This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: relro support for MIPS


"C.Praveen" <c_praveen@yahoo.com> writes:
> Greetings,
>
> On the MIPS platform, I am experimenting with the relro option to defeat
> GOT overwrite attacks. This doesn't appear to be supported for MIPS, am
> I doing something wrong? This is what I do:
>
>
> int spme1 ()
> {
>     puts ("Called SPME 1\n");
>     return 1;
> }
> int spme2 ()
> {
>     puts ("Called SPME 2\n");
>     return 2;
> }
> int spme3 ()
> {
>     puts ("Called SPME 3\n");
>     return 3;
> }
> ---------------------------------------------------------------------------------
>
> which I compile as
>
> mipsel-unknown-linux-gnu-gcc -c -fpic spme.c
>
> mipsel-unknown-linux-gnu-gcc -shared -o spme.so spme.o
>
> ----------------------
>
> My test program is
>
>
> #include <stdio.h>
> extern int spme1();
> extern int spme2();
> extern int spme3();
>
> void main (int argc, char *argv[])
> {
>     int x;
>     unsigned int *p;
>
>     sscanf (argv[1], "%lx", &p);
>
>     printf ("Addresses are %x %x %x\n", spme1, spme2, spme3);
>     spme1 ();
>     spme2 ();
>     spme3 ();
>
>     for (x = 0; x < 128 / 4; ++x)
>     {
>         if (*p == spme2 || *p == spme3)
>             *p = spme1;
>         ++p;
>     }
>
>     printf ("Addresses are %x %x %x\n", spme1, spme2, spme3);
>     spme1 ();
>     spme2 ();
>     spme3 ();
>
> }
>
> -----------------------------------------------------------------------------
>
> I compile the above as mipsel-unknown-linux-gnu-gcc -Wl,-z,relro,-z,now
> test.c spme.so
>
> and the output is (I look up the GOT address from readelf -a and pass it as
> the first argument)
>
> Addresses are 2aaf87d0 2aaf8830 2aaf8890
> Called SPME 1
>
> Called SPME 2
>
> Called SPME 3
>
> Addresses are 2aaf87d0 2aaf87d0 2aaf87d0
> Called SPME 1
>
> Called SPME 1
>
> Called SPME 1
>
> ---------------------------------------------------------------------------
>
> It appears that I was able to overwrite the GOT. Am I doing something
> wrong? Should I be doing something else to make the GOT readonly? Any
> information is highly appreciated!
>
> I can tell from the readelf output that the GNU_RELRO section was
> created but it doesn't contain the GOT. If this isn't supported on the
> MIPS platform, what are my options here? Maybe use a custom linker
> script that puts the GOT in a read-only area?

Yeah, that's probably the only way to do it with an out-of-the-box
version of binutils.  There is code to treat .got.plt as .rel.ro for
-znow, but .got itself.

Thanks,
Richard
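
The check the original poster did by hand with readelf, whether .got falls inside the GNU_RELRO segment, can be scripted. The following is an added example, not part of either message or of binutils; it handles ELF32 only, and `relro_coverage`, `sample_elf` and the sample layout are constructed for illustration.

```python
import struct
import sys

PT_GNU_RELRO = 0x6474E552  # program header type of the read-only-after-relocation segment

def relro_coverage(elf, names=(".got", ".got.plt")):
    """Map each named section to True if it lies wholly inside a PT_GNU_RELRO segment (ELF32)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    e = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    phoff, shoff = struct.unpack_from(e + "2I", elf, 28)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from(e + "5H", elf, 42)
    relro = []
    for i in range(phnum):
        p_type, _, p_vaddr, _, _, p_memsz = struct.unpack_from(e + "6I", elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            relro.append((p_vaddr, p_vaddr + p_memsz))
    # First six section-header words: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    shdrs = [struct.unpack_from(e + "6I", elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]  # file offset of .shstrtab
    result = {}
    for sh_name, _, _, sh_addr, _, sh_size in shdrs:
        start = strtab + sh_name
        name = elf[start:elf.index(b"\0", start)].decode()
        if name in names:
            result[name] = any(lo <= sh_addr and sh_addr + sh_size <= hi for lo, hi in relro)
    return result

def sample_elf():
    """Constructed ELF32 little-endian image: RELRO spans .got.plt but not .got."""
    strtab = b"\0.got\0.got.plt\0.shstrtab\0"
    def sh(name, addr, off, size):
        return struct.pack("<10I", name, 1, 3, addr, off, size, 0, 0, 4, 0)
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = ident + struct.pack("<2H5I6H", 3, 8, 1, 0, 52, 84, 0, 52, 32, 1, 40, 4, 3)
    phdr = struct.pack("<8I", PT_GNU_RELRO, 0, 0x1000, 0x1000, 0x100, 0x100, 4, 1)
    shdrs = sh(0, 0, 0, 0) + sh(1, 0x2000, 0, 0x40) + sh(6, 0x1000, 0, 0x20) + sh(15, 0, 244, len(strtab))
    return ehdr + phdr + shdrs + strtab

if __name__ == "__main__":
    # Pass a path to inspect a real binary; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf()
    for section, covered in relro_coverage(data).items():
        print(f"{section}: {'inside' if covered else 'OUTSIDE'} PT_GNU_RELRO")
```

A section reported as outside the segment stays writable after relocation, whether or not `-z now` was given.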

