though, but I suspect doing a base offset like is
done in mainline is the way to go, though the range is so tiny, I'm not
sure how to best deal with it.  Maybe wrap around in the SHLIB_BASE through
0x08000000 range?  Anyway, running "ldd $(which mysql)" 1000 times
sometimes shows libc in the same place almost 500 of those times.

Regardless, having a branch rebased on upstream linux would be nice.  I've
got one here at the moment:
http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/nx-emu

It looks like you've added a few more CONFIG_X86_32 checks, but not as many
as I've got still.  Have you got any feedback on the patches I'm carrying
here?

Thanks,

-Kees

[1] first hunk of http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-maverick.git;a=commitdiff;h=07c4182e1f32e59da7cbc8dde3aff1c8479dad62

-- 
Kees Cook
Ubuntu Security Team
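The measurement Kees describes (running "ldd $(which mysql)" repeatedly and counting how often libc lands at the same address) as an added shell example that is not part of the original mail; it assumes ldd output lines of the form "libc.so.6 => /lib/libc.so.6 (0xb7e00000)" and the binary path and run count are parameters you supply.

```shell
#!/bin/sh
# Added example (not from the mail): tally libc load addresses across repeated
# ldd runs to see how predictable a given ASLR implementation is.

# Read one ldd output on stdin and print the libc load address (hex, no parens).
libc_addr() {
    awk '/libc\.so/ { gsub(/[()]/, "", $NF); print $NF; exit }'
}

# Run "ldd BINARY" N times and print the libc address observed in each run.
# Usage: sample_libc_addrs "$(command -v mysql)" 1000 | summarize_addrs
sample_libc_addrs() {
    bin=$1; n=$2; i=0
    while [ "$i" -lt "$n" ]; do
        ldd "$bin" | libc_addr
        i=$((i + 1))
    done
}

# Read addresses on stdin (one per line) and report the most frequent address,
# how many runs hit it, and how many distinct addresses were seen overall.
# A high hit count relative to the run count is the symptom Kees reports.
summarize_addrs() {
    sort | uniq -c | sort -rn | awk '
        NR == 1 { top = $1; addr = $2 }
        { distinct++ }
        END { printf "most_common=%s hits=%d distinct=%d\n", addr, top, distinct }'
}

# Constructed sample of six runs (not real measurements): one address repeats
# four times, illustrating the "same place almost half the time" pattern.
SAMPLE_ADDRS='0xb7e00000
0xb7f10000
0xb7e00000
0xb7e00000
0xb7d20000
0xb7e00000'

demo() { printf '%s\n' "$SAMPLE_ADDRS" | summarize_addrs; }

demo
```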