On Mon, Aug 18, 2014 at 12:46 PM, Andres Freund <andres@2ndquadrant.com> wrote:
> On 2014-08-18 12:41:58 -0400, Robert Haas wrote:
>> On Mon, Aug 18, 2014 at 12:00 PM, Andres Freund <andres@2ndquadrant.com> wrote:
>> >> Unfortunately, that information also has some security implications.
>> >> I'm sure someone trying to exploit any future stack-overrun
>> >> vulnerability will be very happy to have more rather than less
>> >> information about the layout of the process address space.
>> >>
>> >
>> > Meh. For one it's just the offsets, not the actual addresses. It's also
>> > something you can relatively easily compute at home by looking at a
>> > couple of settings everyone can see. For another, I'd be perfectly
>> > content making this superuser only. And if somebody can execute queries
>> > as superuser, address layout information really isn't needed anymore to
>> > execute arbitrary code.
>>
>> I'm just not sure it should be in there at all.
>
> You realize that you can pretty much recompute the offsets from the
> sizes of the individual allocations anyway?
Sure, if you know the segment base. Do you?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company