I know the `ulimit -s unlimited` trick (to fix the address of libc), but I don't understand the fact behind it. Could anyone help me with an explanation? Thx
According to the bash manual page:

> ulimit provides control over the resources available to the shell and to processes started by it, on systems that allow such control.

The `-s` flag defines the maximum stack size. So `ulimit -s unlimited` removes the maximum limit of the stack size, and this enables the legacy mmap function.

According to Hexcellent:

> On 32 bit systems “ulimit -s unlimited” disables the randomization of the mmap()-ing because of the following code in the kernel at arch/x86/mm/mmap.c:
```c
static int mmap_is_legacy(void)
{
        if (current->personality & ADDR_COMPAT_LAYOUT)
                return 1;

        if (rlimit(RLIMIT_STACK) == RLIM_INFINITY)
                return 1;

        return sysctl_legacy_va_layout;
}
```

Ortomala Lokni
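As an added illustration (not part of the answer above or of the kernel source), the program below mirrors the quoted `mmap_is_legacy()` decision in userspace so you can check, on a given shell, whether the three conditions the kernel tests (the `ADDR_COMPAT_LAYOUT` personality bit, an unlimited `RLIMIT_STACK`, and the `kernel.legacy_va_layout` sysctl) would select the legacy, non-randomised mmap layout. The function `mmap_is_legacy_for()` and the path `/proc/sys/kernel/legacy_va_layout` are this example's own choices; the rule it encodes is exactly the snippet in the answer, and whether a particular kernel version still applies it must be confirmed against that kernel's `arch/x86/mm/mmap.c`.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/personality.h>
#include <sys/resource.h>

/* Userspace mirror of the kernel's mmap_is_legacy() as quoted in the answer:
 * returns 1 when the legacy (non-randomised) mmap base layout would be chosen,
 * 0 when the top-down layout with mmap randomisation would be used.
 * Pure function: all three inputs are passed in so it can be tested offline. */
int mmap_is_legacy_for(unsigned long persona, rlim_t stack_limit, int sysctl_legacy)
{
    if (persona & ADDR_COMPAT_LAYOUT)      /* e.g. setarch -L / ADDR_COMPAT_LAYOUT */
        return 1;
    if (stack_limit == RLIM_INFINITY)      /* the "ulimit -s unlimited" case */
        return 1;
    return sysctl_legacy != 0;             /* kernel.legacy_va_layout sysctl */
}

/* Reads kernel.legacy_va_layout from procfs (assumed path); -1 if unreadable. */
int read_legacy_va_layout(void)
{
    FILE *f = fopen("/proc/sys/kernel/legacy_va_layout", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Applies the rule to the calling process using its real personality,
 * its soft RLIMIT_STACK (what the kernel's rlimit() helper reads) and the
 * sysctl value. Returns 1/0 like the kernel, or -1 if a query fails. */
int current_process_is_legacy(void)
{
    struct rlimit rl;
    int persona = personality(0xffffffff);  /* query only, does not change it */
    int sysctl_legacy = read_legacy_va_layout();

    if (persona == -1 || getrlimit(RLIMIT_STACK, &rl) != 0)
        return -1;
    if (sysctl_legacy < 0)
        sysctl_legacy = 0;  /* assume the default (0) when the sysctl is unreadable */
    return mmap_is_legacy_for((unsigned long)persona, rl.rlim_cur, sysctl_legacy);
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) == 0) {
        if (rl.rlim_cur == RLIM_INFINITY)
            printf("RLIMIT_STACK (soft): unlimited\n");
        else
            printf("RLIMIT_STACK (soft): %llu bytes\n", (unsigned long long)rl.rlim_cur);
    }

    int legacy = current_process_is_legacy();
    if (legacy < 0) {
        perror("query failed");
        return 1;
    }
    printf("%s\n", legacy
        ? "legacy mmap layout would be selected (mmap base not randomised under this rule)"
        : "top-down layout would be selected (mmap base randomised)");
    return 0;
}
```

Running it once from a normal shell and once after `ulimit -s unlimited` shows the switch between the two outcomes; reviewing the `RLIMIT_STACK` of long-running services (for instance via `/proc/<pid>/limits`) is the corresponding check for processes you did not start yourself.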
- `ulimit -s unlimited` only disables randomization of mmap() but not stack randomization, right? – xyz Jun 06 '16 at 12:27
- This article also seems to minimize the data limit (`ulimit -d 1`) - can you explain what that command was called to achieve? https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html – Arioch 'The Dec 02 '19 at 15:59