1

I am studying ASLR randomization of mmap(), on x86 system. I have read in a lot of places that there are 16bits of randomization on the address loaded with mmap().

But in the source code i have found:

static unsigned long mmap_rnd(void)
02  {
03          unsigned long rnd = 0;
04   
05         /*
06          *  8 bits of randomness in 32bit mmaps, 20 address space bits
07          * 28 bits of randomness in 64bit mmaps, 40 address space bits
08          */
09          if (current->flags & PF_RANDOMIZE) {
10                  if (mmap_is_ia32())
11                          rnd = (long)get_random_int() % (1<<8);
12                  else 
13                          rnd = (long)(get_random_int() % (1<<28));
14          }
15          return rnd << PAGE_SHIFT;
16  }

So, that would be only 8bits of randomness.

But in fact, running some test, i get the following address (stack-heap-mmap) bf937000,09a60000,b774b000

bfa86000,090ef000,b76e2000

Its more than 16 bits if it can be b77XX000 and b76XX000!!!!

Any help on this?

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
El pocho la pantera
  • 505
  • 1
  • 5
  • 17

1 Answers1

2

PAGE_SHIFT is shifting that randomness to a different bit position. The difference between your mmap addresses is indeed:

 b774b000
-b76e2000
---------
    69000

I don't know what the value of PAGE_SHIFT is, but if it's 12 for example, then you have 0x69 difference which perfectly fits in 8-bits.

Shahbaz
  • 46,337
  • 19
  • 116
  • 182
  • Ok, in terms of difference its true, but if you have tu guest the addres of mmap zone, you have to work on more than 16bits... – El pocho la pantera Dec 11 '12 at 22:27
  • Can you verify your spelling before posting? I'm having a bit of a hard time understanding you. I'm assuming `guest` is a typo, but are you trying to _guess_ the address of mmap zone? Why would you want to do that? And what is the problem if that address is more than 16-bits? In fact, why would it be 16-bits on a 32-bit machine? – Shahbaz Dec 11 '12 at 23:02
  • Yes, i was meaning guess. This is a study of stack overflow exploits, you have to know the address of system() function on libc, so if the address is somethin like: 0xb77XX000 (XX because of ASLR), its ok, it will take 2^16 attempts on a brute force attack. – El pocho la pantera Dec 11 '12 at 23:24