This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.
Re: Disabling Consistency Checks
- From: Eric Neblock <c_eric at sbcglobal dot net>
- To: Paul Pluzhnikov <ppluzhnikov at gmail dot com>
- Cc: Carlos O'Donell <carlos at redhat dot com>, libc-help at sourceware dot org
- Date: Sat, 06 Dec 2014 14:45:15 -0600
- Subject: Re: Disabling Consistency Checks
- References: <547DD236 dot 5040700 at sbcglobal dot net> <547E82DA dot 6040202 at redhat dot com> <547F9F47 dot 1080403 at sbcglobal dot net> <CALoOobMSS2zMMETXmAe+KzC2PCLatux_gDVDr0ofWsRQ4sceVg at mail dot gmail dot com>
On 12/03/2014 07:11 PM, Paul Pluzhnikov wrote:
> On Wed, Dec 3, 2014 at 3:39 PM, Eric Neblock <c_eric@sbcglobal.net> wrote:
>
>> On 12/02/2014 09:26 PM, Carlos O'Donell wrote:
>>> On 12/02/2014 09:52 AM, Eric Neblock wrote:
>>>> Inconsistency detected by ld.so: ../elf/dl-runtime.c: 79: _dl_fixup:
>>>> Assertion `((reloc->r_info) & 0xffffffff) == 7' failed!
>>>
>>> This means you corrupted memory and the relocation for the PLT
>>> slot is not a PLT relocation.
>>>
> ...
>> I am using ptrace; however, the method I'm using is:
>>
>> ptrace(PTRACE_POKETEXT, PID, ADDR_TO_BREAK_AT, (ORIG_INSTRUCTION &
>> 0xFFFFFFFFFFFFFF00) | 0xCC)
>
> Since this corrupts PLT relocation, your method of finding out
> ADDR_TO_BREAK_AT is likely incorrect.
>
> You may want to disable ASLR, then print the ADDR_TO_BREAK_AT, then use GDB
> and find out what that address actually points to (gdb "info symbol 0xNNNN"
> command), as well is where the breakpoint should have been "break foo"
> then "info break".
>
>
Thanks! I completely forgot about return-to-libc attacks.
I'm actually doing this in a very hackish way. Instead of using BFD, I'm
calling `objdump`, feeding that into a pipe, and then reading the pipe
for "malloc@plt" or whatever function I need.
So when using gdb, everything matches to where it needs to be; however,
even after disabling ASLR, the same error still comes up.
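The check Paul suggests above (find out what ADDR_TO_BREAK_AT actually points to before poking into it), as an added example that is not code from this thread, from glibc or from Eric's tool. It takes the PLT stub address from `objdump -d` output the way the reply describes, rebases it with the binary's load address from /proc/PID/maps, and refuses the address unless it lies in an executable mapping, since an int3 poked into a non-executable page overwrites data rather than code. The objdump text, the maps lines, the path /tmp/target and the load address 0x555555554000 are constructed for illustration; the code assumes an x86-64 PIE whose first PT_LOAD segment has link address 0, and the int3 masking is the same as in the quoted ptrace call.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed `objdump -d` output for an x86-64 PIE: the malloc PLT stub. */
static const char *OBJDUMP_SAMPLE =
    "0000000000001030 <malloc@plt>:\n"
    "    1030:\tff 25 e2 2f 00 00    \tjmp    *0x2fe2(%rip)\n"
    "    1036:\t68 00 00 00 00       \tpush   $0x0\n";

/* Constructed /proc/PID/maps for that binary (hypothetical path /tmp/target),
 * loaded at 0x555555554000 as it would be with ASLR disabled. */
static const char *MAPS_SAMPLE =
    "555555554000-555555555000 r--p 00000000 08:01 1234 /tmp/target\n"
    "555555555000-555555556000 r-xp 00001000 08:01 1234 /tmp/target\n"
    "555555556000-555555557000 r--p 00002000 08:01 1234 /tmp/target\n";

enum target_check { TARGET_EXEC = 0, TARGET_NOT_EXEC = 1, TARGET_UNMAPPED = 2 };

static const char *next_line(const char *p)
{
    const char *nl = strchr(p, '\n');
    return nl ? nl + 1 : p + strlen(p);
}

/* One maps line: "start-end perms offset dev inode [path]"; 0 on success. */
static int parse_maps_line(const char *line, uint64_t *start, uint64_t *end,
                           char perms[5], uint64_t *off, char path[256])
{
    unsigned long long s, e, o;
    path[0] = '\0';
    if (sscanf(line, "%llx-%llx %4s %llx %*s %*s %255s",
               &s, &e, perms, &o, path) < 4)
        return -1;
    *start = s; *end = e; *off = o;
    return 0;
}

/* Link-time address from the "<sym>:" header line of objdump -d output.
 * Returns 0 and sets *addr, or -1 if the symbol is absent. */
int find_plt_symbol(const char *objdump, const char *sym, uint64_t *addr)
{
    for (const char *line = objdump; *line; line = next_line(line)) {
        unsigned long long a;
        char name[128];
        if (sscanf(line, "%llx <%127[^>]>:", &a, name) == 2 &&
            strcmp(name, sym) == 0) {
            *addr = a;
            return 0;
        }
    }
    return -1;
}

/* Runtime address of a PLT stub: link-time address plus the load base, taken as
 * the mapping of `path` backed by file offset 0 (first PT_LOAD at link address
 * 0, as in a typical PIE). Returns 0 if the symbol or the mapping is missing. */
uint64_t resolve_plt_runtime(const char *objdump, const char *maps,
                             const char *path, const char *sym)
{
    uint64_t off, s, e, o; char perms[5], p[256];
    if (find_plt_symbol(objdump, sym, &off) != 0) return 0;
    for (const char *line = maps; *line; line = next_line(line))
        if (parse_maps_line(line, &s, &e, perms, &o, p) == 0 &&
            o == 0 && strcmp(p, path) == 0)
            return s + off;
    return 0;
}

/* Check before PTRACE_POKETEXT: a code breakpoint must land in an r-x mapping.
 * A non-executable page means the address is wrong and the poke would overwrite
 * data instead of code; an unmapped address means POKETEXT will fail outright. */
enum target_check check_target(const char *maps, uint64_t addr)
{
    uint64_t s, e, o; char perms[5], p[256];
    for (const char *line = maps; *line; line = next_line(line))
        if (parse_maps_line(line, &s, &e, perms, &o, p) == 0 &&
            s <= addr && addr < e)
            return perms[2] == 'x' ? TARGET_EXEC : TARGET_NOT_EXEC;
    return TARGET_UNMAPPED;
}

/* Word to poke: x86-64 is little-endian, so the low byte of the word PEEKTEXT
 * returned is the byte at addr itself; only it becomes 0xCC (int3). Same
 * masking as the quoted ptrace call. Keep orig_word to restore it afterwards. */
uint64_t make_int3_word(uint64_t orig_word)
{
    return (orig_word & ~(uint64_t)0xFF) | 0xCC;
}

int main(void)
{
    uint64_t addr = resolve_plt_runtime(OBJDUMP_SAMPLE, MAPS_SAMPLE,
                                        "/tmp/target", "malloc@plt");
    printf("malloc@plt at 0x%" PRIx64 " (check=%d, 0 means r-x)\n", addr,
           (int)check_target(MAPS_SAMPLE, addr));
    /* Word at 0x1030 in the sample: bytes ff 25 e2 2f 00 00 68 00. */
    printf("patched: 0x%016" PRIx64 "\n", make_int3_word(0x006800002fe225ffULL));
    return 0;
}
```

With a real target, feed it the output of `objdump -d` and the contents of /proc/PID/maps for the traced process, and call check_target on the resolved address before the PTRACE_POKETEXT; an address that comes back as not executable is the case gdb's "info symbol" would expose, and the poke should not be made.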