microsoftarchive / redis

Redis is an in-memory database that persists on disk. The data model is key-value, but many different kinds of values are supported: Strings, Lists, Sets, Sorted Sets, Hashes
http://redis.io

Enable ASLR #521

Open jmaxxz opened 7 years ago

jmaxxz commented 7 years ago

At present this project is not compiled with the /dynamicbase flag set. This compiler flag should be set in order to reduce the exploitability of buffer overflow vulnerabilities.

https://msdn.microsoft.com/en-us/library/bb384887(v=vs.120).aspx

jepickett commented 7 years ago

This is by design. In order for the fork() emulation to work, there must be a memory section mapped between both forker and forkee that is used for the Redis heap. This section must occupy the same place in the virtual address space of both processes. If ASLR was enabled there would be a good chance that a DLL would be mapped by the loader into the same space as the heap in the forked process. In this case we would not be able to map the heap, and replication operations would fail.

If there was a way of creating a process in Windows while telling the loader to reserve a block of virtual address space, then this problem would be solved. Unfortunately, there is no publicly available API for doing so.

jepickett commented 7 years ago

The only workaround I can think of is to dynamically create a DLL with /FIXED and the right allocation length (BSS section) before the forkee is launched. If this DLL was the first to get loaded, it could effectively create a reservation in the virtual address space. This would then have to be unloaded before the heap was mapped in. There would be a race condition while swapping out the module for the memory section, but otherwise this seems like it would enable the use of ASLR.