Discussion:
[PATCH] powerpc: Fix Text randomization
Vineeth Vijayan
2014-10-10 05:45:26 UTC
Right now there is no way to disable TEXT randomization on a PPC32
machine. Text randomization happens even in the case of "echo 0 >
/proc/sys/kernel/randomize_va_space"

This happens due to the incorrect definition of ELF_ET_DYN_BASE at
arch/powerpc/include/asm/elf.h

Signed-off-by: Vineeth Vijayan <vvijayan at mvista.com>
---
Test details:

#include <stdio.h>

/* Print the address of main(); for a PIE this should change between runs
 * only when the kernel randomizes the text base. */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;
	printf("main = %p\n", (void *)main);
	return 0;
}

Compile the same as position-independent executable

Results without Patch:

p5040ds:~# gcc test.c -o test -fPIE -pie
p5040ds:~# echo 2 > /proc/sys/kernel/randomize_va_space
p5040ds:~# ./test
main = 0xb7e9681c
p5040ds:~# ./test
main = 0xb7aba81c
p5040ds:~# ./test
main = 0xb7fac81c
p5040ds:~# ./test
main = 0xb7f4c81c
p5040ds:~# echo 0 > /proc/sys/kernel/randomize_va_space
p5040ds:~# ./test
main = 0x2010281c
p5040ds:~# ./test
main = 0x2018d81c
p5040ds:~# ./test
main = 0x206a981c
p5040ds:~# ./test
main = 0x2036681c


Results with Patch:

p5040ds:~# gcc test.c -o test -fPIE -pie
p5040ds:~#
p5040ds:~# echo 2 > /proc/sys/kernel/randomize_va_space
p5040ds:~#
p5040ds:~# ./test
main = 0xb78a581c
p5040ds:~# ./test
main = 0xb792c81c
p5040ds:~# ./test
main = 0xb79de81c
p5040ds:~# ./test
main = 0xb78ae81c
p5040ds:~# echo 0 > /proc/sys/kernel/randomize_va_space
p5040ds:~#
p5040ds:~# ./test
main = 0x2000081c
p5040ds:~# ./test
main = 0x2000081c
p5040ds:~# ./test
main = 0x2000081c
p5040ds:~# ./test
main = 0x2000081c


arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/elf.h | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 4bc7b62..f99ddae 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -88,6 +88,7 @@ config PPC
select ARCH_MIGHT_HAVE_PC_PARPORT
select ARCH_MIGHT_HAVE_PC_SERIO
select BINFMT_ELF
+ select ARCH_BINFMT_ELF_RANDOMIZE_PIE
select OF
select OF_EARLY_FLATTREE
select OF_RESERVED_MEM
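Review bot: the commit message does not say why `select ARCH_BINFMT_ELF_RANDOMIZE_PIE` is needed; together with the elf.h hunk it moves responsibility for PIE base randomization from the arch-specific randomize_et_dyn() to the generic ELF loader, which is what the symbol name implies, and the log should state that so a reader can see what actually changed. Also, `config PPC` covers 32- and 64-bit, but the test results above are PPC32 only (32-bit addresses on a p5040ds); say whether PPC64 was tested with this change.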
diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h
index 888d8f3..162813b 100644
--- a/arch/powerpc/include/asm/elf.h
+++ b/arch/powerpc/include/asm/elf.h
@@ -29,7 +29,7 @@
that it will "exec", and that there is sufficient room for the brk. */

extern unsigned long randomize_et_dyn(unsigned long base);
-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
+#define ELF_ET_DYN_BASE (0x20000000)

#define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0)
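Review bot: the `extern unsigned long randomize_et_dyn(unsigned long base);` declaration directly above the changed line is left in place although this hunk removes its only use in the header; if nothing else in arch/powerpc calls it, drop the declaration and the function definition in the same patch rather than leaving dead code. The log calls the old definition "incorrect" without saying what is wrong with it: the test output shows the randomize_va_space=0 case still varying within a few MB above 0x20000000, which points at randomize_et_dyn() ignoring the sysctl. State that, and say why dropping the call is preferred over making randomize_et_dyn() honour the setting.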
--
1.7.9.5
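Added example, not part of the patch or of this thread: a script that automates the test above by running a PIE several times and judging whether its text base honours the current randomize_va_space setting. It assumes a C compiler in $CC (default gcc) and never writes to /proc; set the sysctl yourself before invoking it with --run.

```shell
#!/bin/sh
# Added example (not the patch author's code): run a PIE N times and check
# that its text base is randomized exactly when randomize_va_space says so.
# Assumes a C compiler in $CC (default gcc); it never writes to /proc.
set -eu

# Given "main = 0x..." lines, one per run, print "randomized" if more than
# one distinct address was seen and "fixed" if every run agreed.
classify_runs() {
    distinct=$(printf '%s\n' "$1" | sed -n 's/^main = //p' | sort -u | wc -l)
    if [ "$distinct" -gt 1 ]; then echo randomized; else echo fixed; fi
}

# Verdict a correct kernel must produce for a randomize_va_space value:
# 0 disables all randomization, 1 and 2 randomize the PIE base.
expected_for_setting() {
    case "$1" in
        0) echo fixed ;;
        1|2) echo randomized ;;
        *) echo unknown ;;
    esac
}

# Build the test program, run it $1 times (default 8) and exit non-zero if
# the observed behaviour contradicts the sysctl. Only runs with "--run".
run_check() {
    runs=${1:-8}
    dir=$(mktemp -d)
    printf '%s\n' '#include <stdio.h>' \
        'int main(void) { printf("main = %p\n", (void *)main); return 0; }' \
        > "$dir/test.c"
    "${CC:-gcc}" "$dir/test.c" -o "$dir/test" -fPIE -pie
    out=""
    i=0
    while [ "$i" -lt "$runs" ]; do
        out="$out$("$dir/test")
"
        i=$((i + 1))
    done
    rm -rf "$dir"
    setting=$(cat /proc/sys/kernel/randomize_va_space)
    verdict=$(classify_runs "$out")
    want=$(expected_for_setting "$setting")
    printf 'randomize_va_space=%s observed=%s expected=%s\n' \
        "$setting" "$verdict" "$want"
    [ "$verdict" = "$want" ]
}
if [ "${1:-}" = "--run" ]; then run_check "${2:-8}"; fi
```

Run it once with the sysctl at 2 and once at 0; a kernel with the bug described above fails the second run because the addresses still differ.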
Michael Ellerman
2014-10-15 02:08:11 UTC
Post by Vineeth Vijayan
Right now there is no way to disable TEXT randomization on a PPC32
machine. Text randomization happens even in the case of "echo 0 >
/proc/sys/kernel/randomize_va_space"
Yeah it seems to happen on ppc64 too.
Post by Vineeth Vijayan
This happens due to the incorrect definition of ELF_ET_DYN_BASE at
arch/powerpc/include/asm/elf.h
What is incorrect about it? We are not the only arch that does that.

I'm not clear on what has changed to break this?

cheers
Vineeth Vijayan
2014-10-15 06:38:29 UTC
Post by Michael Ellerman
Post by Vineeth Vijayan
Right now there is no way to disable TEXT randomization on a PPC32
machine. Text randomization happens even in the case of "echo 0 >
/proc/sys/kernel/randomize_va_space"
Yeah it seems to happen on ppc64 too.
Post by Vineeth Vijayan
This happens due to the incorrect definition of ELF_ET_DYN_BASE at
arch/powerpc/include/asm/elf.h
What is incorrect about it? We are not the only arch that does that.
I think we are one of the archs which does it.
The same has been tested on x86 and arm, where ELF_ET_DYN_BASE doesn't
use the randomize_et_dyn call, and it works properly as per the user-space
definition of randomization;

(i.e. when at "echo 0 > /proc/sys/kernel/randomize_va_space", TEXT
randomization should not happen.)
Post by Michael Ellerman
I'm not clear on what has changed to break this?
cheers