On 4.1.2021 17.53, Topi Miettinen wrote:
Writing a new value of 3 to /proc/sys/kernel/randomize_va_space
enables full randomization of memory mappings. With 2, the base of the
VMA used for such mappings is random, but the mappings are created in
predictable places within the VMA and in sequential order. With 3, new
VMAs are created to fully randomize the mappings.
Mappings created with mmap(NULL, ...) are randomized and mremap(...,
MREMAP_MAYMOVE) will move the mappings even if not necessary. The
locations of heap (memory allocated with brk()), stack and vdso are
also randomized.
It seems that always moving the mappings in mremap() can expose bugs
where the callers don't actually expect the mappings to move, even
though MREMAP_MAYMOVE is specified (Debian libapt-pkg6.0):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980037
Perhaps this part should be a separate option to avoid tripping such
bugs when compatibility is more important than improved ASLR and
debugging. The option could also be used without randomize_va_space==3.
How about something like sysctl.kernel.mremap_always_move,
sysctl.vm.mremap_always_move or CONFIG_MREMAP_ALWAYS_MOVE?
-Topi
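The libapt-pkg failure mode above is a caller that keeps using the pre-mremap() pointer, which only works as long as the kernel happens to grow the mapping in place. The following is an added example, not part of this message or of any kernel patch: a C test that uses mremap(MREMAP_MAYMOVE) the way a caller must if the kernel is free to (or always does) relocate, and that can force a relocation on any kernel by mapping a constructed blocker page behind the region. The function name `grow_mapping_check` is hypothetical.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MREMAP_MAYMOVE   /* fallback if feature macros were set too late */
#define MREMAP_MAYMOVE 1
extern void *mremap(void *, size_t, size_t, int, ...);
#endif

/* Grow an anonymous mapping from old_pages to new_pages with
 * mremap(MREMAP_MAYMOVE).  The rule this demonstrates: once mremap()
 * returns, the old pointer is dead; only the returned pointer may be used.
 * With force_move set, a blocker page is mapped directly behind the region
 * so in-place growth is impossible and the kernel must relocate, which
 * reproduces the always-move behaviour proposed above on any kernel.
 * Returns 0 on failure, 1 if contents are intact and the mapping stayed in
 * place, 2 if contents are intact and the mapping was relocated. */
int grow_mapping_check(size_t old_pages, size_t new_pages, int force_move)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t old_len = old_pages * page, new_len = new_pages * page;
    size_t map_len = old_len + (force_move ? page : 0);
    int ok = 1;

    unsigned char *old = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (old == MAP_FAILED)
        return 0;
    memset(old, 0xA5, old_len);          /* constructed marker pattern */

    unsigned char *cur = mremap(old, old_len, new_len, MREMAP_MAYMOVE);
    if (cur == MAP_FAILED) {
        munmap(old, map_len);
        return 0;
    }
    /* A buggy caller keeps dereferencing `old` here; when the mapping was
     * relocated that range is already unmapped.  Correct code, as below,
     * touches only `cur`.  Old bytes must survive, the new tail is zero. */
    for (size_t i = 0; i < new_len && ok; i++)
        ok = (cur[i] == (i < old_len ? 0xA5 : 0));

    munmap(cur, new_len);
    if (force_move)
        munmap(old + old_len, page);     /* release the blocker page */
    if (!ok)
        return 0;
    return cur == old ? 1 : 2;
}
```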