On Mon, Aug 7, 2017 at 12:40 PM, Kostya Serebryany <kcc@xxxxxxxxxx> wrote:
>
>
> On Mon, Aug 7, 2017 at 12:34 PM, Kees Cook <keescook@xxxxxxxxxx> wrote:
>>
>> (To be clear, this subthread is for dealing with _future_ changes; I'm
>> already preparing the revert, which is in the other subthread.)
>>
>> On Mon, Aug 7, 2017 at 12:26 PM, Kostya Serebryany <kcc@xxxxxxxxxx> wrote:
>> > Oh, a launcher (e.g. just using setarch) would be a huge pain to deploy.
>>
>> Would loading the executable into the mmap region work?
>
> This is beyond my knowledge. :(
> Could you explain?

PIE has a separate randomization base (before at 0x5555 5555 4000,
currently 0x1 0000 0000) from the mmap (DSO) area (0x7f00 0000
0000-ish). The primary reason to keep PIE separate from mmap is to
avoid leaking ASLR offsets between them, but if that's less of a
concern for *San, then we could just load PIE into the mmap region.

> If we can do this w/o a launcher (and w/o re-executing), we should try.

Let me think about the best way to do this...

-Kees

--
Kees Cook
Pixel Security
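The layout point Kees describes (a PIE base that is separate from the mmap/DSO area, versus a PIE loaded into the mmap area next to the shared libraries) can be checked from /proc/<pid>/maps. The script below is an added example written for this page; it is not code from the thread, the kernel, or the sanitizer project. It parses constructed maps lines (not captured from a real process), reports which region the main executable's lowest mapping landed in, and reports the distance to the nearest DSO base. The region thresholds and the two PIE base constants are taken from the mail's x86_64 numbers; the "0x7f..." boundary is an assumption, approximating the mail's "0x7f00 0000 0000-ish".

```python
"""Audit where a PIE executable landed relative to the mmap/DSO area.

Added example for this page (not from the linux-mm thread or the kernel).
All maps text below is constructed; thresholds mirror the x86_64 values
quoted in the mail and are assumptions, not kernel-derived constants.
"""
import re
import textwrap
from dataclasses import dataclass
from typing import Dict, List, Optional

OLD_PIE_BASE = 0x5555_5555_4000      # ELF_ET_DYN_BASE "before", per the mail
NEW_PIE_BASE = 0x1_0000_0000         # "currently" (4 GiB), per the mail
MMAP_AREA_START = 0x7F00_0000_0000   # assumed lower edge of the DSO area

# Fields of a /proc/<pid>/maps line: address range, perms, offset, dev, inode, path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format text; blank lines are skipped, anything else must match."""
    maps: List[Mapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], m["path"].strip()))
    return maps


def base_of(maps: List[Mapping], path: str) -> Optional[int]:
    """Lowest start address of all mappings backed by `path` (the load base)."""
    starts = [m.start for m in maps if m.path == path]
    return min(starts) if starts else None


def dso_bases(maps: List[Mapping]) -> Dict[str, int]:
    """Load base of every shared object, keyed by path (".so" heuristic)."""
    bases: Dict[str, int] = {}
    for m in maps:
        if ".so" in m.path:
            bases[m.path] = min(bases.get(m.path, m.start), m.start)
    return bases


def region_of(addr: int) -> str:
    """Classify an address against the assumed mmap/DSO boundary."""
    return "mmap/DSO area" if addr >= MMAP_AREA_START else "separate PIE base"


def nearest_dso_gap(exe_base: int, bases: Dict[str, int]) -> Optional[int]:
    """Distance from the executable base to the closest DSO base, if any."""
    return min(abs(exe_base - b) for b in bases.values()) if bases else None


def audit(maps_text: str, exe_path: str) -> dict:
    """Summarise where `exe_path` was loaded and how close the DSOs are."""
    maps = parse_maps(maps_text)
    base = base_of(maps, exe_path)
    if base is None:
        raise ValueError(f"{exe_path} not found in maps")
    return {
        "exe_base": base,
        "region": region_of(base),
        "gap_to_nearest_dso": nearest_dso_gap(base, dso_bases(maps)),
    }


# Constructed sample: PIE at the 4 GiB base, DSOs up in the 0x7f... area.
SEPARATE_BASE_MAPS = textwrap.dedent("""\
    100000000-100001000 r--p 00000000 08:01 1234 /usr/bin/example
    100001000-100002000 r-xp 00001000 08:01 1234 /usr/bin/example
    7f3a1c000000-7f3a1c1e2000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
    7f3a1c3a0000-7f3a1c3c8000 r-xp 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
    7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
    ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
""")

# Constructed sample: the same PIE loaded into the mmap area beside the DSOs.
MMAP_REGION_MAPS = textwrap.dedent("""\
    7f3a1c000000-7f3a1c1e2000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
    7f3a1c3a0000-7f3a1c3c8000 r-xp 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
    7f3a1c400000-7f3a1c401000 r--p 00000000 08:01 1234 /usr/bin/example
    7f3a1c401000-7f3a1c402000 r-xp 00001000 08:01 1234 /usr/bin/example
    7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
""")

if __name__ == "__main__":
    for label, text in (("separate base", SEPARATE_BASE_MAPS),
                        ("in mmap area", MMAP_REGION_MAPS)):
        r = audit(text, "/usr/bin/example")
        print(f"{label}: base=0x{r['exe_base']:x} region={r['region']} "
              f"gap=0x{r['gap_to_nearest_dso']:x}")
```

Run on a live process by reading /proc/<pid>/maps into `audit()` with the executable's resolved path. The gap figure is what the mail's "leaking ASLR offsets" concern is about: with a separate base the executable-to-DSO distance is itself randomized, whereas inside the mmap area the two bases are placed by the same allocator, so knowing one narrows the other.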