This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
relro support for MIPS
- From: "C.Praveen" <c_praveen at yahoo dot com>
- To: "binutils at sourceware dot org" <binutils at sourceware dot org>
- Date: Thu, 24 Jul 2014 11:07:12 -0700
- Subject: relro support for MIPS
- Authentication-results: sourceware.org; auth=none
- Reply-to: "C.Praveen" <c_praveen at yahoo dot com>
Greetings,
On the MIPS platform, I am experimenting with the relro option to defeat GOT overwrite attacks. This doesn't appear to be supported for MIPS; am I doing something wrong? This is what I do:
--------------------------------- spme.c ---------------------------------
#include <stdio.h>

/* Three exported functions; each one reports which of them was called. */
int spme1 ()
{
    puts ("Called SPME 1\n");
    return 1;
}
int spme2 ()
{
    puts ("Called SPME 2\n");
    return 2;
}
int spme3 ()
{
    puts ("Called SPME 3\n");
    return 3;
}
---------------------------------------------------------------------------------
which I compile as
mipsel-unknown-linux-gnu-gcc -c -fpic spme.c
mipsel-unknown-linux-gnu-gcc -shared -o spme.so spme.o
----------------------
My test program is
--------------------------------- test.c ------------------------------------
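#include <stdio.h>
extern int spme1();
extern int spme2();
extern int spme3();
int main (int argc, char *argv[])
{
    int x;
    unsigned long addr;
    unsigned int *p;
    /* argv[1] is the GOT address in hex, taken from readelf */
    if (argc < 2 || sscanf (argv[1], "%lx", &addr) != 1)
        return 1;
    p = (unsigned int *) addr;
    /* The casts assume the 32-bit MIPS target, where pointers fit in unsigned int */
    printf ("Addresses are %x %x %x\n", (unsigned int) spme1, (unsigned int) spme2, (unsigned int) spme3);
    spme1 ();
    spme2 ();
    spme3 ();
    /* Walk 128 bytes from the GOT address and point the spme2/spme3 entries at spme1 */
    for (x = 0; x < 128 / 4; ++x)
    {
        if (*p == (unsigned int) spme2 || *p == (unsigned int) spme3)
            *p = (unsigned int) spme1;
        ++p;
    }
    printf ("Addresses are %x %x %x\n", (unsigned int) spme1, (unsigned int) spme2, (unsigned int) spme3);
    spme1 ();
    spme2 ();
    spme3 ();
    return 0;
}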
-----------------------------------------------------------------------------
I compile the above as mipsel-unknown-linux-gnu-gcc -Wl,-z,relro,-z,now test.c spme.so
and the output is (I look up the GOT address from readelf -a and pass it as the first argument)
Addresses are 2aaf87d0 2aaf8830 2aaf8890
Called SPME 1
Called SPME 2
Called SPME 3
Addresses are 2aaf87d0 2aaf87d0 2aaf87d0
Called SPME 1
Called SPME 1
Called SPME 1
---------------------------------------------------------------------------
It appears that I was able to overwrite the GOT. Am I doing something wrong? Should I be doing something else to make the GOT read-only? Any information is highly appreciated!
I can tell from the readelf output that the GNU_RELRO section was created but it doesn't contain the GOT. If this isn't supported on the MIPS platform, what are my options here? Maybe use a custom linker script that puts the GOT in a read-only area?
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00400034 0x00400034 0x00120 0x00120 R E 0x4
  INTERP         0x000154 0x00400154 0x00400154 0x0000d 0x0000d R   0x1
      [Requesting program interpreter: /lib/ld.so.1]
  REGINFO        0x000184 0x00400184 0x00400184 0x00018 0x00018 R   0x4
  LOAD           0x000000 0x00400000 0x00400000 0x00d24 0x00d24 R E 0x10000
  LOAD           0x000fec 0x00410fec 0x00410fec 0x0008c 0x000a4 RW  0x10000
  DYNAMIC        0x00019c 0x0040019c 0x0040019c 0x000f0 0x000f0 RWE 0x4
  NOTE           0x000164 0x00400164 0x00400164 0x00020 0x00020 R   0x4
  GNU_RELRO      0x000fec 0x00410fec 0x00410fec 0x00014 0x00014 R   0x1
  NULL           0x000000 0x00000000 0x00000000 0x00000 0x00000     0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .reginfo
   03     .interp .note.ABI-tag .reginfo .dynamic .hash .dynsym .dynstr .gnu.version .gnu.version_r .init .text .MIPS.stubs .fini .rodata .eh_frame
   04     .ctors .dtors .jcr .data .rld_map .got .sdata .bss
   05     .dynamic
   06     .note.ABI-tag
   07     .ctors .dtors .jcr
   08
Thanks much for any help!
Praveen
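
The readelf check described in the message, as an added example that is not part of the original post: it parses the `readelf -l` text quoted above and lists the sections that sit in a writable LOAD segment but in no GNU_RELRO segment. The function names are hypothetical, and the embedded text is the post's own output with the column spacing restored.

```python
# readelf -l output from the post (column spacing restored), embedded as sample input.
READELF_L = """\
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00400034 0x00400034 0x00120 0x00120 R E 0x4
  INTERP         0x000154 0x00400154 0x00400154 0x0000d 0x0000d R   0x1
      [Requesting program interpreter: /lib/ld.so.1]
  REGINFO        0x000184 0x00400184 0x00400184 0x00018 0x00018 R   0x4
  LOAD           0x000000 0x00400000 0x00400000 0x00d24 0x00d24 R E 0x10000
  LOAD           0x000fec 0x00410fec 0x00410fec 0x0008c 0x000a4 RW  0x10000
  DYNAMIC        0x00019c 0x0040019c 0x0040019c 0x000f0 0x000f0 RWE 0x4
  NOTE           0x000164 0x00400164 0x00400164 0x00020 0x00020 R   0x4
  GNU_RELRO      0x000fec 0x00410fec 0x00410fec 0x00014 0x00014 R   0x1
  NULL           0x000000 0x00000000 0x00000000 0x00000 0x00000     0x4
 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .reginfo
   03     .interp .note.ABI-tag .reginfo .dynamic .hash .dynsym .dynstr .gnu.version .gnu.version_r .init .text .MIPS.stubs .fini .rodata .eh_frame
   04     .ctors .dtors .jcr .data .rld_map .got .sdata .bss
   05     .dynamic
   06     .note.ABI-tag
   07     .ctors .dtors .jcr
   08
"""

def parse(text):
    """Return ([(segment type, flags)], {segment index: [section names]})."""
    segs, mapping, state = [], {}, None
    for line in text.splitlines():
        tok = line.split()
        if line.strip() == "Program Headers:":
            state = "phdr"
        elif "Section to Segment mapping" in line:
            state = "map"
        elif state == "phdr" and len(tok) >= 7 and tok[1].startswith("0x"):
            segs.append((tok[0], "".join(tok[6:-1])))  # flags "R E" become "RE"
        elif state == "map" and tok and tok[0].isdigit():
            mapping[int(tok[0])] = tok[1:]
    return segs, mapping

def writable_unprotected(text):
    """Sections in a writable LOAD segment that no GNU_RELRO segment covers."""
    segs, mapping = parse(text)
    relro = {s for i, (t, _) in enumerate(segs) if t == "GNU_RELRO" for s in mapping.get(i, [])}
    rw = [s for i, (t, f) in enumerate(segs) if t == "LOAD" and "W" in f for s in mapping.get(i, [])]
    return [s for s in rw if s not in relro]
```

For the output in the message this returns .data, .rld_map, .got, .sdata and .bss; .data and .bss are expected to stay writable, so the entry to look for is .got.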