This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/20857] New: ld.so --verify is unreliable for position-dependent executables
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 23 Nov 2016 10:25:15 +0000
- Subject: [Bug dynamic-link/20857] New: ld.so --verify is unreliable for position-dependent executables
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20857
Bug ID: 20857
Summary: ld.so --verify is unreliable for position-dependent executables
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security-
ld.so --verify on this program crashes (when compiled on x86_64):
char buffer[3ULL << 45];
int main (void)
{
}
Before running the following command, enable unlimited memory overcommit with vm.overcommit_memory=1.
$ gdb --args /lib64/ld-linux-x86-64.so.2 ./a.out
…
(gdb) r
Starting program: /usr/lib64/ld-linux-x86-64.so.2 ./a.out
Program received signal SIGSEGV, Segmentation fault.
0x000055555556d4ba in mmap64 () at ../sysdeps/unix/syscall-template.S:84
84 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) disas
Dump of assembler code for function mmap64:
0x000055555556d4b0 <+0>: add %al,(%rax)
0x000055555556d4b2 <+2>: add %al,(%rax)
0x000055555556d4b4 <+4>: add %al,(%rax)
0x000055555556d4b6 <+6>: add %al,(%rax)
0x000055555556d4b8 <+8>: add %al,(%rax)
=> 0x000055555556d4ba <+10>: add %al,(%rax)
0x000055555556d4bc <+12>: add %al,(%rax)
0x000055555556d4be <+14>: add %al,(%rax)
0x000055555556d4c0 <+16>: add %al,(%rax)
0x000055555556d4c2 <+18>: add %al,(%rax)
0x000055555556d4c4 <+20>: add %al,(%rax)
0x000055555556d4c6 <+22>: add %al,(%rax)
0x000055555556d4c8 <+24>: add %al,(%rax)
0x000055555556d4ca <+26>: add %al,(%rax)
0x000055555556d4cc <+28>: add %al,(%rax)
0x000055555556d4ce <+30>: add %al,(%rax)
0x000055555556d4d0 <+32>: add %al,(%rax)
0x000055555556d4d2 <+34>: add %al,(%rax)
End of assembler dump.
(gdb)
The opcodes correspond to NUL bytes, so the mmap system call stub itself has been over-mapped.
Due to ASLR, this can happen randomly with much smaller executables.
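As an added illustration (not code from the bug report or from glibc): a Python check that parses the program headers of an ELF64 image and reports whether a position-dependent (ET_EXEC) executable's fixed-address PT_LOAD ranges, including .bss via p_memsz, would cover the range where ld.so itself was mapped. The loader base 0x555555554000 is taken from the gdb session above (ASLR disabled); the mapping size, the 0x400000/0x601000 segment layout and the ELF images themselves are constructed assumptions for the example.

```python
import struct

ET_EXEC, ET_DYN, PT_LOAD = 2, 3, 1
# Assumed loader mapping, taken from the gdb session above (ASLR disabled):
# ld.so text near 0x5555555xxxxx. The size is a placeholder, not measured.
LOADER_BASE = 0x555555554000
LOADER_SIZE = 0x40000


def parse_elf64(data):
    """Return (e_type, [(p_vaddr, p_memsz), ...]) for the PT_LOAD segments."""
    if data[:4] != b"\x7fELF" or data[4] != 2:       # magic, ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads = []
    for i in range(e_phnum):
        phdr = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_vaddr, p_memsz = phdr[0], phdr[3], phdr[6]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_memsz))
    return e_type, loads


def clobbers_loader(data, base=LOADER_BASE, size=LOADER_SIZE):
    """True if a position-dependent executable's fixed PT_LOAD ranges (file
    bytes plus .bss, i.e. p_memsz) overlap [base, base+size), the loader's
    own mapping. An ET_DYN executable is relocated by ld.so, so never reported."""
    e_type, loads = parse_elf64(data)
    if e_type != ET_EXEC:
        return False
    return any(v < base + size and v + m > base for v, m in loads)


def make_elf64(e_type, segments):
    """Constructed sample: minimal ELF64 image (header + PT_LOAD phdrs only)."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)           # ELFCLASS64, LE, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(segments), 0, 0, 0)  # EM_X86_64, phoff 64
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0, v, v, 0, m, 0x1000)
                     for v, m in segments)
    return ehdr + phdrs


if __name__ == "__main__":
    # Assumed non-PIE layout of the report's a.out: text at 0x400000,
    # data/.bss at 0x601000 with the 3 << 45 byte buffer in .bss.
    huge = make_elf64(ET_EXEC, [(0x400000, 0x1000), (0x601000, 3 << 45)])
    small = make_elf64(ET_EXEC, [(0x400000, 0x1000), (0x601000, 0x1000)])
    print("huge .bss covers loader:", clobbers_loader(huge))    # True
    print("small .bss covers loader:", clobbers_loader(small))  # False
```

With ASLR enabled the loader base varies per run, so pass the actual base (e.g. from /proc/PID/maps) as the `base` argument; a small executable can collide only for some bases, which is the randomness the report describes.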