Package: src:linux
Version: 6.0.8-1
Tags: security
Control: affects -1 + libc6

32-bit mmap() puts large (>= 2 MiB) files at the same address every time:

  $ i686-linux-gnu-gcc -static test-mmap.c -o test-mmap
  $ head -c $((2 * 1024 * 1024)) /dev/zero > zeros
  $ for i in 1 2 3; do ./test-mmap < zeros; done
  mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000
  mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000
  mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000

In contrast, for smaller files, there are a few bits of entropy in the address:

  $ head -c $((2 * 1024 * 1024 - 4096)) /dev/zero > zeros
  $ for i in 1 2 3; do ./test-mmap < zeros; done
  mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d4a000
  mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7db8000
  mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d99000

This weakens ASLR for most(?) programs, because libc.so.6 has recently become slightly larger than 2 MiB:

  $ wc -c /lib/i386-linux-gnu/libc.so.6
  2225200 /lib/i386-linux-gnu/libc.so.6
  $ for i in 1 2 3; do cat /proc/self/maps | grep ' r-xp .*/libc'; done
  f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6
  f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6
  f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6

Curiously, not all file systems are affected. I could reproduce the bug on ext4, but not on tmpfs or unionfs.

-- Package-specific info:
** Version:
Linux version 6.0.0-4-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-9) 12.2.0, GNU ld (GNU Binutils for Debian) 2.39) #1 SMP PREEMPT_DYNAMIC Debian 6.0.8-1 (2022-11-11)

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
Architecture: i386 (x86_64)
Foreign Architectures: amd64

-- 
Jakub Wilk
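An added self-contained check in the spirit of the reporter's test (this is not the reporter's test-mmap.c, whose source is not part of the report): it maps a file in ten freshly exec'd processes and counts how many distinct addresses the kernel returned, so a count of 1 for a >= 2 MiB file on ext4 reproduces the lost entropy described above. The re-exec through /proc/self/exe (fork alone would inherit the parent's randomized layout), the ten-run sample size and the program name are this example's own choices; build it 32-bit and static as in the report (i686-linux-gnu-gcc -static) and run it as ./mmap-entropy zeros.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
/* Child mode: map the whole file read-only and print where it landed. */
static int child_print_addr(const char *path) {
    struct stat st; int fd = open(path, O_RDONLY);
    if (fd < 0 || fstat(fd, &st) < 0) return 1;
    void *p = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) return 1;
    printf("%p\n", p);
    return 0;
}

/* Distinct values in addrs[0..n); 1 means every run mapped the same address. */
int count_distinct(const unsigned long *addrs, int n) {
    int distinct = 0;
    for (int i = 0, j; i < n; i++) {
        for (j = 0; j < i && addrs[j] != addrs[i]; j++) {}
        distinct += (j == i); /* no earlier run returned this address */
    }
    return distinct;
}

/* Parent mode: re-exec this binary `runs` times (a plain fork would inherit the
 * parent's layout), read each child's address and return the distinct count. */
int sample_mmap_addrs(const char *path, int runs, unsigned long *addrs) {
    char self[4096] = {0}, cmd[8192]; /* self stays NUL-terminated after readlink */
    ssize_t len = readlink("/proc/self/exe", self, sizeof self - 1);
    if (len < 0) return -1;
    snprintf(cmd, sizeof cmd, "'%s' --child '%s'", self, path);
    for (int i = 0; i < runs; i++) {
        FILE *f = popen(cmd, "r");
        int ok = f && fscanf(f, "%lx", &addrs[i]) == 1; /* %lx accepts the 0x prefix */
        if (f) pclose(f);
        if (!ok) return -1;
    }
    return count_distinct(addrs, runs);
}

int main(int argc, char **argv) {
    if (argc == 3 && strcmp(argv[1], "--child") == 0) return child_print_addr(argv[2]);
    if (argc != 2) return 2;
    unsigned long addrs[10];
    int distinct = sample_mmap_addrs(argv[1], 10, addrs);
    printf("%d distinct address(es) in 10 runs\n", distinct);
    return distinct == 1; /* exit 1 when every run landed at the same place */
}
```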
32-bit mmap() puts large (>= 2 MiB) files at the same address every time: $ i686-linux-gnu-gcc -static test-mmap.c -o test-mmap $ head -c $((2 * 1024 * 1024)) /dev/zero > zeros $ for i in 1 2 3; do ./test-mmap < zeros; done mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000 mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000 mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000 In contrast, for smaller files, there's a few bits of entropy in the address: $ head -c $((2 * 1024 * 1024 - 4096)) /dev/zero > zeros $ for i in 1 2 3; do ./test-mmap < zeros; done mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d4a000 mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7db8000 mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d99000 This weakens ASLR for most(?) programs, because libc.so.6 has recently become slightly larger than 2 MiB: $ wc -c /lib/i386-linux-gnu/libc.so.6 2225200 /lib/i386-linux-gnu/libc.so.6 $ for i in 1 2 3; do cat /proc/self/maps | grep ' r-xp .*/libc'; done f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6 f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6 f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068 /lib/i386-linux-gnu/libc.so.6 Curiously, not all file systems are affected. I could reproduce the bug on ext4, but not on tmpfs or unionfs. -- Package-specific info: ** Version: Linux version 6.0.0-4-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-9) 12.2.0, GNU ld (GNU Binutils for Debian) 2.39) #1 SMP PREEMPT_DYNAMIC Debian 6.0.8-1 (2022-11-11) -- System Information: Debian Release: bookworm/sid APT prefers unstable Architecture: i386 (x86_64) Foreign Architectures: amd64 -- Jakub Wilk