

CVE-2015-1593 – Linux ASLR integer overflow: Reducing stack entropy by four - adamnemecek
http://hmarco.org/bugs/linux-ASLR-integer-overflow.html

======
netheril96
This bug certainly needs patching, but its severity is very low. The lack of
ASLR isn't in itself a security vulnerability.

------
Animats
ASLR turns some unsuccessful buffer overflow attacks into system crashes.
About all that can be said for address space randomization is that it's better
than doing nothing. It has the useful feature that it makes it harder to
reproduce buffer overflow bugs, which allows developers to avoid the work of
finding and fixing them.

_"We must do something. This is something. Therefore we must do this."_ -
Yes, Minister

~~~
MichaelGG
That's pretty much what we're left with for unsafe code protection eh? And
still stuff gets through... I'm wondering why we don't have runtime code
rewriting, where the loader reorders code fragments, inserts unconditional
jumps in places, etc. to make exploitation harder.

~~~
RubyPinch
It is suspected that Denuvo DRM does the whole in-memory rewriting.

Applying something like that to prevent memory-based abuse and the such would
be interesting.

------
ars
> All Linux versions prior to 3.19-rc3 are affected.

I'm using 3.14.15 (and yes, I greatly enjoy the number) and I'm not affected.

------
phaemon
I'm guessing "RandomCode" is a new username for "TempleOS"?

