On Wed, Jan 14, 2015 at 15:44, Mathias Svensson wrote:
>
> - The ps_struct structure is placed at a known address and contains
>   pointers to the stack.
> - The entire region from the stack to USRSTACK is mapped, meaning that
>   an attacker with the capability to repeatedly leak from a chosen
>   address could start at USRSTACK and search down until he finds the
>   stack.
> - A large area below the stack is mapped on demand, meaning that an
>   attacker with the same capabilities could start below the stack and
>   search up until the stack is found.
This is perhaps the saddest part. I think progress has been slow in part because userland actually used USRSTACK (for example in librthread, to identify the stack region). That's now been exorcised, but the kernel, for instance, doesn't track it on a per-process basis, and so sysctl VM_PSSTRINGS still returns fixed values.
