Summary: | binutils-2.18 on hardened produces PT_GNU_RELRO with filesize > memsize | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Guillaume Castagnino <casta> |
Component: | Hardened | Assignee: | Gentoo Toolchain Maintainers <toolchain> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hardened, pageexec |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://sourceware.org/bugzilla/show_bug.cgi?id=5037 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Guillaume Castagnino
2007-09-15 09:06:39 UTC
Here is what I get when not using binutils-2.18 (I'm on .17) hardened ~ # paxctl -v /usr/sbin/apache2 PaX control v0.4 Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu> - PaX flags: -------x-e-- [/usr/sbin/apache2] RANDEXEC is disabled EMUTRAMP is disabled hardened ~ # qlist -vUSe apache www-servers/apache-2.2.6 2 (ssl) hardened ~ # scanelf -a /usr/sbin/apache2 TYPE PAX STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- RW- R-- RW- - - NOW /usr/sbin/apache2 hardened ~ # ld -v GNU ld version 2.17 I confirm this : after downgrading binutils to 2.17 and recompiling apache-2.2.6, the problem disappears : # readelf -l /usr/sbin/apache2 Type de fichier ELF est DYN (fichier objet partagé) Point d'entrée 0x1a630 Il y a 10 en-têtes de programme, débutant à l'adresse de décalage52 En-têtes de programme: Type Décalage Adr. vir. Adr.phys. T.Fich. T.Mém. Fan Alignement PHDR 0x000034 0x00000034 0x00000034 0x00140 0x00140 R E 0x4 INTERP 0x000174 0x00000174 0x00000174 0x00013 0x00013 R 0x1 [Réquisition de l'interpréteur de programme: /lib/ld-linux.so.2] LOAD 0x000000 0x00000000 0x00000000 0x5b5f4 0x5b5f4 R E 0x1000 LOAD 0x05bcfc 0x0005ccfc 0x0005ccfc 0x0255c 0x053b4 RW 0x1000 DYNAMIC 0x05c888 0x0005d888 0x0005d888 0x00170 0x00170 RW 0x4 NOTE 0x000188 0x00000188 0x00000188 0x00020 0x00020 R 0x4 GNU_EH_FRAME 0x05b57c 0x0005b57c 0x0005b57c 0x0001c 0x0001c R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 GNU_RELRO 0x05bcfc 0x0005ccfc 0x0005ccfc 0x012ec 0x012ec R 0x20 PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4 Section à la projection de segement: Sections de segment... 00 01 .interp 02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 03 .ctors .dtors .jcr .data.rel.ro .dynamic .got .data .bss 04 .dynamic 05 .note.ABI-tag 06 .eh_frame_hdr 07 08 .ctors .dtors .jcr .data.rel.ro .dynamic 09 # paxctl -v /usr/sbin/apache2 PaX control v0.5 Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu> - PaX flags: -------x-e-- [/usr/sbin/apache2] RANDEXEC is disabled EMUTRAMP is disabled that error should really spit out p_type so there's no confusion when trying to index the PT table by hand ... the PT in question: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align GNU_RELRO 0x05dd14 0x0005ed14 0x0005ed14 0x012ec 0x012d4 R 0x1 the check: phdr[i].p_align && (~(phdr[i].p_align - 1) + phdr[i].p_align)) || (phdr[i].p_align && ((phdr[i].p_offset ^ phdr[i].p_vaddr) & (phdr[i].p_align - 1))) || phdr[i].p_vaddr + phdr[i].p_memsz < phdr[i].p_vaddr || phdr[i].p_offset + phdr[i].p_filesz < phdr[i].p_offset || phdr[i].p_offset + phdr[i].p_filesz > state->size || phdr[i].p_filesz > phdr[i].p_memsz Reassigning to toolchain@ This bug is reproducible simply by using binutils-2.18 and rebuilding apache. GNU_RELRO 0x05cdd4 0x0005ddd4 0x0005ddd4 0x01220 0x01208 R 0x1 the issue being that the program header has a filesize which is larger than the memsize ... i can only reproduce this on hardened though before the strip, it's correct: $ readelf -Wl scanelf | grep RELRO GNU_RELRO 0x0106d0 0x00000000002106d0 0x00000000002106d0 0x000930 0x000930 R 0x1 after the strip, not so much: $ strip scanelf $ readelf -Wl scanelf | grep RELRO GNU_RELRO 0x0106d0 0x00000000002106d0 0x00000000002106d0 0x000930 0x000928 R 0x1 hmm, i can reproduce on non-hardened using gcc-3.4.6 and -fPIE ... (In reply to comment #3) > that error should really spit out p_type so there's no confusion when trying to > index the PT table by hand ... problem is that the numerical value of p_type is of little help, and text representation needs BFD (i think, or rolling my own, which is even worse) which i intentionally didn't want as a dependency for paxctl (it wants to be a small self-contained utility ;). also, if you have multiple entries of the same type, your only unique identifier is really the index. last but not least, paxctl is not eu-elflint (i wonder what it says about this bad RELRO entry btw), so i'd rather not go overboard with these checks and error reporting. i think even just having the hex would be useful ... i have no problem looking up the PT defines in elf headers ... my gripe is that unless you look at the code, it's unclear whether the output counts from 0 or 1 ... as for doing number<->text bindings, you dont need BFD ... we do it in scanelf easily enough since the libc elf.h provides most of the PT defines you can follow the progress upstream ... there is already a patch to address a different bug which seems to also fix this ... the fix has been merged upstream and i'll put out binutils-2.18-r1 with this |