NX-emulation ASLR is predictable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Confirmed | Medium | Unassigned |
Bug Description
On 32-bit non-PAE systems, the NX-emulation patch causes shared library and executable ASLR to become predictable, because it moves the mapping ranges up into the "ASCII Armor" area, whose addresses have a high byte of "0". This has been observed multiple times. Some discussion is here: http://<email address hidden>
Trivial demonstration (from http://<email address hidden>):
```
$ for i in $(seq 1 1000); do cat /proc/self/maps | grep 'x.*/lib/.*libc'; done | sort | uniq -c | sort -n
...[768 lines of differing addresses]...
      3 00de3000-00f36000 r-xp 00000000 fb:01 130850     /lib/tls/
    174 00110000-00263000 r-xp 00000000 fb:01 130850     /lib/tls/
```
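The one-liner above is the whole measurement; the script below, added here as an example and not part of the bug report, packages the same idea into reusable functions: one that samples the libc text-segment base from a fresh process each iteration, one that summarizes how many distinct bases were seen and which one dominated, and one that flags the layout as weak when a single base accounts for more than a chosen percentage of samples. The sample addresses embedded in it are constructed to mirror the report (one base repeating far more often than the rest); the function names and the 5% threshold are this example's own choices, not anything the report defines.

```shell
#!/bin/sh
# Added example (not from the bug report): measure how predictable the libc
# base address is across many process starts.
#   sh aslr_check.sh --live    # sample 1000 real processes (Linux only)
# Each 'cat' below is a new process, so /proc/self/maps reflects a fresh
# randomized layout every iteration.

libc_base_samples() {
    n=${1:-1000}
    i=0
    while [ "$i" -lt "$n" ]; do
        cat /proc/self/maps | grep 'r-xp.*libc' | head -n 1 | cut -d- -f1
        i=$((i + 1))
    done
}

# Reads one base address per line on stdin and prints
# "<distinct_bases> <top_count> <top_base>".
summarize_bases() {
    sort | uniq -c | sort -rn | awk '
        NR == 1 { top = $1; base = $2 }
        { distinct++ }
        END { printf "%d %d %s\n", distinct, top, base }'
}

# Exit status 0 ("weak") when the most frequent base exceeds THRESHOLD percent
# of all samples; with real randomization no single base should come close.
aslr_looks_weak() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        { count[$1]++; total++ }
        END {
            top = 0
            for (b in count) if (count[b] > top) top = count[b]
            exit !(top * 100 > t * total)
        }'
}

# Constructed sample (not measured data): base 00110000 appears 4 times out of 7,
# the same pattern the report shows at a larger scale (174 of 1000).
CONSTRUCTED_SAMPLE="00110000
00de3000
00110000
00a4f000
00110000
00110000
00de3000"

predictability_demo() {
    printf '%s\n' "$CONSTRUCTED_SAMPLE" | summarize_bases
}

if [ "${1:-}" = "--live" ]; then
    libc_base_samples 1000 | summarize_bases
fi
```

Read the summary the way the report does: with 1000 samples, a healthy layout yields many distinct bases with low top counts, whereas a top count in the hundreds, as in the report's 174, means the mapping is effectively predictable and the NX-emulation change has undone most of the randomization.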
visibility: private → public
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium