Bug 89591 - VDSO randomization not very random
Summary: VDSO randomization not very random
Status: NEW
Alias: None
Product: Other
Classification: Unclassified
Component: Other
Hardware: All Linux
: P1 normal
Assignee: other_other
URL: http://v0ids3curity.blogspot.in/2014/...
Keywords:
Depends on:
Blocks:
Reported: 2014-12-11 17:22 UTC by Hanno Boeck
Modified: 2014-12-20 00:44 UTC

See Also:
Kernel Version: 3.17.4
Tree: Mainline
Regression: No



Description Hanno Boeck 2014-12-11 17:22:24 UTC
With current Linux kernels it seems the address randomization for loading the vdso library is not that random and can easily be brute-forced.

This can easily be demonstrated. Get libvdso address from one executable:
$ ldd /usr/bin/less|grep vdso
	linux-vdso.so.1 (0x00007fff73bfe000)

Now run ldd multiple times and check if the same address appears:
c=0; while true; do c=$((c+1)); if ldd /usr/bin/less | grep 0x00007fff73bfe000; then echo "$c"; fi; done

It usually takes only a few seconds and around 1000-2000 tries until the loading address is repeated (note that results may vary; the randomization seems biased, as some values repeat more often than others).

This information is mostly from this blog entry:
http://v0ids3curity.blogspot.in/2014/12/return-to-vdso-using-elf-auxiliary.html
And here's a thread on oss-security discussing the issue:
http://www.openwall.com/lists/oss-security/2014/12/09/10

The latest version of paxtest added a check for this that guesses the randomness of vdso:
https://grsecurity.net/~spender/paxtest-0.9.13.tar.gz
$ ./randvdso
VDSO randomisation test                  : 11 quality bits (guessed)
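A way to put numbers on what the ldd loop above shows, as an added example that is neither the reporter's nor paxtest's code: spawn fresh processes, read each one's [vdso] base from /proc/self/maps instead of parsing ldd output, and report how many address bits actually vary, how evenly the values are distributed, and at which try the first repeat occurs. The varying-bit count and Shannon entropy are my own rough measures, not the method paxtest's randvdso uses.

```python
import math
import subprocess
from collections import Counter


def vdso_base_of_new_process():
    """Spawn one fresh process and return the base address of its [vdso]
    mapping, or None if there is no such mapping (e.g. on non-Linux)."""
    maps = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                          text=True, check=True).stdout
    for line in maps.splitlines():
        if line.endswith("[vdso]"):
            return int(line.split("-", 1)[0], 16)
    return None


def sample_vdso_bases(n):
    """Collect the vdso base address from n freshly spawned processes."""
    bases = (vdso_base_of_new_process() for _ in range(n))
    return [b for b in bases if b is not None]


def randomness_report(samples):
    """Summarise how random a list of load addresses looks.

    varying_bits: address bits that differ between samples, an upper bound on
    the randomised bits. shannon_bits: entropy of the observed distribution,
    which falls below varying_bits when some addresses recur more often than
    others (the bias noted in the report). first_repeat_try: 1-based index of
    the first sample whose address was already seen."""
    n = len(samples)
    counts = Counter(samples)
    varying = 0
    for s in samples[1:]:
        varying |= s ^ samples[0]
    shannon = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    seen, first_repeat = set(), None
    for i, s in enumerate(samples, start=1):
        if s in seen:
            first_repeat = i
            break
        seen.add(s)
    return {"samples": n, "distinct": len(counts),
            "varying_bits": bin(varying).count("1"),
            "shannon_bits": shannon, "first_repeat_try": first_repeat}


if __name__ == "__main__":
    print(randomness_report(sample_vdso_bases(2000)))
```

With a few thousand samples, a varying_bits figure far below the pointer width, or a Shannon value well below varying_bits, is the condition the report describes.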
Comment 1 Andy Lutomirski 2014-12-20 00:44:58 UTC
Hopefully this is a good enough improvement:

https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/commit/?h=x86/vdso&id=bc3b94c31d65e761ddfe150d02932c65971b74e2
