Re: Is PIE randomization breaking klibc binaries?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "H. Peter Anvin" <hpa@zytor.com>
To: Sergey Vlasov <vsu@altlinux.ru>
Cc: Ulrich Kunitz <kune@deine-taler.de>,
	Chuck Ebbert <cebbert@redhat.com>,
	linux-kernel@vger.kernel.org, honza@jikos.cz, jkosina@suse.cz
Subject: Re: Is PIE randomization breaking klibc binaries?
Date: Thu, 02 Aug 2007 15:10:29 -0400	[thread overview]
Message-ID: <46B22C25.2070601@zytor.com> (raw)
In-Reply-To: <20070802230219.97b7f7b5.vsu@altlinux.ru>

Sergey Vlasov wrote:
>>
>> Program Header:
>>     LOAD off    0x0000000000000000 vaddr 0x0000000000200000 paddr 0x0000000000200000 align 2**21
>>          filesz 0x000000000001197e memsz 0x000000000001197e flags r-x
>>     LOAD off    0x0000000000011980 vaddr 0x0000000000411980 paddr 0x0000000000411980 align 2**21
> 
> Note that the vaddr here can overlap the binary which is linked starting
> at 0x400000.
> 
> This is the bug which I have found and fixed some time ago:
> 
> http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=10df6dfb13ffefe716f12136bbc667f18ff64744
> 
> The fix was included in klibc-1.4.35, but does not seem to be applied in
> your case (the alignment is still 2**21 - it should be 2**20) - so
> either you are using an old klibc, or the "-z max-page-size=0x100000"
> option does not take effect for some reason.
> 
> In my case the buggy klibc worked fine with a stock 2.6.18 kernel, but
> broke when the execshield patch was applied - and the commit 60bfba7e
> code comes from execshield, so it looks like the same problem.
> 
>>          filesz 0x0000000000000100 memsz 0x0000000000004288 flags rw-
>>    STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**3
>>          filesz 0x0000000000000000 memsz 0x0000000000000000 flags rwx
>>
>> Sections:
>> Idx Name          Size      VMA               LMA               File off  Algn
>>   0 .text         0000da94  0000000000200200  0000000000200200  00000200  2**2
>>                   CONTENTS, ALLOC, LOAD, READONLY, CODE
>>   1 .rodata       00003cde  000000000020dca0  000000000020dca0  0000dca0  2**5
>>                   CONTENTS, ALLOC, LOAD, READONLY, DATA
>>   2 .data         00000100  0000000000411980  0000000000411980  00011980  2**5
>>                   CONTENTS, ALLOC, LOAD, DATA
>>   3 .bss          00004188  0000000000411a80  0000000000411a80  00011a80  2**5
>>                   ALLOC
>>   4 .gnu_debuglink 0000002c  0000000000000000  0000000000000000  00011a80  2**0
>>                   CONTENTS, READONLY

Yup... it should probably be pointed out the reason the old kernel 
worked was nothing but pure dumb luck.  This was a GNU ld change which 
needed to be undone for klibc.  It's unfortunate that stock x86-64 
binaries leave as little of a null pointer range as they do, but that's 
life, unfortunately.  The other alternative is to map klibc just below 
the 2 GB point, which would also work, but the old way broke when the ld 
change went in.  As previously stated, klibc-1.4.35 or higher fixes this.

	-hpa

next prev parent reply	other threads:[~2007-08-02 19:11 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-07-20 21:13 Is PIE randomization breaking klibc binaries? Ulrich Kunitz
2007-07-20 22:05 ` H. Peter Anvin
2007-07-24 20:34   ` Chuck Ebbert
2007-07-24 20:57     ` Chuck Ebbert
2007-07-24 22:00       ` Ulrich Kunitz
2007-07-24 22:41         ` Chuck Ebbert
2007-07-24 22:45           ` H. Peter Anvin
2007-07-24 23:13             ` Ulrich Kunitz
2007-07-25  6:32             ` Ulrich Kunitz
2007-07-31 11:30               ` Jiri Kosina
2007-07-31 12:01                 ` H. Peter Anvin
2007-07-31 12:19                   ` Jiri Kosina
2007-07-31 12:15                     ` H. Peter Anvin
2007-08-01 14:07                       ` Jiri Kosina
2007-08-02  4:29                         ` Ulrich Kunitz
2007-08-02 11:21                           ` Jiri Kosina
2007-08-02 17:03                             ` Bret Towe
2007-08-02 19:02               ` Sergey Vlasov
2007-08-02 19:10                 ` H. Peter Anvin [this message]
2007-08-02 20:42                   ` Ulrich Kunitz
2007-08-02 21:03                   ` Jiri Kosina
2007-08-02 19:10                 ` Ulrich Kunitz
2007-07-21  6:02 ` Bret Towe
2007-07-21 10:18   ` Andrew Morton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=46B22C25.2070601@zytor.com \
    --to=hpa@zytor.com \
    --cc=cebbert@redhat.com \
    --cc=honza@jikos.cz \
    --cc=jkosina@suse.cz \
    --cc=kune@deine-taler.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=vsu@altlinux.ru \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.