oss-sec mailing list archives

Re: PIE bypass using VDSO ASLR weakness


From: Mathias Krause <minipli () googlemail com>
Date: Tue, 9 Dec 2014 20:38:08 +0100

On 9 December 2014 at 16:33, Reno Robert <renorobert () gmail com> wrote:
> Hi Daniel, COMPAT_VDSO is not enabled. Just that randomization is 20 bits
> and the same values are generated on repeated execution.
>
> On Tue, Dec 9, 2014 at 2:08 PM, Daniel Micay <danielmicay () gmail com> wrote:
>> On 09/12/14 03:05 AM, Reno Robert wrote:
>>> Do we need better ASLR for VDSO to make PIE more effective?
>>
>> You must have COMPAT_VDSO enabled. It's randomized fine with a sane
>> kernel configuration.


minipli@jig:~/tmp$ echo 'int main(){}' | gcc -pie -std=c99 -xc - -o pie
minipli@jig:~/tmp$ for i in $(seq 10000); do ldd ./pie; done | grep vdso | sort | uniq | wc -l
10000
minipli@jig:~/tmp$ uname -rm
3.17.3-grsec+ x86_64

So Daniel's advice seems legit to me. However, sane in this context
would mean CONFIG_PAX_RANDMMAP=y ;)


Regards,
Mathias
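
Mathias's ldd loop, turned into a repeatable check as an added example (not code from the thread): it parses each ldd run for the vDSO base, counts distinct bases and reports how many address bits ever changed, so a repeating base like the one Reno saw shows up as distinct < runs. The sample ldd outputs are constructed and sample_vdso_bases is a hypothetical helper for a live run.

```python
import re
import subprocess
from collections import Counter

# vDSO entry in `ldd` output, either glibc format (also 32-bit linux-gate):
#   linux-vdso.so.1 (0x00007ffd7a5f1000)   /   linux-vdso.so.1 =>  (0x00007fff5a3fe000)
LDD_VDSO_RE = re.compile(r"linux-(?:vdso|gate)\.so\.\d+.*?\(0x([0-9a-f]+)\)")

def parse_vdso_base(ldd_output):
    """Return the vDSO load address from one `ldd` run, or None if no vDSO line."""
    m = LDD_VDSO_RE.search(ldd_output)
    return int(m.group(1), 16) if m else None

def randomization_stats(bases):
    """Summarise how the vDSO base moved across runs.

    Returns (distinct, varying_bits, top_repeat): number of distinct bases, how
    many address bits ever differed between runs (an upper bound on the entropy
    actually applied), and how often the most frequent base was seen. Healthy
    output for N runs is distinct == N; a repeating base is Reno's symptom.
    """
    bases = [b for b in bases if b is not None]
    if not bases:
        return 0, 0, 0
    mask = 0
    for b in bases:
        mask |= b ^ bases[0]          # bits that changed relative to the first run
    return len(set(bases)), bin(mask).count("1"), Counter(bases).most_common(1)[0][1]

def sample_vdso_bases(path, runs=1000):
    """Hypothetical live helper: run `ldd path` repeatedly and collect the bases."""
    samples = []
    for _ in range(runs):
        r = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
        samples.append(parse_vdso_base(r.stdout))
    return samples

# Constructed ldd outputs (not real measurements): the base repeats and only one
# address bit ever changes, i.e. the weak behaviour the thread discusses.
SAMPLE_LDD = [
    "\tlinux-vdso.so.1 (0x00007ffd7a5f1000)\n\tlibc.so.6 => /lib/libc.so.6 (0x00007f1b3c000000)\n",
    "\tlinux-vdso.so.1 (0x00007ffd7a5f1000)\n",
    "\tlinux-vdso.so.1 (0x00007ffd7a5f3000)\n",
    "\tlinux-vdso.so.1 (0x00007ffd7a5f1000)\n",
]

if __name__ == "__main__":
    distinct, bits, top = randomization_stats(parse_vdso_base(o) for o in SAMPLE_LDD)
    print(f"distinct bases: {distinct}, varying bits: {bits}, top base seen {top}x")
```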

