Bug#1024149: linux-image-amd64: 32-bit mmap() puts large files at non-random address


Jakub Wilk

Nov 15, 2022, 10:30:04 AM
Adding forgotten attachment...

--
Jakub Wilk
test-mmap.c

Jakub Wilk

Nov 15, 2022, 10:30:04 AM
Package: src:linux
Version: 6.0.8-1
Tags: security
Control: affects -1 + libc6

32-bit mmap() puts large (>= 2 MiB) files at the same address every
time:

$ i686-linux-gnu-gcc -static test-mmap.c -o test-mmap
$ head -c $((2 * 1024 * 1024)) /dev/zero > zeros
$ for i in 1 2 3; do ./test-mmap < zeros; done
mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000
mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000
mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000

In contrast, for smaller files, there are a few bits of entropy in the
address:

$ head -c $((2 * 1024 * 1024 - 4096)) /dev/zero > zeros
$ for i in 1 2 3; do ./test-mmap < zeros; done
mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d4a000
mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7db8000
mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d99000

This weakens ASLR for most(?) programs, because libc.so.6 has recently
become slightly larger than 2 MiB:

$ wc -c /lib/i386-linux-gnu/libc.so.6
2225200 /lib/i386-linux-gnu/libc.so.6

$ for i in 1 2 3; do cat /proc/self/maps | grep ' r-xp .*/libc'; done
f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6
f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6
f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6

Curiously, not all file systems are affected. I could reproduce the bug
on ext4, but not on tmpfs or unionfs.


-- Package-specific info:
** Version:
Linux version 6.0.0-4-amd64 (debian...@lists.debian.org) (gcc-12 (Debian 12.2.0-9) 12.2.0, GNU ld (GNU Binutils for Debian) 2.39) #1 SMP PREEMPT_DYNAMIC Debian 6.0.8-1 (2022-11-11)


-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
Architecture: i386 (x86_64)
Foreign Architectures: amd64

--
Jakub Wilk
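A small diagnostic in the spirit of the report's test-mmap.c (which is attached to the bug but not reproduced in this thread). This is an added example, not the attachment and not kernel, glibc or Debian code. With no arguments it maps the file on stdin read-only, exactly as the mmap() lines above show, and prints the address; with --bits it takes the addresses printed by several runs and counts how many address bits actually differed, which is the number a defender wants when checking whether a mapping still receives ASLR entropy. The names map_file_ro, varying_bits and the --bits option are this example's own choices.

```c
/* Added diagnostic for the bug above: not the report's test-mmap.c attachment
 * (which is not reproduced in this thread) and not kernel or Debian code.
 * Mode 1 (no arguments): map the file on stdin read-only and print the address,
 *   mirroring the mmap() calls in the report.
 * Mode 2 (--bits ADDR...): given the addresses printed by several runs, count
 *   how many address bits actually differed between them.
 * The names map_file_ro, varying_bits and --bits are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private read-only mapping of the first len bytes of fd, as in the report's
 * mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0). Returns MAP_FAILED on error
 * (including len == 0, which mmap would reject with EINVAL anyway). */
void *map_file_ro(int fd, size_t len)
{
    if (len == 0)
        return MAP_FAILED;
    return mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
}

/* Number of address bits that take more than one value across the n samples:
 * OR together every (addrs[i] ^ addrs[0]) and count the set bits. Identical
 * samples give 0, which is exactly what the report saw for >= 2 MiB files. */
int varying_bits(const uintptr_t *addrs, size_t n)
{
    uintptr_t diff = 0;
    int bits = 0;
    for (size_t i = 1; i < n; i++)
        diff |= addrs[i] ^ addrs[0];
    for (; diff != 0; diff &= diff - 1) /* clears the lowest set bit each step */
        bits++;
    return bits;
}

int main(int argc, char **argv)
{
    if (argc >= 2 && strcmp(argv[1], "--bits") == 0) {
        size_t n = (size_t)(argc - 2);
        uintptr_t *addrs = calloc(n ? n : 1, sizeof *addrs);
        if (addrs == NULL) {
            perror("calloc");
            return 1;
        }
        for (size_t i = 0; i < n; i++)
            addrs[i] = (uintptr_t)strtoull(argv[i + 2], NULL, 16); /* accepts 0x prefix */
        printf("%d address bit(s) vary across %zu run(s)\n", varying_bits(addrs, n), n);
        free(addrs);
        return 0;
    }

    struct stat st;
    if (fstat(STDIN_FILENO, &st) != 0) {
        perror("fstat");
        return 1;
    }
    void *p = map_file_ro(STDIN_FILENO, (size_t)st.st_size);
    if (p == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    /* Same shape as the strace lines in the report, so runs are easy to compare. */
    printf("mmap(NULL, %lld, PROT_READ, MAP_PRIVATE, 0, 0) = %p\n",
           (long long)st.st_size, p);
    munmap(p, (size_t)st.st_size);
    return 0;
}
```

Build it for 32-bit as the report does (i686-linux-gnu-gcc -static), run it several times with a >= 2 MiB file on stdin, then pass the printed addresses to --bits. The three large-file addresses in the report give 0 varying bits; the three small-file addresses give 6. A result of 0 on a kernel carrying the readahead alignment change means a large mapped library such as libc.so.6 lands at a predictable address, which is the ASLR weakening the report describes; per the report, the same check against a file on tmpfs should still show varying bits.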

Jakub Wilk

Nov 18, 2022, 4:00:04 PM
I've bisected this; the first bad commit is 1854bc6e24204726
("mm/readahead: Align file mappings for non-DAX").

--
Jakub Wilk

Salvatore Bonaccorso

Nov 19, 2022, 5:20:04 AM
Hello Jakub,

On Fri, Nov 18, 2022 at 09:53:49PM +0100, Jakub Wilk wrote:
> I've bisected this; the first bad commit is 1854bc6e24204726 ("mm/readahead:
> Align file mappings for non-DAX").

Given you were able to tackle the issue further, can you report the
issue to upstream (and keep this bug in the loop), including the
memory management maintainers explicitly, William Kucharski
<william....@oracle.com> and Matthew Wilcox (Oracle)
<wi...@infradead.org>, as well?

Regards,
Salvatore

Jakub Wilk

Jan 12, 2023, 7:30:03 AM
* Salvatore Bonaccorso <car...@debian.org>, 2022-11-19 11:11:
>Given you were able to tackle the issue further, can you report the
>issue to upstream

Don't count on me. Sorry!

--
Jakub Wilk

Salvatore Bonaccorso

Jan 14, 2023, 10:20:04 AM
Hi Jakub,
Okay, thanks for being explicit on that. Then I guess it's on our end
to try to get that upstream.

Regards,
Salvatore

Andres Salomon

Jan 12, 2024, 2:30:05 PM
This bug seems to also affect 64-bit mmap (though not nearly as badly),
and is written about here:

https://zolutal.github.io/aslrnt/