Re: [PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

2015-03-09 Thread Russell King - ARM Linux
On Mon, Mar 02, 2015 at 04:19:47PM -0800, Kees Cook wrote: > diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig > index 248d99cabaa8..e2f0ef9c6ee3 100644 > --- a/arch/arm/Kconfig > +++ b/arch/arm/Kconfig > @@ -1,7 +1,6 @@ > config ARM > bool > default y > - select ARCH_BINFMT_ELF_RAN
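Review bot: the removed `select` line is cut off in this quote, so the hunk alone does not show which Kconfig symbol arch/arm stops selecting; the cover text for this patch says CONFIG_BINFMT_ELF_RANDOMIZE_PIE is being removed, so the dropped select should be that symbol, and every other arch Kconfig in the diffstat (arch/arm64/Kconfig is listed) needs the same removal in this series so no select of a no-longer-defined option is left behind.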

Re: [PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

2015-03-04 Thread Michael Ellerman
On Wed, 2015-03-04 at 13:13 -0800, Kees Cook wrote:
> > I had a question in the powerpc-specific change that may have gone unnoticed:
> > Can mmap ASLR be safely enabled in the legacy mmap case here? Other archs
> use "mm->mmap_base = TASK_UNMAPPED_BASE + random_factor".
> > Separate from this s

Re: [PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

2015-03-04 Thread Kees Cook
On Tue, Mar 3, 2015 at 8:16 PM, Michael Ellerman wrote:
> On Mon, 2015-03-02 at 16:19 -0800, Kees Cook wrote:
>> This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips,
>> powerpc, and x86. The problem is that if there is a leak of ASLR from
>> the executable (ET_DYN), it means a leak o

Re: [PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

2015-03-03 Thread Michael Ellerman
On Mon, 2015-03-02 at 16:19 -0800, Kees Cook wrote:
> This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips,
> powerpc, and x86. The problem is that if there is a leak of ASLR from
> the executable (ET_DYN), it means a leak of shared library offset as
> well (mmap), and vice versa. Furt

[PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

2015-03-02 Thread Kees Cook
This fixes the "offset2lib" weakness in ASLR for arm, arm64, mips, powerpc, and x86. The problem is that if there is a leak of ASLR from the executable (ET_DYN), it means a leak of shared library offset as well (mmap), and vice versa. Further details and a PoC of this attack are available here: htt

[PATCH 4/5] mm: split ET_DYN ASLR from mmap ASLR

2015-02-26 Thread Kees Cook
This moves arch_mmap_rnd() into the ELF loader for handling ET_DYN ASLR in a separate region from mmap ASLR, as already done on s390. Removes CONFIG_BINFMT_ELF_RANDOMIZE_PIE.

Reported-by: Hector Marco-Gisbert
Signed-off-by: Kees Cook
---
 arch/arm/Kconfig| 1 -
 arch/arm64/Kconfig