On Thu, Jan 18, 2018 at 12:05:48PM +0100, Otto Moerbeek wrote:
> On Thu, Jan 18, 2018 at 10:48:09AM +, kshe wrote:
>
> > On Thu, 18 Jan 2018 08:54:21 +, Otto Moerbeek wrote:
> > > Looking back the rotor thing is ill-conceived indeed. I'm now
> > > testing the diff below. I still re-use r
On Thu, Jan 18, 2018 at 10:48:09AM +, kshe wrote:
> On Thu, 18 Jan 2018 08:54:21 +, Otto Moerbeek wrote:
> > Looking back the rotor thing is ill-conceived indeed. I'm now
> > testing the diff below. I still re-use r, because I really think a
> > little bit of correlation does not hurt her
On Thu, 18 Jan 2018 08:54:21 +, Otto Moerbeek wrote:
> Looking back the rotor thing is ill-conceived indeed. I'm now
> testing the diff below. I still re-use r, because I really think a
> little bit of correlation does not hurt here.
Actually, I think it does hurt, because it introduces a lot
On Wed, Jan 17, 2018 at 06:25:03PM +0100, Otto Moerbeek wrote:
> On Wed, Jan 17, 2018 at 01:59:21PM +, kshe wrote:
>
> > Hi,
> >
> > In malloc_bytes(), the choice of the chunk_info list to use is
> > correlated with that of the offset at which the search for a free chunk
> > begins, because
On Wed, Jan 17, 2018 at 01:59:21PM +, kshe wrote:
> Hi,
>
> In malloc_bytes(), the choice of the chunk_info list to use is
> correlated with that of the offset at which the search for a free chunk
> begins, because both use the same random source. This is easy to avoid,
> for example by doin
On Wed, Jan 17, 2018 at 08:52:36AM -0700, Theo de Raadt wrote:
> So the attacker has numerous small hurdles. There's a banana on the
> road, but there's snare wire above it.
Okay, now, I can't stop thinking of a Wile E. Coyote-shaped
Theo unboxing his ACME-ordered snare wire at Xmas...
> On a related note, however, I have some doubts about the usefulness of
> this "randomisation rotor".
>
> First, it currently does not really randomise anything, since on most
> architectures the total number of chunks always divides 256, so that
> using merely `r' as the random offset instead of
Hi,
In malloc_bytes(), the choice of the chunk_info list to use is
correlated with that of the offset at which the search for a free chunk
begins, because both use the same random source. This is easy to avoid,
for example by doing something like the diff below.
--- malloc.c.orig Sun Jan 1