[ubuntu-hardened] Probably not in time for Hardy, but just maybe...

Kees Cook kees at ubuntu.com
Thu Mar 27 22:58:59 GMT 2008

On Thu, Mar 27, 2008 at 03:44:25PM -0700, Jeff Schroeder wrote:
> A little security never hurt anyone. If memory serves, these make ASLR
> pretty much complete in Linux. Now you don't need to use PaX for ASLR
> anymore.
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cc503c1b43e002e3f1fed70f46d947e2bf349bb6

This is already in Hardy[1] -- I made sure of it.  Note that to use it,
you need to have a PIE-compiled application to start with (same was true
for PaX).  We don't have a lot of those, but we do have some in Hardy
(ssh and dbus, AFAIR).

> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c1d171a002942ea2d93b4fbd0c9583c56fce0772

This would have been nice to have, except that Jiri already went several
rounds with the PIE patches (for which I was doing testing) that had
various regressions, that I didn't want to introduce the brk offset
randomization too.  This will be in Intrepid though, and hopefully with
PIE builds by default we'll be totally done.  :)


[1] http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/

Kees Cook
Ubuntu Security Team

