On Fri, Dec 11, 2015 at 7:14 PM, Andi Kleen <andi@firstfloor.org> wrote:
>> And I'd argue that this is killing ASLR at a level that it should be
>> an opt-out rather than opt-in. Crippling ASLR is, IMHO,
>> unacceptable.
>
> You're arguing then that running 32bit code is unacceptable.

I don't see that that follows.
Right now, 32-bit code has security margin X and 64-bit code has
security margin Y > X. The proposed patch *reduces* the security
margin of 64-bit code from Y to X (give or take). That may be, and
IMHO is, an unacceptable change *even if* X is agreed to be adequate,
or anyway the best that can be done for 32-bit.
Fundamentally, my issue here is that there are people right now
depending on this security margin to be Y, so a glibc upgrade should
not silently remove that. It is a compatibility break of the worst
kind: completely invisible in normal operation, but the system no
longer has a property you were counting on to protect you under
abnormal (adversarial) conditions.