From: Vinay Kumar <vinay.m.engg@gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-alpha@sourceware.org, carlos@redhat.com
Subject: Re: Thread stack and heap caches - CVE-2019-1010024
Date: Mon, 11 Nov 2019 16:26:46 +0530 [thread overview]
Message-ID: <CANUMPcU+av0cU7cW3KTTotNw6dUUzA5yeuJPrv-uSQajOYRr7w@mail.gmail.com> (raw)
In-Reply-To: <878sovvnef.fsf@oldenburg2.str.redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1151 bytes --]
Hi Florian,
>> Does this really change the randomization? Won't the kernel map the new
>> stack at a predictable address, too?
Yes, a new address is assigned every time, as shown in the iterations
of output below.
Also, the attached patch "aslr_glibc.patch" adds a glibc configuration
option "--with-aslr" to enable randomization.
Compilation command:
$ x86_64-windriver-linux-gcc test.c -g -fpie -pie \
    -Xlinker -rpath=/home/x86_64-tc/prefix-aslr//x86_64-windriver-linux/lib \
    -Xlinker -I /home/x86_64-tc/prefix-aslr/x86_64-windriver-linux/lib/ld-2.30.9000.so \
    -w -lpthread -o thread.out
Output:
Trial 1:
./thread.out
addr: 0x7f15252bfee0
value deadbeef
malloced 0x7f1520000f70
addr: 0x7f1524abeee0
value 0
malloced 0x7f1520000f70
Trial 2:
./thread.out
addr: 0x7f9091640ee0
value deadbeef
malloced 0x7f908c000f70
addr: 0x7f9090e3fee0
value 0
malloced 0x7f908c000f70
Trial 3:
./thread.out
addr: 0x7f0d923dfee0
value deadbeef
malloced 0x7f0d8c000f70
addr: 0x7f0d91bdeee0
value 0
malloced 0x7f0d8c000f70
Trial 4:
./thread.out
addr: 0x7f146d97dee0
value deadbeef
malloced 0x7f1468000f70
addr: 0x7f146d17cee0
value 0
malloced 0x7f1468000f70
Regards,
Vinay
[-- Attachment #2: aslr_glibc.patch --]
[-- Type: application/octet-stream, Size: 2654 bytes --]
diff --git a/config.h.in b/config.h.in
index 824dfe8..649833e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -255,6 +255,9 @@
/* PowerPC32 uses fctidz for floating point to long long conversions. */
#define HAVE_PPC_FCTIDZ 0
+/* Build glibc with ASLR enabled*/
+#define ASLR_ENABLE 0
+
/* Build glibc with tunables support. */
#define HAVE_TUNABLES 0
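Review bot: the macro name ASLR_ENABLE and the comment "Build glibc with ASLR enabled" describe something this patch does not do: address randomization of a mapping is the kernel's doing for every mmap, and the only effect of the macro (see the nptl/allocatestack.c hunk) is to stop reusing cached thread stacks. Name it for what it controls, for example a stack-cache switch, so that a reader of config.h does not conclude glibc is otherwise built without ASLR. The new comment also lacks the space before the closing `*/` that the neighbouring comments have (`/* Build glibc with tunables support. */`).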
diff --git a/configure b/configure
index 2f44b66..f26d8bd 100755
--- a/configure
+++ b/configure
@@ -688,6 +688,7 @@ enable_timezone_tools
extra_nonshared_cflags
use_default_link
sysheaders
+with_aslr
ac_ct_CXX
CXXFLAGS
CXX
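Review bot: configure is generated from configure.ac, so this hunk and the two that follow should be the output of re-running autoconf on the configure.ac change rather than hand edits; confirm that the tree's autoconf version reproduces exactly this diff, otherwise the next regeneration will churn the file. `with_aslr` lands in this list of substituted variables only because of the AC_SUBST in configure.ac, and nothing in the patch consumes it from a Makefile.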
@@ -762,6 +763,7 @@ with_gd_include
with_gd_lib
with_binutils
with_selinux
+with_aslr
with_headers
with_default_link
with_nonshared_cflags
@@ -1482,6 +1484,7 @@ Optional Packages:
--with-gd-lib=DIR find libgd library files in DIR
--with-binutils=PATH specify location of binutils (as and ld)
--with-selinux if building with SELinux support
+ --with-aslr if building with ASLR support
--with-headers=PATH location of system headers to use (for example
/usr/src/linux/include) [default=compiler default]
--with-default-link do not use explicit linker scripts
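Review bot: the help string "if building with ASLR support" is misleading, since the option adds no ASLR; it makes every new thread stack a fresh mapping by bypassing the stack cache, and the help text should say exactly that. The neighbouring `--with-*` options (`--with-binutils`, `--with-selinux`, `--with-headers`) point at external packages or paths; a build feature toggle like this one is conventionally `--enable-*`/`--disable-*`.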
@@ -3324,6 +3327,20 @@ else
fi
+# Check whether --with-aslr was given.
+if test "${with_aslr+set}" = set; then :
+ withval=$with_aslr; with_aslr=$withval
+else
+ with_aslr=auto
+fi
+
+
+if test "$with_aslr" = yes; then
+ $as_echo "#define ASLR_ENABLE 1" >>confdefs.h
+
+fi
+
+
# Check whether --with-headers was given.
if test "${with_headers+set}" = set; then :
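Review bot: the default `with_aslr=auto` is never resolved: the only test is `if test "$with_aslr" = yes`, so `auto` silently behaves as `no` and the "auto" value has no meaning. Default to `no` (and say so in the help text), or map `auto` to an explicit decision before the test.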
diff --git a/configure.ac b/configure.ac
index e69c88c..74429b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -138,6 +138,16 @@ AC_ARG_WITH([selinux],
[if building with SELinux support]),
[with_selinux=$withval],
[with_selinux=auto])
+AC_ARG_WITH([aslr],
+ AC_HELP_STRING([--with-aslr],
+ [if building with ASLR support]),
+ [with_aslr=$withval],
+ [with_aslr=auto])
+AC_SUBST(with_aslr)
+if test "$with_aslr" = yes; then
+ AC_DEFINE(ASLR_ENABLE)
+fi
+
AC_ARG_WITH([headers],
AC_HELP_STRING([--with-headers=PATH],
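Review bot: `AC_SUBST(with_aslr)` exports the variable to Makefiles, but no Makefile or config.make.in change in this patch reads it; drop the AC_SUBST or add the consumer. The `[with_aslr=auto]` default has the same problem as in the generated configure: only the literal `yes` is checked, so `auto` is effectively `no` and should be written as `no`. `AC_DEFINE(ASLR_ENABLE)` without a value defines the macro to 1, which is consistent with the `#define ASLR_ENABLE 1` echoed into confdefs.h and the `0` template line in config.h.in, so that part is fine.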
diff --git a/nptl/allocatestack.c b/nptl/allocatestack.c
index 64a9ae6..11e5685 100644
--- a/nptl/allocatestack.c
+++ b/nptl/allocatestack.c
@@ -544,7 +544,9 @@ allocate_stack (const struct pthread_attr *attr, struct pthread **pdp,
/* Try to get a stack from the cache. */
reqsize = size;
+ #if !ASLR_ENABLE
pd = get_cached_stack (&size, &mem);
+ #endif
if (pd == NULL)
{
/* To avoid aliasing effects on a larger scale than pages we
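Review bot: with ASLR_ENABLE set, the only assignment to `pd` before `if (pd == NULL)` is compiled out, so unless `pd` is initialized at its declaration (not visible in this hunk) the test reads an unassigned pointer and the fresh-mmap path below may be skipped or taken at random. Add an `#else` branch that sets `pd = NULL` (leaving `size` at `reqsize`), or better, keep the call site untouched and make `get_cached_stack` return NULL under the option. The `#if`/`#endif` are indented with the code; glibc keeps preprocessor directives in column 0. The patch also only disables the dequeue side: nothing here stops freed stacks from being queued into the cache, so with the option on, the cache fills with stacks that are never handed out again. Finally, a compile-time macro forces a separate build to test the behaviour; a tunable would let it be switched per process at runtime.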
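As an added illustration of the experiment in the message above (this is example code written for this page, not the test.c from the message and not glibc code): a probe program that runs two joinable threads back to back, the first filling a stack buffer with 0xdeadbeef, the second reporting the buffer address it gets and how many marker words are still there before it writes anything. The function, struct and the MARKER/SLOTS names are my own. On a glibc that serves the second thread from the stack cache, the addresses match and leftover marker words show up (fewer if the first thread's exit path overwrote part of the buffer); with the cache bypassed, as in the patched build, the second thread gets a fresh mapping and normally sees zeros. It assumes Linux with glibc pthreads; build with `cc -pthread`.

```c
#include <inttypes.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example names (not from glibc or from the message's test.c).  */
#define MARKER 0xdeadbeefu
#define SLOTS  1024               /* 4 KiB of stack per probe */

struct probe
{
  int write_marker;               /* in: fill the buffer with MARKER?  */
  uintptr_t stack_addr;           /* out: address of the stack buffer  */
  unsigned leftover;              /* out: MARKER words found before any write  */
  unsigned written;               /* out: MARKER words present after our write  */
  uintptr_t heap_addr;            /* out: first malloc result in this thread  */
};

static unsigned
count_markers (volatile uint32_t *buf)
{
  unsigned n = 0;
  for (int i = 0; i < SLOTS; i++)
    if (buf[i] == MARKER)
      n++;
  return n;
}

/* Both threads run this same function, so their frames sit at the same
   depth below the thread start routine and BUF lands at the same offset
   in whichever stack glibc gave the thread.  */
static void *
probe_thread (void *arg)
{
  struct probe *p = arg;
  /* volatile and address-taken: the loads from the never-written buffer
     are really performed instead of being optimised away.  */
  volatile uint32_t buf[SLOTS];

  p->stack_addr = (uintptr_t) buf;
  p->leftover = count_markers (buf);
  if (p->write_marker)
    {
      for (int i = 0; i < SLOTS; i++)
        buf[i] = MARKER;
      p->written = count_markers (buf);
    }
  else
    p->written = 0;

  /* The first malloc in a thread comes from that thread's arena; when
     the arena is reused the second thread gets the same address back.  */
  void *m = malloc (64);
  p->heap_addr = (uintptr_t) m;
  free (m);
  return NULL;
}

/* Run one probe thread to completion.  Returns 0 or a pthread errno.  */
int
run_probe (struct probe *p)
{
  pthread_t t;
  int rc = pthread_create (&t, NULL, probe_thread, p);
  if (rc != 0)
    return rc;
  return pthread_join (t, NULL);
}

/* Run the writer, then the reader.  Returns 1 if the reader landed on
   the writer's stack (same buffer address and at least one marker word
   still there), 0 if it got a different stack, -1 on thread failure.  */
int
stack_reused (struct probe *writer, struct probe *reader)
{
  memset (writer, 0, sizeof *writer);
  memset (reader, 0, sizeof *reader);
  writer->write_marker = 1;
  if (run_probe (writer) != 0)
    return -1;
  reader->write_marker = 0;
  if (run_probe (reader) != 0)
    return -1;
  return reader->stack_addr == writer->stack_addr && reader->leftover > 0;
}

int
main (void)
{
  struct probe w, r;
  int reused = stack_reused (&w, &r);
  if (reused < 0)
    {
      fputs ("could not run probe threads\n", stderr);
      return 1;
    }
  printf ("writer: buf %#" PRIxPTR " heap %#" PRIxPTR "\n",
          w.stack_addr, w.heap_addr);
  printf ("reader: buf %#" PRIxPTR " heap %#" PRIxPTR " leftover %u/%d\n",
          r.stack_addr, r.heap_addr, r.leftover, SLOTS);
  printf ("stack reused: %s, heap arena reused: %s\n",
          reused ? "yes" : "no", w.heap_addr == r.heap_addr ? "yes" : "no");
  return 0;
}
```

Run it once against an unpatched glibc and once against the `--with-aslr` build: the "stack reused" line is the stack-cache question Florian raised, and the "heap arena reused" line is the heap-cache half of the CVE title. Whether leftover words survive depends on what the first thread's exit path wrote over the frame, so treat the count as a lower bound on what a later thread can read back.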
Thread overview: 6+ messages
2019-11-04 11:09 Thread stack and heap caches - CVE-2019-1010024 Vinay Kumar
2019-11-04 12:25 ` Florian Weimer
2019-11-11 10:56 ` Vinay Kumar [this message]
2019-11-25 16:43 ` Vinay Kumar
2019-11-25 18:10 ` Florian Weimer
2019-11-25 18:29 ` Vinay Kumar