Date: Fri, 27 Mar 2015 17:31:13 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-Request: AMD Bulldozer Linux ASLR weakness: Reducing entropy by 87.5%. On Fri, Mar 27, 2015 at 01:11:41PM +0100, Hector Marco wrote: > A bug in Linux ASLR implementation which affects some AMD processors has > been found. The issue affects to all Linux process even if they are not > using shared libraries (statically compiled). Grsecurity/PaX is also > affected. spender's criticism, off Twitter: <grsecurity> This new ASLR "weakness" with big 87.5% claims is a comedy of errors <grsecurity> doesn't get the entropy count right for 32-bit in the email, copy+pasted the wrong entropy counts for grsec/PaX (it's 16, not 8) <grsecurity> Further, the "fix" does absolutely nothing for local attackers and likely nothing for remote attackers either <grsecurity> One leak of *any* library address from *any* service during the boot lifetime gives away the values <grsecurity> And on vanilla kernels which still have no bruteforce protection whatsoever, this is less than a non-issue, & not worth dignifying in grsec Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ