This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/20857] New: ld.so --verify is unreliable for position-dependent executables


https://sourceware.org/bugzilla/show_bug.cgi?id=20857

            Bug ID: 20857
           Summary: ld.so --verify is unreliable for position-dependent
                    executables
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

ld.so --verify on this program crashes (when compiled on x86_64):

/* 3ULL << 45 bytes = 96 TiB of .bss, placed at a fixed address because the
   executable is position-dependent */
char buffer[3ULL << 45];

int main (void)
{
}

Before running the following command, enable unlimited memory overcommit with
vm.overcommit_memory=1.

$ gdb --args /lib64/ld-linux-x86-64.so.2 ./a.out 
…
(gdb) r
Starting program: /usr/lib64/ld-linux-x86-64.so.2 ./a.out

Program received signal SIGSEGV, Segmentation fault.
0x000055555556d4ba in mmap64 () at ../sysdeps/unix/syscall-template.S:84
84      T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) disas
Dump of assembler code for function mmap64:
   0x000055555556d4b0 <+0>:     add    %al,(%rax)
   0x000055555556d4b2 <+2>:     add    %al,(%rax)
   0x000055555556d4b4 <+4>:     add    %al,(%rax)
   0x000055555556d4b6 <+6>:     add    %al,(%rax)
   0x000055555556d4b8 <+8>:     add    %al,(%rax)
=> 0x000055555556d4ba <+10>:    add    %al,(%rax)
   0x000055555556d4bc <+12>:    add    %al,(%rax)
   0x000055555556d4be <+14>:    add    %al,(%rax)
   0x000055555556d4c0 <+16>:    add    %al,(%rax)
   0x000055555556d4c2 <+18>:    add    %al,(%rax)
   0x000055555556d4c4 <+20>:    add    %al,(%rax)
   0x000055555556d4c6 <+22>:    add    %al,(%rax)
   0x000055555556d4c8 <+24>:    add    %al,(%rax)
   0x000055555556d4ca <+26>:    add    %al,(%rax)
   0x000055555556d4cc <+28>:    add    %al,(%rax)
   0x000055555556d4ce <+30>:    add    %al,(%rax)
   0x000055555556d4d0 <+32>:    add    %al,(%rax)
   0x000055555556d4d2 <+34>:    add    %al,(%rax)
End of assembler dump.
(gdb) 

The opcodes correspond to NUL bytes, so the mmap system call stub itself has
been over-mapped.

Due to ASLR, this can happen randomly with much smaller executables.

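As an added example, not code from the bug report or from glibc, the following Python parses the ELF64 program headers of an executable and checks whether a position-dependent (ET_EXEC) image's PT_LOAD span, counted by p_memsz rather than p_filesz, would cover the loader's own mapping. The sample image is constructed inline to resemble the reporter's test program; the loader base is taken from the gdb session above and its 2 MiB size is an assumption.

```python
import struct

PT_LOAD, ET_EXEC = 1, 2

def parse_elf64_loads(data):
    """Return (e_type, [(p_vaddr, p_memsz), ...]) from an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads = []
    for i in range(e_phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:
            loads.append((p[3], p[6]))
    return e_type, loads

def mapped_span(loads):
    """Virtual range the PT_LOAD segments occupy; p_memsz is used, so .bss counts."""
    return min(v for v, _ in loads), max(v + m for v, m in loads)

def would_overmap(e_type, loads, loader_base, loader_size):
    """True if a fixed-address (ET_EXEC) image's span intersects the loader's mapping."""
    if e_type != ET_EXEC:
        return False  # ET_DYN images are relocated, so there is no fixed collision
    lo, hi = mapped_span(loads)
    return lo < loader_base + loader_size and loader_base < hi

def build_sample(bss_memsz):
    """Constructed ELF64 ET_EXEC image (headers only) shaped like the test program."""
    phdrs = [(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),    # text
             (PT_LOAD, 6, 0x1000, 0x601000, 0x601000, 0, bss_memsz, 0x1000)]  # .bss
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_EXEC, 62, 1, 0x400000, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

# Assumed loader placement: base from the gdb session above, size is a 2 MiB guess.
LOADER_BASE, LOADER_SIZE = 0x555555554000, 0x200000

if __name__ == "__main__":
    for memsz in (0x1000, 3 << 45):
        e_type, loads = parse_elf64_loads(build_sample(memsz))
        print(hex(memsz), would_overmap(e_type, loads, LOADER_BASE, LOADER_SIZE))
```

Run it against a real binary by replacing build_sample() with the file's bytes; a large p_memsz on an ET_EXEC image is the condition under which ld.so --verify becomes unreliable.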
