Address Space Layout Randomization (ASLR) and mmap


Problem description

I expect that due to Address Space Layout Randomization (ASLR) a process forked from another process will have different addresses returned when calling mmap. But as I found out, that was not the case. I made the following test program for that purpose. All the addresses returned by malloc are exactly the same for the parent and the child. Note that the malloc for cl1, cl2, pl1, pl2 internally uses mmap because they are large blocks.

So, my question is: why is mmap not returning different addresses even in the presence of ASLR? Maybe it's because the seed for randomization here is the same for the original and forked process. Or is there any other reason?

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main()
{
  pid_t pid = fork();          /* child gets a copy of the parent's address space */
  if (pid < 0)
  {
    perror("fork");
    return 1;
  }

  if (pid == 0)                // child
  {
    void * c1 = malloc( 4096 );          // small blocks: served from the heap (brk)
    void * c2 = malloc( 4096 );

    void * cl1 = malloc( (long)512e3 ); // internally uses mmap
    void * cl2 = malloc( (long)512e3 ); // internally uses mmap

    printf( "c1 = %p, c2 = %p, cl1 = %p, cl2 = %p!\n", c1, c2, cl1, cl2 );
  }
  else                         // parent
  {
    void * p1 = malloc( 4096 );
    void * p2 = malloc( 4096 );

    void * pl1 = malloc( (long)512e3 ); // internally uses mmap
    void * pl2 = malloc( (long)512e3 ); // internally uses mmap

    printf( "p1 = %p, p2 = %p, pl1 = %p, pl2 = %p!\n", p1, p2, pl1, pl2 );
  }

  return 0;
}

Recommended answer

ASLR mainly randomizes the distance from the top of user-space address space down to the stack, and the distance from the bottom of stack-reserved space to the first mmap (which is probably the mapping of the dynamic linker). Any further randomization would have serious fragmenting effects on the virtual memory space, and thus would break programs that need to make large mmaps (e.g. a 1-2 GB mapping on a 32-bit machine).

I have seen some Linux distros ship patched kernels that perform much more randomization on the addresses returned by mmap. Some of them even give you mappings overlapping with the space reserved for the stack to expand into, and then when the stack grows it clobbers your mapping (resulting in a huge gaping security hole, much bigger than anything non-random address assignments could have caused). Stay away from these hacks.
