922459 – Weakened ASLR on 64-bit systems and non-existent ASLR on 32-bit systems

Bug 922459 - Weakened ASLR on 64-bit systems and non-existent ASLR on 32-bit systems

Summary: Weakened ASLR on 64-bit systems and non-existent ASLR on 32-bit systems

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://zolutal.github.io/aslrnt/
Whiteboard:	A4 [ebuild/upstream]
Keywords:

Depends on:
Blocks:

Reported:	2024-01-19 08:09 UTC by Sam James
Modified:	2024-01-29 15:05 UTC (History)
CC List:	5 users (show)

See Also:	https://github.com/llvm/llvm-project/issues/78354 https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/20 https://github.com/google/sanitizers/issues/1716 https://github.com/llvm/llvm-project/pull/78351 https://github.com/google/sanitizers/issues/1614 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113430 https://launchpad.net/bugs/1983357 https://bugs.debian.org/1024149 https://reviews.llvm.org/D148280 https://reviews.llvm.org/D148193
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2024-01-19 08:09:26 UTC

See the following links:
* https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357
* https://bugs.debian.org/1024149
* https://zolutal.github.io/aslrnt/
* https://lore.kernel.org/linux-mm/ZaVi4ij0jgEz+isx@casper.infradead.org/T/#t

Note that Arch applied config changes (https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/20) which ended up breaking ASAN (https://gcc.gnu.org/PR113430) and MSAN (https://github.com/llvm/llvm-project/issues/78354).

Comment 1 Hans de Graaff gentoo-dev

2024-01-20 09:00:21 UTC

I've set the whiteboard to A4 given that we have an affected kernel (6.1) stable and no real information on which kernels are actually used on Gentoo systems (A) and opted for (4) since this issue in itself weakens security but is not a security issue by itself (if I understand it correctly). Feel free to make changes.

Comment 2 Sam James archtester

2024-01-26 16:36:21 UTC

Huh, there might be another, separate issue in just >=6.7 too: https://lore.kernel.org/linux-mm/ZbOOn0hrKQ_ojM2K@tiehlicka/T/.

(also CCing kernel which I meant to do before.)

Comment 3 Sam James archtester

2024-01-29 15:05:27 UTC

(In reply to Sam James from comment #2)
> Huh, there might be another, separate issue in just >=6.7 too:
> https://lore.kernel.org/linux-mm/ZbOOn0hrKQ_ojM2K@tiehlicka/T/.
> 
> (also CCing kernel which I meant to do before.)

actually, maybe it's fixed by this? https://lore.kernel.org/linux-mm/ZaVi4ij0jgEz+isx@casper.infradead.org/T/#m3ea8977a2aa5bb3f73caff6932de1beef70d050c