7 comments

[ 5.5 ms ] story [ 19.0 ms ] thread
This, really, is not a big deal. ASLR reduces your chances of attack by making addresses hard to guess. If you get into the system, and get to execute code, you have one chance to get it right, or your code crashes and takes the vulnerable app with it. So while this does have reduced randomness, it is not a huge deal.

When can it be? If you have a prod app which someone can hammer repeatedly hoping to guess ASLRed location of something. Now, with this vulnerability, they need only 64k tries on average instead of 128k tries. But if you do not notice your prod app crashing 64k times in close succession, you have other issues :)

The question one needs to ask is not whether you will notice, but whether you will notice before it is too late.
Well, if you do not notice 64k prod crashes, you will probably miss 128k as well, thus ASLR won't save you anyways. :)
Every mistake that people find that decreases entropy has a multiplicative effect, and some of this reduction can take place due to happenstance inside of the application: maybe you can leak a couple bytes off the stack somewhere, which lets you decrease the entropy further. That said, "search space is twice as large" is by itself "big": maybe you'd notice every day, but wouldn't notice every 12 hours, or you'd notice every week, but not notice every few days.
"Reducing entropy by half" sounds severe, but given that the actual values are being reduced from 262144 to 131072, which are either very small or very large numbers depending on the situation, what's the practical impact of this weakness?
"Reducing entropy by one bit" doesn't sound nearly a good, does it?