[PATCH v2 0/4] Improved ASLR

Rich Felker dalias@libc.org
Wed Dec 2 23:09:38 GMT 2020 

On Sat, Nov 28, 2020 at 01:59:41PM +0200, Topi Miettinen via Libc-alpha wrote:
> Problem with using sbrk() for allocations is that the location of the
> memory is relatively predicatable since it's always located next to
> data segment. This series makes the tunables system, malloc() and TCB
> use mmap() instead, except when instructed by tunable
> glibc.malloc.use_sbrk.

The above description is contrary to present reality on Linux. With
kernel.randomize_va_space=2 (default), the brk area starts at a
randomize gap above end of data/bss. This is *stronger* ASLR than
mmap, which aside from the initial gap, generally appears just below
the previous map and thereby at a predictable offset from an anchor in
a shared library.

Rich


> In this version, mmap() is also used for temporary storage for
> tunables environment variable. Since the tunable to select using
> sbrk() is unavailable at that point of time, mmap() is always
> used. mmap() and mmap_noerrno() (other functions use this suffix) have
> been refactored (Adhemerval Zanella), there's also a version for Hurd.
> 
> Topi Miettinen (4):
>   csu: randomize location of TCB
>   malloc: use mmap() to improve ASLR
>   dl-sysdep: disable remaining calls to sbrk()
>   tunables: use mmap() instead of sbrk()
> 
>  csu/libc-tls.c                               | 40 ++++++++++++++++----
>  elf/dl-sysdep.c                              | 11 +++++-
>  elf/dl-tunables.c                            |  9 +++--
>  elf/dl-tunables.list                         |  7 ++++
>  include/sys/mman.h                           |  5 +++
>  malloc/arena.c                               | 11 +++++-
>  malloc/morecore.c                            | 10 +++++
>  manual/tunables.texi                         |  5 +++
>  sysdeps/mach/hurd/dl-sysdep.c                | 18 +++++++--
>  sysdeps/unix/sysv/linux/dl-sysdep.c          | 10 +++++
>  sysdeps/unix/sysv/linux/mmap.c               | 30 ++++++++++++---
>  sysdeps/unix/sysv/linux/mmap64.c             | 23 ++++++++---
>  sysdeps/unix/sysv/linux/mmap_internal.h      |  2 +-
>  sysdeps/unix/sysv/linux/s390/mmap_internal.h |  2 +-
>  14 files changed, 154 insertions(+), 29 deletions(-)
> 
> 
> base-commit: aa69f19a937b679816ef10e8620ea1141bb1734b
> -- 
> 2.29.2

More information about the Libc-alpha mailing list