From: Stephen Hemminger <stephen@networkplumber.org>
To: Yang Ming <ming.1.yang@nokia-sbell.com>
Cc: Anatoly Burakov <anatoly.burakov@intel.com>,
dev@dpdk.org, stable@dpdk.org
Subject: Re: [PATCH] eal/linux: enhance ASLR verification
Date: Wed, 12 Mar 2025 09:29:22 -0700 [thread overview]
Message-ID: <20250312092922.32412cd7@hermes.local> (raw)
In-Reply-To: <82920758-20eb-442c-a62b-a3babb65bfa7@nokia-sbell.com>
On Wed, 12 Mar 2025 11:13:27 +0800
Yang Ming <ming.1.yang@nokia-sbell.com> wrote:
> On 2025/3/11 05:43, Stephen Hemminger wrote:
> > Caution: This is an external email. Please be very careful when clicking links or opening attachments. See http://nok.it/nsb for additional information.
> >
> > On Fri, 28 Feb 2025 17:44:04 +0800
> > Yang Ming <ming.1.yang@nokia-sbell.com> wrote:
> >
> >> This change ensures that the current process is checked for
> >> being run with 'setarch' before verifying the value of
> >> '/proc/sys/kernel/randomize_va_space'. The '-R' or
> >> '--addr-no-randomize' parameter of the 'setarch' command is used
> >> to disable the randomization of the virtual address space.
> >>
> >> Fixes: af75078fece3 ("first public release")
> >> Cc: stable@dpdk.org
> >>
> >> Signed-off-by: Yang Ming <ming.1.yang@nokia-sbell.com>
> > Looks good, I wonder if the personality() check can supersede the need
> > to reference sysfs here?
> >
> Hi Stephen,
>
> Thank you for your feedback. The personality() check is indeed a useful
> addition to determine if the current process is executed with the
> ADDR_NO_RANDOMIZE flag set, which can disable ASLR (Address Space Layout
> Randomization).
>
> However, relying solely on the personality() check may not be sufficient
> in all scenarios. The personality() function checks the attributes of
> the current process, but it does not provide information about the
> system-wide ASLR settings, which are typically controlled via sysfs
> (/proc/sys/kernel/randomize_va_space). The sysfs file
> RANDOMIZE_VA_SPACE_FILE indicates the global ASLR setting for the entire
> system, which can affect all processes.
>
> By including both checks, we ensure comprehensive coverage:
> 1. The personality() check verifies if the current process has ASLR
> disabled.
> 2. The sysfs reference checks the global ASLR setting, which affects all
> processes.
>
> Therefore, while the personality() check is valuable, it does not
> entirely supersede the need to reference sysfs. Both checks together
> provide a more robust determination of ASLR status.
>
>
> Brs,
> Yang Ming
I wonder if EAL should have --no-aslr flag and call personality itself?
Maybe not since it would have to happen early before other areas are mapped.
next prev parent reply other threads:[~2025-03-12 16:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-28 9:44 Yang Ming
2025-03-10 21:43 ` Stephen Hemminger
2025-03-12 3:13 ` Yang Ming
2025-03-12 16:29 ` Stephen Hemminger [this message]
2025-03-13 5:52 ` [External] " Yang Ming
2025-03-12 16:22 ` Stephen Hemminger
2025-03-13 6:19 ` [PATCH v2] eal/linux: improve ASLR check Yang Ming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250312092922.32412cd7@hermes.local \
--to=stephen@networkplumber.org \
--cc=anatoly.burakov@intel.com \
--cc=dev@dpdk.org \
--cc=ming.1.yang@nokia-sbell.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).