From: David Daney <ddaney@caviumnetworks.com>
To: Camm Maguire <camm@maguirefamily.org>
Cc: "Maciej W. Rozycki" <macro@linux-mips.org>,
debian-mips@lists.debian.org, gcl-devel@gnu.org,
Andreas Barth <aba@not.so.argh.org>,
linux-mips <linux-mips@linux-mips.org>
Subject: Re: mips and ADDR_NO_RANDOMIZE
Date: Mon, 01 Nov 2010 11:06:15 -0700 [thread overview]
Message-ID: <4CCF0197.2030407@caviumnetworks.com> (raw)
In-Reply-To: <87bp69811z.fsf_-_@maguirefamily.org>
On 11/01/2010 09:24 AM, Camm Maguire wrote:
> Greetings! Executing personality() with the ADDR_NO_RANDOMIZE bit set,
> and re-executing via execve, should yield a process with traditional
> contiguous brk() addresses appended to the .data segment, independent
> of the setting of sysctl kernel.randomize_va_space, right? At least
> this is the way the linux kernel has been working on x86 for many
> years.
>
> The latest Debian mips kernel is not honoring this setting. I'd like
> to know if this is a kernel bug.
>
For things like this, we need to know what kind of kernel it is. Is it
a 64-bit kernel running a 32-bit application?
I am going to guess that it is.
The 32-bit sys_personality wrapper in the kernel looks incorrect. But
It should probably still work, to set ADDR_NO_RANDOMIZE, so I don't
really know where it is going off track yet.
Having implemented the randomization, I would like to see it work
correctly, so I guess I will look at it.
You seem to have a certain knack for uncovering obscure bugs.
David Daney
> =============================================================================
> h/unrandomize.h
> =============================================================================
> #include<sys/personality.h>
> #include<syscall.h>
> #include<unistd.h>
> #include<alloca.h>
> #include<errno.h>
>
>
> {
> errno=0;
>
> {
>
> long pers = personality(0xffffffffUL);
> if (pers==-1) {printf("personality failure %d\n",errno);exit(-1);}
> if (!(pers& ADDR_NO_RANDOMIZE)&& !getenv("GCL_UNRANDOMIZE")) {
> errno=0;
> if (personality(pers | ADDR_NO_RANDOMIZE) != -1&& personality(0xffffffffUL)& ADDR_NO_RANDOMIZE) {
> int i;
> char **n;
> for (i=0;envp[i];i++);
> n=alloca((i+2)*sizeof(*n));
> n[i+1]=0;
> n[i--]="GCL_UNRANDOMIZE=t";
> for (;i>=0;i--)
> n[i]=envp[i];
> #ifdef GCL_GPROF
> gprof_cleanup();
> #endif
> errno=0;
> execve(*argv,argv,n);
> printf("execve failure %d\n",errno);
> exit(-1);
> } else {
> printf("personality change failure %d\n",errno);
> exit(-1);
> }
> }
> }
> }
> =============================================================================
> f.c
> =============================================================================
> #include<stdio.h>
> void gprof_cleanup() {};
> int main(int argc,char * argv[],char * envp[]) {
> FILE *f;
>
> #include "h/unrandomize.h"
>
> if (!(f=fopen("conftest1","w"))) return -1;
> fprintf(f,"%u",sbrk(0));
> return 0;}
> =============================================================================
> ./f&& cat conftest1&& echo&& ./f&& cat conftest1
> 10043392
> 10584064
> =============================================================================
> strace -f ./f
> =============================================================================
> execve("./f", ["./f"], [/* 16 vars */]) = 0
> brk(0) = 0x7a4000
> old_mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b938000
> uname({sys="Linux", node="phrixos", ...}) = 0
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=16547, ...}) = 0
> old_mmap(NULL, 16547, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2b93c000
> close(3) = 0
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> open("/lib/libc.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\10\0\1\0\0\0\24s\1\0004\0\0\0"..., 512) = 512
> lseek(3, 760, SEEK_SET) = 760
> read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0\22\0\0\0", 32) = 32
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1594664, ...}) = 0
> old_mmap(NULL, 1576560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2b948000
> mprotect(0x2baac000, 49152, PROT_NONE) = 0
> old_mmap(0x2bab8000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x160000) = 0x2bab8000
> old_mmap(0x2bac8000, 3696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2bac8000
> close(3) = 0
> set_thread_area(0x2b940ad0) = 0
> mprotect(0x2bab8000, 49152, PROT_READ) = 0
> munmap(0x2b93c000, 16547) = 0
> personality(0xffffffff /* PER_??? */) = 0
> personality(0x40000 /* PER_??? */) = 0
> personality(0xffffffff /* PER_??? */) = 262144
> execve("./f", ["./f"], [/* 17 vars */]) = 0
> brk(0) = 0x670000
> old_mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ba70000
> uname({sys="Linux", node="phrixos", ...}) = 0
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=16547, ...}) = 0
> old_mmap(NULL, 16547, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2ba74000
> close(3) = 0
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> open("/lib/libc.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\10\0\1\0\0\0\24s\1\0004\0\0\0"..., 512) = 512
> lseek(3, 760, SEEK_SET) = 760
> read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0\22\0\0\0", 32) = 32
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1594664, ...}) = 0
> old_mmap(NULL, 1576560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2ba80000
> mprotect(0x2bbe4000, 49152, PROT_NONE) = 0
> old_mmap(0x2bbf0000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x160000) = 0x2bbf0000
> old_mmap(0x2bc00000, 3696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2bc00000
> close(3) = 0
> set_thread_area(0x2ba78ad0) = 0
> mprotect(0x2bbf0000, 49152, PROT_READ) = 0
> munmap(0x2ba74000, 16547) = 0
> personality(0xffffffff /* PER_??? */) = 0
> brk(0) = 0x670000
> brk(0x694000) = 0x694000
> open("conftest1", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
> old_mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2bc04000
> write(3, "6897664", 7) = 7
> exit_group(0) = ?
> =============================================================================
> uname -a
> =============================================================================
> Linux phrixos 2.6.36-rc6-loongson-2f #1 Mon Oct 4 20:36:22 UTC 2010
> mips64 GNU/Linux
> =============================================================================
> /proc/cpuinfo
> =============================================================================
> system type : lemote-fuloong-2f-box
> processor : 0
> cpu model : ICT Loongson-2 V0.3 FPU V0.1
> BogoMIPS : 528.38
> wait instruction : yes
> microsecond timers : yes
> tlb_entries : 64
> extra interrupt vector : no
> hardware watchpoint : yes, count: 0, address/irw mask: []
> ASEs implemented :
> shadow register sets : 1
> core : 0
> VCED exceptions : not available
> VCEI exceptions : not available
> =============================================================================
>
> Take care,
next prev parent reply other threads:[~2010-11-01 18:06 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <E1OwbkA-0006gv-Bi@localhost.m.enhanced.com>
[not found] ` <4C93993E.7030008@caviumnetworks.com>
[not found] ` <8762y49k1k.fsf@maguirefamily.org>
[not found] ` <4C93D86D.5090201@caviumnetworks.com>
[not found] ` <87fwx4dwu5.fsf@maguirefamily.org>
[not found] ` <4C97D9A1.7050102@caviumnetworks.com>
[not found] ` <87lj6te9t1.fsf@maguirefamily.org>
[not found] ` <4C9A8BC9.1020605@caviumnetworks.com>
[not found] ` <4C9A9699.6080908@caviumnetworks.com>
[not found] ` <87pqvbs7oa.fsf@maguirefamily.org>
[not found] ` <4CB88D2C.8020900@caviumnetworks.com>
[not found] ` <87r5fksxby.fsf_-_@maguirefamily.org>
2010-10-20 16:38 ` recent SIGBUS/SIGSEGV mips kernel bug David Daney
2010-10-20 21:31 ` Camm Maguire
2010-10-21 16:19 ` David Daney
2010-10-21 16:32 ` Camm Maguire
2010-10-21 17:29 ` David Daney
2010-10-21 19:07 ` Camm Maguire
2010-10-25 20:11 ` Camm Maguire
2010-10-25 21:32 ` gdb for mips64 Camm Maguire
2010-10-25 21:45 ` David Daney
2010-10-26 12:47 ` Maciej W. Rozycki
2010-10-26 17:19 ` David Daney
2010-11-01 16:24 ` mips and ADDR_NO_RANDOMIZE Camm Maguire
2010-11-01 18:06 ` David Daney [this message]
2010-11-01 18:24 ` Camm Maguire
2010-10-26 14:47 ` gdb for mips64 Camm Maguire
2010-10-26 20:12 ` [Gcl-devel] " Camm Maguire
2010-10-28 10:50 ` Maciej W. Rozycki
2010-10-28 21:28 ` Camm Maguire
2010-10-29 7:47 ` Maciej W. Rozycki
2010-10-29 15:52 ` Camm Maguire
2010-10-30 12:39 ` Maciej W. Rozycki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CCF0197.2030407@caviumnetworks.com \
--to=ddaney@caviumnetworks.com \
--cc=aba@not.so.argh.org \
--cc=camm@maguirefamily.org \
--cc=debian-mips@lists.debian.org \
--cc=gcl-devel@gnu.org \
--cc=linux-mips@linux-mips.org \
--cc=macro@linux-mips.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.