Bottom Up ASLR in Windows Sandbox Unnecessary on Windows 8+
Reported by
trit...@mozilla.com,
May 30 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0

Steps to reproduce the problem:
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc#305

What is the expected behavior?

What went wrong?
From reading https://blogs.technet.microsoft.com/srd/2013/12/11/software-defense-mitigating-common-exploitation-techniques/ (and https://twitter.com/epakskape/status/867935182950612992 ), it's my understanding that Windows 8+ applies bottom-up (and top-down) randomization automatically, meaning that on 32-bit processes on Windows 8+ the sandbox is allocating unnecessary memory.

Did this work before? N/A

Chrome version: trunk
Channel: canary
OS Version:
Flash Version: Shockwave Flash 25.0 r0
May 30 2017
Is there any claim of a security impact here, or just a performance cost?
May 30 2017
No, no security impact. I didn't know what else to tag it as besides Security.
May 30 2017
Thanks!
May 30 2017
I'm not sure it's true that it's "allocating unnecessary memory" (MEM_RESERVE without MEM_COMMIT), but it does consume precious address space.
Changing
if (flags & MITIGATION_BOTTOM_UP_ASLR)
to
if (flags & MITIGATION_BOTTOM_UP_ASLR &&
base::win::GetVersion() < base::win::VERSION_WIN8)
...seems reasonable enough.
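As an added check, not part of the original report, of the comment above, or of Chromium's sandbox code: the report's claim is that Windows 8+ already applies bottom-up randomization, and the comment proposes gating the sandbox's address-space reservation on the OS version. Since Windows 8 the kernel tracks that policy per process and exposes it through GetProcessMitigationPolicy(ProcessASLRPolicy), so the question can be settled by asking the OS what it actually applied to the running (32-bit or 64-bit) process instead of assuming. The script below does that and also mirrors the proposed version gate. Everything beyond the Win32 API itself is this example's own choice: the C# shim class name AslrQuery, the function names Get-AslrPolicy and Test-NeedsBottomUpEmulation, the NT 6.2 cut-off standing in for base::win::VERSION_WIN8, and the decision to treat 64-bit processes as not needing the reservation.

```powershell
# Added example, not Chromium sandbox code. Assumes a Windows host running
# PowerShell 5.1 or later. PROCESS_MITIGATION_ASLR_POLICY is a 32-bit flags word:
#   bit 0 EnableBottomUpRandomization, bit 1 EnableForceRelocateImages,
#   bit 2 EnableHighEntropy,           bit 3 DisallowStrippedImages.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class AslrQuery {
    // PROCESS_MITIGATION_POLICY enum: ProcessDEPPolicy = 0, ProcessASLRPolicy = 1.
    public const int ProcessASLRPolicy = 1;

    // BOOL GetProcessMitigationPolicy(HANDLE, PROCESS_MITIGATION_POLICY, PVOID, SIZE_T)
    // Exported by kernel32 only on Windows 8 and later.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(
        IntPtr hProcess, int mitigationPolicy, ref uint buffer, UIntPtr length);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
"@

function Get-AslrPolicy {
    # Returns the ASLR policy the OS applied to this process, or $null when the
    # API does not exist (Windows 7 and earlier), which is exactly the case where
    # a user-mode bottom-up emulation still has a job to do.
    try {
        [uint32]$flags = 0
        $ok = [AslrQuery]::GetProcessMitigationPolicy(
            [AslrQuery]::GetCurrentProcess(),
            [AslrQuery]::ProcessASLRPolicy,
            [ref]$flags,
            [UIntPtr]::new([uint32]4))   # sizeof(PROCESS_MITIGATION_ASLR_POLICY)
        if (-not $ok) { throw [System.ComponentModel.Win32Exception]::new() }
        [pscustomobject]@{
            BottomUp            = [bool]($flags -band 1)
            ForceRelocateImages = [bool]($flags -band 2)
            HighEntropy         = [bool]($flags -band 4)
            DisallowStripped    = [bool]($flags -band 8)
        }
    } catch [System.EntryPointNotFoundException] {
        $null
    }
}

function Test-NeedsBottomUpEmulation {
    # Mirrors the gate proposed in the thread: keep the manual reservation only
    # on pre-Windows 8 kernels (NT version below 6.2). Treating 64-bit processes
    # as exempt is this example's choice; the report's concern is 32-bit address space.
    param(
        [version]$OsVersion    = [Environment]::OSVersion.Version,
        [bool]$Is64BitProcess  = [Environment]::Is64BitProcess
    )
    if ($Is64BitProcess) { return $false }
    return $OsVersion -lt [version]'6.2'
}

# Usage: report what the kernel applied, then what the proposed gate would decide.
$policy = Get-AslrPolicy
if ($null -eq $policy) {
    Write-Output 'GetProcessMitigationPolicy unavailable: pre-Windows 8, emulation still required.'
} else {
    $policy | Format-List
}
Write-Output ("Needs bottom-up emulation: {0}" -f (Test-NeedsBottomUpEmulation))
```

Run the script from a 32-bit PowerShell host (SysWOW64) to see the policy of a 32-bit process, which is the case the report is about. A BottomUp value of True together with Test-NeedsBottomUpEmulation returning False is the situation where the sandbox's MEM_RESERVE blocks buy nothing and only cost address space; on Windows 7 the query throws EntryPointNotFoundException, Get-AslrPolicy returns $null, and the version gate keeps the reservation.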
May 31 2017
May 31 2018
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 30 2017
Components: Internals>Sandbox