From: Pavel Machek <pavel@ucw.cz>
To: Ingo Molnar <mingo@elte.hu>
Cc: jikos@suse.cz, kernel list <linux-kernel@vger.kernel.org>
Subject: Re: brk randomization breaks columns
Date: Mon, 4 Feb 2008 14:28:53 +0100
Message-ID: <20080204132853.GA4630@elf.ucw.cz>
In-Reply-To: <20080204130156.GA8730@elte.hu>

Hi!

> > Hmm, code in binfmt_elf is really strange.
> > 
> >         elf_bss += load_bias;
> >         elf_brk += load_bias;
> >         start_code += load_bias;
> >         end_code += load_bias;
> >         start_data += load_bias;
> >         end_data += load_bias;
> > 
> >         /* Calling set_brk effectively mmaps the pages that we need
> >          * for the bss and break sections.  We must do this before
> >          * mapping in the interpreter, to make sure it doesn't wind
> >          * up getting placed where the bss needs to go.
> >          */
> >         retval = set_brk(elf_bss, elf_brk);
> > 
> > ... so we allocate non-randomized brk, but later we just overwrite bss 
> > variable with new, shinier and better randomized value... without 
> > unmapping the old one... The code in binfmt_elf.c is really a mess.
> 
> hm, so it seems that it isn't even the randomization that causes the 
> problem - but somehow the randomization code itself is broken, right? 
> 
> Would you be interested in figuring out how to unbreak this? [if not, 
> could you send me the binary?]

Not sure this helps... If I only randomize _end_ of heap, it still
works. If I try to randomize beginning of heap, too, it will not even
start recent binaries :-(.
								Pavel

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 18ed6dd..9afc58f 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -980,6 +983,16 @@ #endif
 	}
 
 	loc->elf_ex.e_entry += load_bias;
+
+
+	printk("%d: %x\n", current->pid, elf_brk);
+
+	extern unsigned long 	randomize_range(unsigned long start, unsigned long end, unsigned long len);
+
+	long random = randomize_range(0, 0x200000, 0);
+	elf_brk += random;
+//	elf_bss += random;
+
 	elf_bss += load_bias;
 	elf_brk += load_bias;
 	start_code += load_bias;
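Review bot: the random offset is added to elf_brk only, while the `elf_bss += random;` line stays commented out, so the later `set_brk(elf_bss, elf_brk)` simply maps the whole stretch from the real end of bss up to the shifted brk; that is why shifting only the end of the heap "works", whereas enabling the elf_bss line moves the bss start away from where the segment was actually loaded. The new code also runs unconditionally: there is no `current->flags & PF_RANDOMIZE` test around it, so personalities with ADDR_NO_RANDOMIZE get a random brk as well. Smaller points in the same hunk: `printk("%d: %x\n", current->pid, elf_brk)` prints an `unsigned long` with `%x` and has no KERN_ level, so use `%#lx` (and drop it before submission, it logs a kernel layout address to dmesg); the in-function `extern unsigned long randomize_range(...)` prototype duplicates the declaration in `<linux/random.h>`, so include the header instead; and `long random = ...` is a declaration after a statement, which the kernel build warns about. Finally, the hunk header `@@ -980,6 +983,16 @@` implies three lines were added earlier in the file that this diff does not show, so the patch as posted will not apply on its own.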
@@ -1076,12 +1093,6 @@ #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGE
 	current->mm->end_data = end_data;
 	current->mm->start_stack = bprm->p;
 
-#ifdef arch_randomize_brk
-	if (current->flags & PF_RANDOMIZE)
-		current->mm->brk = current->mm->start_brk =
-			arch_randomize_brk(current->mm);
-#endif
-
 	if (current->personality & MMAP_PAGE_ZERO) {
 		/* Why this, you ask???  Well SVr4 maps page 0 as read-only,
 		   and some applications "depend" upon this behavior.
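Review bot: deleting the `#ifdef arch_randomize_brk` block removes the only `PF_RANDOMIZE` check on heap randomization, so the offset added before `set_brk()` in the first hunk can no longer be switched off with `setarch -R` / `ADDR_NO_RANDOMIZE`, which is exactly the escape hatch a user of a binary like columns needs while the real bug is being found. If the experiment is to place the random offset before `set_brk()` rather than after it, keep the `if (current->flags & PF_RANDOMIZE)` condition around the new code instead of dropping it here; the `#ifdef` guard is also what keeps the randomization arch-specific, since `arch_randomize_brk` is only defined on architectures that support it.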

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
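The thread is about whether the kernel places the initial program break directly after bss or at a random distance from it, and whether a process can opt out. The following user-space check, added here as an illustration and not part of Pavel's patch or of the kernel, shows how a maintainer or tester can observe the result of that placement from a running process. It assumes a GNU/Linux toolchain that provides the `_end` linker symbol, a readable `/proc/sys/kernel/randomize_va_space`, and the `personality(2)` query idiom; the classification thresholds are the example's own choice.

```c
/* Added example (not from the kernel or from Pavel's patch): observe where
 * the kernel put the initial program break relative to the end of bss,
 * which is what the set_brk()/arch_randomize_brk discussion above is about.
 * Assumes GNU/Linux, the linker-provided _end symbol and a readable /proc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/personality.h>

/* Linker-provided symbol: first byte past .bss (assumption: GNU/Linux link). */
extern char _end[];

/* Bytes between the end of bss and the current program break.
 * Call it before anything malloc()s, otherwise the allocator may already
 * have moved the break up.  Returns -1 if sbrk() fails. */
long brk_gap_bytes(void)
{
    void *brk0 = sbrk(0);
    if (brk0 == (void *)-1)
        return -1;
    return (long)((char *)brk0 - _end);
}

/* Classify the observed layout (thresholds are this example's own):
 *   0 = break directly follows bss, only page-alignment slack in between
 *   1 = break shifted above bss by a larger (randomized) distance
 *   2 = break lives below the image, i.e. not adjacent to bss at all */
int classify_brk(long gap)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        page = 4096;
    if (gap < 0)
        return 2;
    if (gap < 2 * page)
        return 0;
    return 1;
}

/* System-wide knob: 0 = off, 1 = stack/mmap/vdso, 2 = also brk.
 * Returns -1 when the file cannot be read (non-Linux, restricted /proc). */
int randomize_va_space_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* 1 if this process opted out via ADDR_NO_RANDOMIZE (setarch -R), else 0. */
int process_opted_out(void)
{
    int p = personality(0xffffffff);   /* query only, does not change it */
    if (p == -1)
        return 0;
    return (p & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

int main(void)
{
    /* Measure first: printf() below may malloc() and move the break. */
    long gap = brk_gap_bytes();
    int kind = classify_brk(gap);
    static const char *const verdict[] = {
        "break follows bss directly (no heap randomization visible)",
        "break placed a random distance above bss",
        "break placed away from the image entirely",
    };

    printf("end of bss            : %p\n", (void *)_end);
    printf("initial program break : %p\n", sbrk(0));
    printf("gap                   : %ld bytes\n", gap);
    printf("randomize_va_space    : %d\n", randomize_va_space_setting());
    printf("ADDR_NO_RANDOMIZE set : %d\n", process_opted_out());
    printf("verdict               : %s\n", gap < 0 && kind == 2 ? verdict[2] : verdict[kind]);
    return 0;
}
```

Run it a few times, then once under `setarch $(uname -m) -R`: with brk randomization active the gap changes between runs and the verdict flips to "follows bss directly" when the personality opts out, which is the behaviour the second hunk above would have taken away.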
