KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

x86_64: move vdso to mmap region from stack region #280

Open thestinger opened 1 year ago

thestinger commented 1 year ago

x86_64 unnecessarily places the vdso at a random low-entropy offset from the stack instead of simply putting it in the mmap region where position-independent executables and dynamic libraries loaded by the linker are placed. There should not be executable code at a low-entropy offset from the stack, since the stack and executable code having separate randomization is part of what makes ASLR stronger. It makes sense to have a separate base or multiple separate bases for the malloc heap from executable code, but this does not help and it's not up to the kernel to provide it. Ready-to-go patch from linux-hardened with no known compatibility issues:

https://github.com/anthraxx/linux-hardened/commit/54a53f4234e10f942de809f9c76701d2f6186085.patch
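A way to observe the layout this issue describes, as an added example that is not part of the original thread or of the linked patch: the C program below parses `/proc/<pid>/maps` text and reports whether `[vdso]` sits closer to `[stack]` than to any file-backed mapping. The function names, the "closer to the stack than to any file-backed mapping" heuristic and both sample maps are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned long long u64;
/* Constructed /proc/<pid>/maps excerpts, not captured from a real system. */
static const char STACK_RELATIVE[] =   /* vdso at a small offset from the stack */
    "7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 131 /usr/lib/libc.so.6\n"
    "7ffc5a2e0000-7ffc5a301000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffc5a3f8000-7ffc5a3fa000 r-xp 00000000 00:00 0 [vdso]\n";
static const char MMAP_REGION[] =      /* vdso placed next to the libraries */
    "7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 131 /usr/lib/libc.so.6\n"
    "7f3a1c1f4000-7f3a1c1f6000 r-xp 00000000 00:00 0 [vdso]\n"
    "7ffc5a2e0000-7ffc5a301000 rw-p 00000000 00:00 0 [stack]\n";

static u64 range_gap(u64 s1, u64 e1, u64 s2, u64 e2)  /* bytes between two ranges */
{ return s1 >= e2 ? s1 - e2 : s2 >= e1 ? s2 - e1 : 0; }

/* Parse the maps line at *pp and advance past it; returns 0 at end of input. */
static int next_map(const char **pp, u64 *s, u64 *e, char *name)
{
    char line[512]; size_t n = strcspn(*pp, "\n");
    if (**pp == '\0') return 0;
    snprintf(line, sizeof line, "%.*s", (int)n, *pp);   /* isolate one line */
    *pp += n + ((*pp)[n] == '\n');
    if (sscanf(line, "%llx-%llx %*s %*s %*s %*s %255s", s, e, name) < 3) name[0] = '\0';
    return 1;
}

/* 1: [vdso] is closer to [stack] than to any file-backed mapping; 0: it is
 * closer to a file-backed mapping (mmap region); -1: [vdso] or [stack] missing. */
int vdso_near_stack(const char *maps, u64 *stack_gap)
{
    u64 s, e, vs = 0, ve = 0, ss = 0, se = 0, file_gap = ~0ULL, g;
    const char *p = maps; char name[256];
    while (next_map(&p, &s, &e, name)) {          /* pass 1: locate both ranges */
        if (!strcmp(name, "[vdso]"))  { vs = s; ve = e; }
        if (!strcmp(name, "[stack]")) { ss = s; se = e; }
    }
    if (!ve || !se) return -1;
    for (p = maps; next_map(&p, &s, &e, name); )  /* pass 2: nearest file mapping */
        if (name[0] == '/' && (g = range_gap(vs, ve, s, e)) < file_gap) file_gap = g;
    *stack_gap = range_gap(vs, ve, ss, se);
    return *stack_gap < file_gap;
}

int main(void)
{
    u64 g;
    printf("stack-relative sample: %d\n", vdso_near_stack(STACK_RELATIVE, &g));
    printf("mmap-region sample:    %d\n", vdso_near_stack(MMAP_REGION, &g));
}
```

To check a live process, read its `/proc/<pid>/maps` into a buffer and pass that to `vdso_near_stack()`; comparing the reported gap across many runs shows how little the vdso moves relative to the stack.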

kees commented 9 months ago

Yeah, this is what arm64 already does. Less code, better ASLR. That's a rare change. :)

kees commented 9 months ago

Sent: https://lore.kernel.org/linux-hardening/20240210091827.work.233-kees@kernel.org