# Full Report
Address Space Layout Randomization (ASLR) is a security protection that randomizes the addresses of a process. By doing this, it requires exploits to have an information leak or to get really lucky guessing. ASLR was one of the original memory corruption protections added to programs back in the day.

In the post, the author discusses an issue with ASLR on Linux and how they came across it. While hacking on a CTF challenge, they stumbled across ASLR not working. From talking to a friend, they noticed that it only happened with libraries 2MB in size or larger. On 32 bits, it didn't work at all. On 64 bits, many of the bits weren't randomized. But why?

It must be huge pages if it's 2MB! Virtual address mappings are typically made with 4KB pages. However, where better cache hit rates are wanted, huge pages of 2MB can be used. Instead of being 12-bit aligned like 4KB pages, huge pages are 21-bit aligned. Years ago, some file systems moved to using thp_get_unmapped_area() for backing memory. This function recently had a change that makes allocations larger than 2MB use huge pages instead. Boom, that's the issue! The missing bits come from this: a larger alignment is needed than with 4KB pages, and the larger page size cost much of the randomness.

In order to fix this, Ubuntu increased the number of random bits in an address for 64-bit and 32-bit, giving a lot of the randomness back. Overall, a look into accidentally discovering an ASLR issue on Linux.
# Analysis Summary
# Vulnerability: ASLR Entropy Regression via Huge Page Alignment
## CVE Details
- **CVE ID**: Not explicitly assigned in the article (Tracked in Ubuntu as Bug #1983357).
- **CVSS Score**: N/A (Estimated Medium/High based on exploit primitive enhancement).
- **CWE**: CWE-330: Use of Insufficiently Random Values.
## Affected Systems
- **Products**: Linux Kernel (Distributions including Ubuntu, Arch, Fedora, and Debian).
- **Versions**: Kernel versions >= 5.18.
- **Filesystems**: ext4, ext2, btrfs, xfs, and FUSE.
- **Configurations**: Systems running libraries equal to or larger than 2MB in size.
## Vulnerability Description
The flaw stems from a change in how the Linux kernel handles memory mapping for large files. To improve cache performance, certain filesystems began using `thp_get_unmapped_area()` to back memory via Transparent Huge Pages (THP).
When a library is 2MB or larger, the kernel forces a 21-bit alignment (matching the 2MB Huge Page size) instead of the standard 12-bit alignment used for 4KB pages. This requirement discards 9 bits of entropy. On 64-bit systems, randomness is reduced from 28 bits to 19 bits. On 32-bit systems, where entropy is already limited, this alignment requirement can effectively zero out all available randomization, rendering ASLR non-functional for those libraries.
## Exploitation
- **Status**: PoC available (demonstrated via memory map analysis).
- **Complexity**: Low (The predictability is inherent in the memory allocation).
- **Attack Vector**: Local (Requires the ability to execute code or leverage an information leak to bypass protections).
## Impact
- **Confidentiality**: Low (Does not directly leak data, but facilitates bypass of memory protections).
- **Integrity**: Medium (Significantly eases the exploitation of memory corruption vulnerabilities).
- **Availability**: None.
## Remediation
### Patches
- **Ubuntu 24.04 (Noble)**: A commit (ID: `760c2b1fa1f5e95be1117bc7b80afb8441d4b002`) has been identified that increases the `mmap_rnd_bits` to compensate for the lost entropy.
- **Other Distros**: Users should update to the latest stable kernel versions as fixes are being integrated into upstream/distribution-specific trees.
### Workarounds
- No software-level workaround is provided other than increasing `mmap_rnd_bits` via sysctl (e.g., `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits`) if supported by the specific kernel build.
## Detection
- **Indicators of Compromise**: Not applicable, as this is a structural weakness.
- **Detection Methods**:
  - Check for repeated base addresses in `/proc/[pid]/maps` for libraries > 2MB (e.g., `libc`).
  - Observe whether base addresses consistently end in `00000` (hex) with an even digit in front of it, i.e. the low 21 bits are zero, indicating 21-bit alignment.
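The two checks above can be automated. The following is an added example, not code from the original article or the Ubuntu bug report: it parses `/proc/<pid>/maps`-style lines, finds each library's lowest mapped address, reports how many low address bits are forced to zero across several runs, and computes the effective ASLR entropy once an alignment constraint eats into `mmap_rnd_bits`. The `SAMPLE_RUNS` data, the library names and the 28-bit figure used in the final print are constructed sample values; the 4KB/2MB shifts (12 and 21 bits) are the ones the article describes.

```python
"""Spot huge-page-aligned library bases in /proc/<pid>/maps output.

Added example, not code from the original article or the Ubuntu bug report.
"""
import re
from collections import defaultdict

# Layout of one /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+(?P<offset>[0-9a-f]+)"
    r"\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>\S.*)?$"
)

PAGE_SHIFT = 12        # 4KB base pages
HUGE_PAGE_SHIFT = 21   # 2MB transparent huge pages

# Constructed sample: three launches of the same program. The large library's
# base always lands on a 2MB boundary while the small one keeps 4KB alignment.
SAMPLE_RUNS = [
    """7f3a1e200000-7f3a1e228000 r--p 00000000 08:01 1234   /usr/lib/libc.so.6
7f3a1e228000-7f3a1e3bd000 r-xp 00028000 08:01 1234   /usr/lib/libc.so.6
7f3a1e5c7000-7f3a1e5ca000 r-xp 00000000 08:01 5678   /usr/lib/libsmall.so.1
7ffd4c1e0000-7ffd4c201000 rw-p 00000000 00:00 0      [stack]""",
    """7f8c04a00000-7f8c04a28000 r--p 00000000 08:01 1234   /usr/lib/libc.so.6
7f8c04a28000-7f8c04bbd000 r-xp 00028000 08:01 1234   /usr/lib/libc.so.6
7f8c04d31000-7f8c04d34000 r-xp 00000000 08:01 5678   /usr/lib/libsmall.so.1
7ffc9a3b0000-7ffc9a3d1000 rw-p 00000000 00:00 0      [stack]""",
    """7fd1e4600000-7fd1e4628000 r--p 00000000 08:01 1234   /usr/lib/libc.so.6
7fd1e4628000-7fd1e47bd000 r-xp 00028000 08:01 1234   /usr/lib/libc.so.6
7fd1e493b000-7fd1e493e000 r-xp 00000000 08:01 5678   /usr/lib/libsmall.so.1
7ffe12f70000-7ffe12f91000 rw-p 00000000 00:00 0      [stack]""",
]


def trailing_zero_bits(addr: int) -> int:
    """Number of low-order zero bits, i.e. the power-of-two alignment of addr."""
    if addr == 0:
        return 0
    return (addr & -addr).bit_length() - 1


def effective_entropy_bits(rnd_bits: int, page_shift: int, align_shift: int) -> int:
    """ASLR bits left after forcing alignment to 2**align_shift.

    mmap_rnd_bits randomizes the bits above page_shift; every bit between
    page_shift and align_shift is forced to zero and is no longer random.
    """
    lost = max(0, align_shift - page_shift)
    return max(0, rnd_bits - lost)


def parse_library_bases(maps_text: str) -> dict:
    """Map each file-backed path to the lowest start address mapped from it."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path") or m.group("path").startswith("["):
            continue  # anonymous mappings, [stack], [vdso] etc. are skipped
        path = m.group("path").strip()
        start = int(m.group("start"), 16)
        bases[path] = min(start, bases.get(path, start))
    return bases


def analyze_runs(runs) -> dict:
    """Collect per-library bases across runs and the weakest alignment seen."""
    per_lib = defaultdict(list)
    for text in runs:
        for path, base in parse_library_bases(text).items():
            per_lib[path].append(base)
    report = {}
    for path, bases in per_lib.items():
        report[path] = {
            "bases": bases,
            "distinct_bases": len(set(bases)),
            "min_alignment_bits": min(trailing_zero_bits(b) for b in bases),
        }
    return report


def huge_page_aligned(runs, align_shift: int = HUGE_PAGE_SHIFT) -> list:
    """Sorted paths whose base was never seen below 2**align_shift alignment."""
    report = analyze_runs(runs)
    return sorted(p for p, r in report.items() if r["min_alignment_bits"] >= align_shift)


if __name__ == "__main__":
    for path, r in analyze_runs(SAMPLE_RUNS).items():
        lost = max(0, r["min_alignment_bits"] - PAGE_SHIFT)
        print(f"{path}: aligned to {r['min_alignment_bits']} bits, "
              f"{r['distinct_bases']} distinct bases, "
              f"~{lost} bits of entropy lost vs 4KB pages")
    # 28 is a sample mmap_rnd_bits value; read /proc/sys/vm/mmap_rnd_bits on a real host.
    print("64-bit entropy with 28 mmap_rnd_bits:",
          effective_entropy_bits(28, PAGE_SHIFT, HUGE_PAGE_SHIFT))
```

On a real host, feed `analyze_runs` the contents of `/proc/<pid>/maps` from several launches of the same binary; a library whose base is reported with 21 or more alignment bits on every run is being placed on 2MB boundaries, and the entropy loss is the difference between that alignment and the 12 bits of a 4KB page.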
## References
- Ubuntu Bug Tracker: [https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357](https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1983357)
- Kernel Source (`thp_get_unmapped_area`): [https://elixir.bootlin.com/linux/v6.7/C/ident/thp_get_unmapped_area](https://elixir.bootlin.com/linux/v6.7/C/ident/thp_get_unmapped_area)
- Original Blog Post: [https://blog.zolutal.io/aslrnt-how-memory-alignment-broke-library-aslr/](https://blog.zolutal.io/aslrnt-how-memory-alignment-broke-library-aslr/)