
Bug#1024149: linux-image-amd64: 32-bit mmap() puts large files at non-random address



Package: src:linux
Version: 6.0.8-1
Tags: security
Control: affects -1 + libc6

32-bit mmap() puts large (>= 2 MiB) files at the same address every 
time:

    $ i686-linux-gnu-gcc -static test-mmap.c -o test-mmap
    $ head -c $((2 * 1024 * 1024)) /dev/zero > zeros
    $ for i in 1 2 3; do ./test-mmap < zeros; done
    mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000
    mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000
    mmap(NULL, 2097152, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7c00000

In contrast, for smaller files, there are a few bits of entropy in the
address:

    $ head -c $((2 * 1024 * 1024 - 4096)) /dev/zero > zeros
    $ for i in 1 2 3; do ./test-mmap < zeros; done
    mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d4a000
    mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7db8000
    mmap(NULL, 2093056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 0, 0) = 0xf7d99000

This weakens ASLR for most(?) programs, because libc.so.6 has recently 
become slightly larger than 2 MiB:

    $ wc -c /lib/i386-linux-gnu/libc.so.6
    2225200 /lib/i386-linux-gnu/libc.so.6

    $ for i in 1 2 3; do cat /proc/self/maps | grep ' r-xp .*/libc'; done
    f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068                           /lib/i386-linux-gnu/libc.so.6
    f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068                           /lib/i386-linux-gnu/libc.so.6
    f7c22000-f7d9b000 r-xp 00022000 fd:00 12059068                           /lib/i386-linux-gnu/libc.so.6

Curiously, not all file systems are affected. I could reproduce the bug 
on ext4, but not on tmpfs or unionfs.
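The report compiles a test-mmap.c that is not included in the message. The following is an added reproducer written for this page, not the reporter's file: it maps all of stdin read-only and private, prints the result in the same strace-like format, and provides a helper to count how many distinct base addresses a set of runs produced (1 means the mapping landed at a fixed address). The flag set is an assumption; the report's output shows MAP_DENYWRITE as well, which the kernel ignores.

```c
/* Added reproducer for the 32-bit mmap() placement described above.
 * Build as in the report: i686-linux-gnu-gcc -static test-mmap.c -o test-mmap
 * then run it from several separate processes with the file on stdin.
 * A file-backed mapping whose base never changes across runs has no ASLR. */
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map the whole file behind fd read-only and private, mirroring what the
 * dynamic loader does for libc.so.6.  Returns the base or NULL; the mapped
 * length is stored in *len.  MAP_DENYWRITE (seen in the report) is omitted:
 * modern kernels ignore it. */
void *map_fd_private(int fd, size_t *len)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_size <= 0)
        return NULL;
    *len = (size_t)st.st_size;
    void *p = mmap(NULL, *len, PROT_READ, MAP_PRIVATE, fd, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Number of distinct base addresses observed over n runs.  For the
 * report's >= 2 MiB case this is 1; for the smaller file it is 3 of 3. */
size_t count_distinct(const uintptr_t *addrs, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++)
            if (addrs[j] == addrs[i])
                break;
        if (j == i)
            distinct++;
    }
    return distinct;
}

int main(void)
{
    size_t len;
    void *p = map_fd_private(STDIN_FILENO, &len);
    if (p == NULL) {
        perror("mmap");
        return 1;
    }
    printf("mmap(NULL, %zu, PROT_READ, MAP_PRIVATE, 0, 0) = %p\n", len, p);
    munmap(p, len);
    return 0;
}
```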


-- Package-specific info:
** Version:
Linux version 6.0.0-4-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-9) 12.2.0, GNU ld (GNU Binutils for Debian) 2.39) #1 SMP PREEMPT_DYNAMIC Debian 6.0.8-1 (2022-11-11)


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
Architecture: i386 (x86_64)
Foreign Architectures: amd64

-- 
Jakub Wilk

