This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Possibly a bug in glibc around the getrandom(2) implementation.

From: Marcin Mielniczuk <marmistrz dot dev at zoho dot eu>
To: Carlos O'Donell <carlos at redhat dot com>, libc-help at sourceware dot org
Date: Mon, 17 Jul 2017 12:20:40 +0200
Subject: Re: Possibly a bug in glibc around the getrandom(2) implementation.
Authentication-results: sourceware.org; auth=none
References: <00dbbfa7-05ce-9d3f-d32b-e519c8c0dfc3@zoho.eu> <9e927d7f-b914-4f14-0a09-900bc7169d7c@redhat.com> <20ead7b8-7797-c73d-b0c3-6fbf4999fe58@zoho.eu> <6a6dc337-cc61-5300-b051-d4b69c1a32f6@redhat.com>

I decided to start printing the rsp to the stdout, in the following way:
                    register unsigned long rsp asm("rsp");
                    printf("rsp is %p\n", (void*) rsp);

This time, it appeared that the regions are completely contained in thestack but the stack pointer is totally out of the stack, because it'salways: 0x7ffc6fbc5700. In the dumped memory map:

7ffd21f80000-7ffd21fa1000 rw-p 00000000 00:000 [stack]

while the buffers are 7ffd21f9[c910-d2d0] and 7ffd21f9[c1a0-cb60]. Andeven after removing the printf, the buffers are completely inside thestack. I don't know why they previously weren't.

On the other hand, it appears that any file descriptor operation (butnot printing the rsp!! this changes nothing) magically "fixes" the bug.I discovered it while doing `system("cat /proc/<PID>/maps")`, but it'senough to do a successful `open` or `socket` call

Successful, that's important. Opening a nonexistent file is no fix!

I managed to attach gdb using the following trick:

                    register unsigned long rsp asm("rsp");
                    printf("rsp is %p\n", (void*) rsp);
                    if (n == 1) {
                        kill(pid, SIGSTOP);
                        ptrace(PTRACE_DETACH, pid, 0, 0);
                    }

                    n++;

While the std output was:

        getrandom request: 0x00007fa6516d49a0 0x00007fa6516d49b8
        rsp is 0x7fff6a96fd60
        getrandom request: 0x00007ffe70e43e90 0x00007ffe70e44850
        rsp is 0x7fff6a96fd60

the gdb reported a lower stack pointer:

        rsp            0x7ffe70e436b8    0x7ffe70e436b8

It's lower than our buffer address, which is ok. Looks like somethingelse is smashing the stack...


On 14.07.2017 17:24, Carlos O'Donell wrote:

On 07/14/2017 11:04 AM, Marcin Mielniczuk wrote:

On the other hand, the error I'm experiencing happens only if I'm
overwriting memory with PTRACE_POKEUSER and gdb won't load a
scriptable file with a shebang. Should I simply print the RSP
register in my C utility before overwriting the buffer?

That is a good idea. Likewise you can try to reduce your problem to
something you _can_ debug, for example if you can deatch your tracer
and leave the program in a loop, then you can attach gdb and inspect
the state.

Follow-Ups:
- Re: Possibly a bug in glibc around the getrandom(2) implementation.
  - From: Florian Weimer

References:
- Possibly a bug in glibc around the getrandom(2) implementation.
  - From: Marcin Mielniczuk
- Re: Possibly a bug in glibc around the getrandom(2) implementation.
  - From: Carlos O'Donell
- Re: Possibly a bug in glibc around the getrandom(2) implementation.
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]