Problem description
I am studying ASLR randomization of mmap() on an x86 system. I have read in a lot of places that there are 16 bits of randomization on the address loaded with mmap().
But in the source code I have found:
static unsigned long mmap_rnd(void)
{
    unsigned long rnd = 0;

    /*
     *  8 bits of randomness in 32bit mmaps, 20 address space bits
     * 28 bits of randomness in 64bit mmaps, 40 address space bits
     */
    if (current->flags & PF_RANDOMIZE) {
        if (mmap_is_ia32())
            rnd = (long)get_random_int() % (1<<8);
        else
            rnd = (long)(get_random_int() % (1<<28));
    }
    return rnd << PAGE_SHIFT;
}
So, that would be only 8 bits of randomness.
But in fact, running some tests, I get the following addresses (stack-heap-mmap):
bf937000,09a60000,b774b000
bfa86000,090ef000,b76e2000
It's more than 16 bits if it can be b77XX000 and b76XX000!!!!
Any help on this?
Recommended answer
PAGE_SHIFT is shifting that randomness to a different bit position. The difference between your mmap addresses is indeed:
b774b000
-b76e2000
---------
69000
I don't know what the value of PAGE_SHIFT is, but if it's 12 for example, then you have a 0x69 difference, which fits perfectly in 8 bits.
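Added example (not part of the original question or answer): a small C program that takes the two mmap addresses quoted in the question and compares their arithmetic spread in pages with the span of address bits that differ between them. A PAGE_SHIFT of 12 is an assumption, as in the answer, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT_ASSUMED 12	/* assumption: 4 KiB pages, as the answer supposes */

/* Number of bits needed to represent v (0 needs 0 bits). */
static unsigned bits_needed(uint32_t v)
{
	unsigned n = 0;
	while (v) { n++; v >>= 1; }
	return n;
}

/* Distance between the lowest and highest sampled address, in pages. */
static uint32_t page_spread(const uint32_t *addr, size_t n)
{
	uint32_t lo = addr[0], hi = addr[0];
	for (size_t i = 1; i < n; i++) {
		if (addr[i] < lo) lo = addr[i];
		if (addr[i] > hi) hi = addr[i];
	}
	return (hi - lo) >> PAGE_SHIFT_ASSUMED;
}

/* Naive view: width of the page-number bits that differ in any sample. */
static unsigned differing_bit_span(const uint32_t *addr, size_t n)
{
	uint32_t x = 0;
	for (size_t i = 1; i < n; i++)
		x |= addr[0] ^ addr[i];
	return bits_needed(x >> PAGE_SHIFT_ASSUMED);
}

/* The two mmap addresses quoted in the question. */
static const uint32_t observed[] = { 0xb774b000u, 0xb76e2000u };

int main(void)
{
	size_t n = sizeof observed / sizeof observed[0];
	uint32_t spread = page_spread(observed, n);

	printf("spread: 0x%x pages, %u bits\n", (unsigned)spread, bits_needed(spread));
	printf("differing bit span: %u bits\n", differing_bit_span(observed, n));
	return 0;
}
```

For these two samples the spread is 0x69 pages (7 bits), while the XOR of the addresses spans 9 page-number bits, because adding 0x69 pages to the lower address carries into address bit 20. Two samples only bound the randomized range from below.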