On Fri, Mar 02, 2018 at 11:30:28PM +0300, Ilya Smith wrote: > This is a really good question. Lets think we choose address with random-length > guard hole. This length is limited by some configuration as you described. For > instance let it be 1MB. Now according to current implementation, we still may > fill this gap with small allocations with size less than 1MB. Attacker will > going to build attack base on this predictable behaviour - he jus need to spray > with 1 MB chunks (or less, with some expectation). This attack harder but not > impossible. Ah, I didn't mean that. I was thinking that we can change the implementation to reserve 1-N pages after the end of the mapping. So you can't map anything else in there, and any load/store into that region will segfault. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
