From: Vinay Kumar <vinay.m.engg@gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-alpha@sourceware.org, carlos@redhat.com
Subject: Re: Thread stack and heap caches - CVE-2019-1010024
Date: Mon, 11 Nov 2019 16:26:46 +0530
Message-ID: <CANUMPcU+av0cU7cW3KTTotNw6dUUzA5yeuJPrv-uSQajOYRr7w@mail.gmail.com>
In-Reply-To: <878sovvnef.fsf@oldenburg2.str.redhat.com>


Hi Florian,

>> Does this really change the randomization?  Won't the kernel map the new
>> stack at a predictable address, too?

Yes, every time a new address is assigned, as shown in the iterations of
output below.
Also, the attached patch "aslr_glibc.patch" adds the glibc configuration
option "--with-aslr" to enable randomization.

Compilation command:
$ x86_64-windriver-linux-gcc test.c -g -fpie -pie \
    -Xlinker -rpath=/home/x86_64-tc/prefix-aslr//x86_64-windriver-linux/lib \
    -Xlinker -I /home/x86_64-tc/prefix-aslr/x86_64-windriver-linux/lib/ld-2.30.9000.so \
    -w -lpthread -o thread.out

Output:

Trial 1:
./thread.out
addr: 0x7f15252bfee0
value deadbeef
malloced 0x7f1520000f70
addr: 0x7f1524abeee0
value 0
malloced 0x7f1520000f70

Trial 2:
./thread.out
addr: 0x7f9091640ee0
value deadbeef
malloced 0x7f908c000f70
addr: 0x7f9090e3fee0
value 0
malloced 0x7f908c000f70

Trial 3:
./thread.out
addr: 0x7f0d923dfee0
value deadbeef
malloced 0x7f0d8c000f70
addr: 0x7f0d91bdeee0
value 0
malloced 0x7f0d8c000f70

Trial 4:
./thread.out
addr: 0x7f146d97dee0
value deadbeef
malloced 0x7f1468000f70
addr: 0x7f146d17cee0
value 0
malloced 0x7f1468000f70

Regards,
Vinay

[-- Attachment #2: aslr_glibc.patch --]

diff --git a/config.h.in b/config.h.in
index 824dfe8..649833e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -255,6 +255,9 @@
 /* PowerPC32 uses fctidz for floating point to long long conversions.  */
 #define HAVE_PPC_FCTIDZ 0
 
+/* Build glibc with ASLR enabled*/
+#define ASLR_ENABLE 0
+
 /* Build glibc with tunables support.  */
 #define HAVE_TUNABLES 0
 
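Review bot: the new comment `/* Build glibc with ASLR enabled*/` lacks the space before `*/` and the terminating period that the neighbouring comments use (`/* Build glibc with tunables support.  */`); suggest `/* Build glibc with ASLR enabled.  */`. The macro name is also misleading: what the patch actually toggles is the thread stack cache, not ASLR itself, so a name that says what it does (e.g. something along the lines of "disable stack cache") would keep config.h honest.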
diff --git a/configure b/configure
index 2f44b66..f26d8bd 100755
--- a/configure
+++ b/configure
@@ -688,6 +688,7 @@ enable_timezone_tools
 extra_nonshared_cflags
 use_default_link
 sysheaders
+with_aslr
 ac_ct_CXX
 CXXFLAGS
 CXX
@@ -762,6 +763,7 @@ with_gd_include
 with_gd_lib
 with_binutils
 with_selinux
+with_aslr
 with_headers
 with_default_link
 with_nonshared_cflags
@@ -1482,6 +1484,7 @@ Optional Packages:
   --with-gd-lib=DIR       find libgd library files in DIR
   --with-binutils=PATH    specify location of binutils (as and ld)
   --with-selinux          if building with SELinux support
+  --with-aslr             if building with ASLR support
   --with-headers=PATH     location of system headers to use (for example
                           /usr/src/linux/include) [default=compiler default]
   --with-default-link     do not use explicit linker scripts
@@ -3324,6 +3327,20 @@ else
 fi
 
 
+# Check whether --with-aslr was given.
+if test "${with_aslr+set}" = set; then :
+  withval=$with_aslr; with_aslr=$withval
+else
+  with_aslr=auto
+fi
+
+
+if test "$with_aslr" = yes; then
+  $as_echo "#define ASLR_ENABLE 1" >>confdefs.h
+
+fi
+
+
 
 # Check whether --with-headers was given.
 if test "${with_headers+set}" = set; then :
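Review bot: this hunk (and the two `with_aslr` list additions above) is hand-edited output in a generated file; the double blank lines after the new `fi` blocks are the tell. Regenerate `configure` by running autoconf on the `configure.ac` change instead of patching it by hand, so the generated file stays consistent with the template and the diff is reviewable as one logical change.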
diff --git a/configure.ac b/configure.ac
index e69c88c..74429b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -138,6 +138,16 @@ AC_ARG_WITH([selinux],
 			   [if building with SELinux support]),
 	    [with_selinux=$withval],
 	    [with_selinux=auto])
+AC_ARG_WITH([aslr],
+	    AC_HELP_STRING([--with-aslr],
+			   [if building with ASLR support]),
+	    [with_aslr=$withval],
+	    [with_aslr=auto])
+AC_SUBST(with_aslr)
+if test "$with_aslr" = yes; then
+  AC_DEFINE(ASLR_ENABLE)
+fi
+
 
 AC_ARG_WITH([headers],
 	    AC_HELP_STRING([--with-headers=PATH],
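Review bot: a new configure option must be documented in manual/install.texi (from which INSTALL is regenerated) and noted in NEWS; neither file is touched here. `AC_SUBST(with_aslr)` exports the value to the Makefiles, but nothing in this patch consumes it, so it can be dropped. With the default of `auto` and a test for exactly `yes`, the option is a plain on/off switch and any other value (`--with-aslr=1`) is silently ignored; either reject unknown values with `AC_MSG_ERROR` or use `AC_ARG_ENABLE`, which is the autoconf idiom for an on/off build feature, while `AC_ARG_WITH` is meant for external packages such as the `selinux` and `binutils` options around it.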
diff --git a/nptl/allocatestack.c b/nptl/allocatestack.c
index 64a9ae6..11e5685 100644
--- a/nptl/allocatestack.c
+++ b/nptl/allocatestack.c
@@ -544,7 +544,9 @@ allocate_stack (const struct pthread_attr *attr, struct pthread **pdp,
 
       /* Try to get a stack from the cache.  */
       reqsize = size;
+      #if !ASLR_ENABLE	
       pd = get_cached_stack (&size, &mem);
+      #endif 	
       if (pd == NULL)
 	{
 	  /* To avoid aliasing effects on a larger scale than pages we
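Review bot: with `ASLR_ENABLE` set, nothing assigns `pd` before the `if (pd == NULL)` test that follows, and `allocate_stack` declares `pd` without an initializer, so the guarded-out call turns that test into a read of an uninitialized variable; add an `#else` branch with `pd = NULL;` (or initialize `pd` at its declaration). Style: glibc keeps preprocessor directives in column 0, and both new lines carry trailing whitespace. Finally, a compile-time switch disables the cache for every program linked against this build, and skipping `get_cached_stack` only changes where a new stack is mmap'ed, which still leaves placement to the kernel, as raised upthread; a runtime tunable would let the cost be paid only by the processes that need it.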

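Added example, not the test.c or the attachment from this message: a small program that reproduces the two-thread experiment behind the "addr"/"malloced" output above, so a reader can check on their own libc whether the second thread's stack comes back from the cache at the same address. The names run_trial and stack_reused are my own.

```c
#include <inttypes.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Addresses observed inside one short-lived thread.  */
struct trial { uintptr_t stack_addr, heap_addr; };

static void *worker (void *arg)
{
  struct trial *t = arg;
  volatile unsigned value = 0xdeadbeef;   /* a stack local, as in the original test */
  void *p = malloc (64);                  /* served from this thread's malloc arena */
  t->stack_addr = (uintptr_t) &value;
  t->heap_addr = (uintptr_t) p;
  free (p);
  return NULL;
}

/* Start one thread, wait for it, and record its addresses.  Returns 0 on success.  */
static int run_trial (struct trial *t)
{
  pthread_t th;
  if (pthread_create (&th, NULL, worker, t) != 0)
    return -1;
  return pthread_join (th, NULL) == 0 ? 0 : -1;
}

/* Run two threads back to back and print the same four lines as the output
   above.  Returns 1 if the second thread's stack local has the same address as
   the first's (stack taken from the cache), 0 for a fresh mapping, -1 on error.  */
int stack_reused (void)
{
  struct trial a = { 0, 0 }, b = { 0, 0 };
  if (run_trial (&a) != 0 || run_trial (&b) != 0)
    return -1;
  printf ("addr: %#" PRIxPTR "\nmalloced %#" PRIxPTR "\n", a.stack_addr, a.heap_addr);
  printf ("addr: %#" PRIxPTR "\nmalloced %#" PRIxPTR "\n", b.stack_addr, b.heap_addr);
  return a.stack_addr == b.stack_addr;
}

int main (void)
{
  int r = stack_reused ();
  puts (r == 1 ? "second thread reused the cached stack"
        : r == 0 ? "second thread got a new mapping" : "error");
  return r < 0;
}
```

Run it several times, as in the trials above: an unpatched glibc normally reports the cached stack being reused, while the malloc'd address comes from the same arena either way.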