Re: Limited/Broken functionality of ASLR for Libs >= 2MB

On Mon, Jan 15, 2024 at 04:40:36PM +0000, Sam James wrote:
> mail@xxxxxxxxxx writes:
> > Hey, I read that ASLR is currently (since kernel >=5.18) broken for
> > 32bit libs and reduced in effectiveness for 64bit libs... (the issue
> > only arises if a lib is over 2MB).
> > I confirmed this for myself but only for the 64bit case.
> >
> > I saw that this issue is being tracked by Ubuntu
> > (https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357).
> > If this is the wrong place and I should instead report it elsewhere I
> > am very sorry.
> 
> See also https://bugs.debian.org/1024149. Unfortunately, I don't
> think the issue found its way upstream until now (thanks).
> 
> CCing relevant maintainers (per the Debian bug).

You know, my email address is all over that commit and the doofus who
"discovered the vulnerability" didn't even have the courtesy to let
me know.  I've had several private emails about this over the last few
days and I just don't care.  Who's running 32-bit code and cares about
security?  32-bit kernels are known-vulnerable to all kinds of security
problems, and I think this is the least of your worries.

This was intended to happen, it's not a surprise.
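
Added example, not part of the original message or of any kernel code: one way to check on your own host how much of a library's load address actually varies, by comparing its base address in `/proc/<pid>/maps` across several process launches. The maps excerpt and both address lists are constructed for illustration; one list is 2 MiB aligned and the other only page aligned, which is an assumption made here to show what the two outcomes look like.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample of one process's maps (not captured from a real system).
SAMPLE_MAPS = """\
7f3a1c200000-7f3a1c228000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c228000-7f3a1c3bd000 r-xp 00028000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c600000-7f3a1c623000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libsmall.so
7ffd0a1e0000-7ffd0a201000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed base addresses of one library over four launches.
ALIGNED_BASES = [0x7f3a1c200000, 0x7f91e4600000, 0x7fc25aa00000, 0x7f05d3c00000]
PAGE_BASES = [0x7f3a1c2a3000, 0x7f91e4617000, 0x7fc25aa5c000, 0x7f05d3c88000]


def lib_base(maps_text, lib_name):
    """Lowest start address of the mappings whose file name contains lib_name."""
    starts = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and lib_name in m.group(3).rsplit("/", 1)[-1]:
            starts.append(int(m.group(1), 16))
    return min(starts) if starts else None


def summarize(bases):
    """Report which address bits differed between the sampled base addresses."""
    mask = 0
    for b in bases[1:]:
        mask |= bases[0] ^ b          # any bit that ever differs from sample 0
    lowest = (mask & -mask).bit_length() - 1 if mask else None
    return {
        "mask": mask,
        "bits": bin(mask).count("1"),  # number of bit positions seen to vary
        "lowest_bit": lowest,          # 12 = page granularity, 21 = 2 MiB
        "distinct": len(set(bases)),
    }


if __name__ == "__main__":
    print(hex(lib_base(SAMPLE_MAPS, "libc.so")))
    for name, bases in (("2 MiB aligned", ALIGNED_BASES), ("page aligned", PAGE_BASES)):
        print(name, summarize(bases))
```

With real data, collect one base address per fresh process launch; a `lowest_bit` of 21 means bits 12 to 20 of the base never changed in the sample, and a mask of 0 means the base did not move at all.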



