Using a gcc version 3.4.6 (Gentoo Hardened 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10) to compile nonstatic executables with glibc-2.5-r3 results in the __guard not being properly set up. When compiling and debugging static executables, the __guard is properly set up.

Reproducible: Always

Steps to Reproduce:
1. emerge -pv sys-libs/glibc-2.5-r3
2. compile a test program with gcc -fstack-protector-all (SSP setup unsuccessful)
3. compile a test program with gcc -static -fstack-protector-all (SSP setup successful)

Actual Results:
__guard = 0x0 when nonstatic executables run

Expected Results:
__guard = randomized value

hardened chroot falcon ~ # cat ssp_entropy.c
#include <stdio.h>

extern unsigned long int __guard;   /* the SSP canary symbol exported by libc */

int main(void) {
    printf("__guard: [[0x%lx]]\n", __guard);   /* print the canary the instrumented code will use */
    while(1) { ; }                               /* spin so the process can be inspected with gdb */
    return(0);
}

hardened chroot falcon ~ # cat Makefile
all:
	gcc -nopie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
	./ssp_entropy

hardened chroot falcon ~ # gdb -quiet ./ssp_entropy
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x8048494: file ssp_entropy.c, line 5.
(gdb) run
Starting program: /root/ssp_entropy

Breakpoint 1, main () at ssp_entropy.c:5
5       int main(void) {
(gdb) disassemble main
Dump of assembler code for function main:
0x08048478 <main+0>:    push   %ebp
0x08048479 <main+1>:    mov    %esp,%ebp
0x0804847b <main+3>:    sub    $0x28,%esp
0x0804847e <main+6>:    and    $0xfffffff0,%esp
0x08048481 <main+9>:    mov    $0x0,%eax
0x08048486 <main+14>:   add    $0xf,%eax
0x08048489 <main+17>:   add    $0xf,%eax
0x0804848c <main+20>:   shr    $0x4,%eax
0x0804848f <main+23>:   shl    $0x4,%eax
0x08048492 <main+26>:   sub    %eax,%esp
0x08048494 <main+28>:   mov    0x804a00c,%eax
0x08048499 <main+33>:   mov    %eax,0xffffffe8(%ebp)
0x0804849c <main+36>:   mov    0x804a00c,%eax
0x080484a1 <main+41>:   mov    %eax,0x4(%esp)
0x080484a5 <main+45>:   movl   $0x8048594,(%esp)
0x080484ac <main+52>:   call   0x8048370 <printf@plt>
0x080484b1 <main+57>:   jmp    0x80484b1 <main+57>
End of assembler dump.

interesting parts:

0x08048494 <main+28>:   mov    0x804a00c,%eax
0x08048499 <main+33>:   mov    %eax,0xffffffe8(%ebp)

(gdb) x/x 0x804a00c
0x804a00c <__guard@@GLIBC_2.3.2>:       0x00000000

this shows that the __guard is not set up

the following test case resembles the static behaviour:

hardened chroot falcon ~ # od -x /proc/self/auxv | grep dead && make
0000040 0011 0000 0064 0000 0018 0000 beef dead
gcc -static -nopie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0xdeadbeef]]
hardened chroot falcon ~ # gdb ./ssp_entropy
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x8048288: file ssp_entropy.c, line 5.
(gdb) run
Starting program: /root/ssp_entropy

Breakpoint 1, main () at ssp_entropy.c:5
5       int main(void) {
(gdb) disassemble main
Dump of assembler code for function main:
0x0804826c <main+0>:    push   %ebp
0x0804826d <main+1>:    mov    %esp,%ebp
0x0804826f <main+3>:    sub    $0x28,%esp
0x08048272 <main+6>:    and    $0xfffffff0,%esp
0x08048275 <main+9>:    mov    $0x0,%eax
0x0804827a <main+14>:   add    $0xf,%eax
0x0804827d <main+17>:   add    $0xf,%eax
0x08048280 <main+20>:   shr    $0x4,%eax
0x08048283 <main+23>:   shl    $0x4,%eax
0x08048286 <main+26>:   sub    %eax,%esp
0x08048288 <main+28>:   mov    0x80bcf10,%eax
0x0804828d <main+33>:   mov    %eax,0xffffffe8(%ebp)
0x08048290 <main+36>:   mov    0x80bcf10,%eax
0x08048295 <main+41>:   mov    %eax,0x4(%esp)
0x08048299 <main+45>:   movl   $0x80a4ea8,(%esp)
0x080482a0 <main+52>:   call   0x8048e40 <printf>
0x080482a5 <main+57>:   jmp    0x80482a5 <main+57>
End of assembler dump.
(gdb) x/x 0x80bcf10
0x80bcf10 <__guard_local>:      0xdeadbeef

(0xdeadbeef is a test value due to AT_ENTROPY testing)

the same on amd64 without AT_ENTROPY:

hardened32 chroot miranda ~ # emerge -pv glibc && rm ssp_entropy && CFLAGS="-static" make ssp_entropy && ./ssp_entropy

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] sys-libs/glibc-2.5-r3  USE="hardened nls nptl -build -debug -glibc-compat20 -glibc-omitfp -multilib -nptlonly -profile (-selinux)" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
cc -static    ssp_entropy.c   -o ssp_entropy
__guard: [[0x595545d4]]

hardened32 chroot miranda ~ # emerge -pv glibc && rm ssp_entropy && CFLAGS="" make ssp_entropy && ./ssp_entropy

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] sys-libs/glibc-2.5-r3  USE="hardened nls nptl -build -debug -glibc-compat20 -glibc-omitfp -multilib -nptlonly -profile (-selinux)" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
cc     ssp_entropy.c   -o ssp_entropy
__guard: [[0x0]]

test case with a freshly unpacked stage:

[ebuild   R   ] sys-libs/glibc-2.5-r3  USE="hardened nls nptl -build -debug -glibc-compat20 -glibc-omitfp -multilib -nptlonly -profile (-selinux)" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
gcc -static -nopie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0xde8c2c80]]
gcc -nopie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x0]]
gcc -pie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x0]]
hardened32_2 chroot miranda ~ #

behaviour with old glibc:

hardened32_2 chroot miranda ~ # cat hardened236.txt
emerge -pv glibc

These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild     U ] sys-libs/glibc-2.5-r3 [2.3.6-r5] USE="hardened nls nptl* -build -debug% -glibc-compat20 -glibc-omitfp -multilib -nptlonly -profile (-selinux) (-erandom%)" 16,223 kB

Total: 1 package (1 upgrade), Size of downloads: 16,223 kB
gcc -static -nopie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x785437c4]]
gcc -nopie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x3288e67f]]
gcc -pie -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x5a5050d8]]
adding toolchain
hardened32 chroot miranda ~ # emerge --info
Portage 2.1.2.7 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r3, 2.6.20-hardened-r2 x86_64)
=================================================================
System uname: 2.6.20-hardened-r2 x86_64 Dual Core AMD Opteron(tm) Processor 280
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 15 Jun 2007 01:47:01 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.60
sys-devel/automake:  1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg distclean distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X berkdb crypt gnome gtk hardened jpeg midi ncurses nls nptl pam pcmcia pic png python readline ssl tcpd tiff truetype urandom x86 xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev mach64 mga nv s3 s3virge savage sis tga trident tseng v4l vesa vga vmware"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

hardened32_2 chroot miranda ~ # emerge --info
Portage 2.1.2.2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r3, 2.6.20-hardened-r2 x86_64)
=================================================================
System uname: 2.6.20-hardened-r2 x86_64 Dual Core AMD Opteron(tm) Processor 280
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 16 Jun 2007 01:47:01 +0000
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.60
sys-devel/automake:  1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt hardened midi nls nptl pam pic readline ssl tcpd urandom x86 xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

hardened chroot falcon ~ # emerge --info
Portage 2.1.2.7 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r3, 2.6.21-hardened-r3 i686)
=================================================================
System uname: 2.6.21-hardened-r3 i686 Pentium III (Coppermine)
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 13 Jun 2007 01:47:01 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distclean distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/space/binpackages/tinderbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X berkdb crypt gnome gtk hardened jpeg midi ncurses nls nptl pam pcmcia pic png python readline ssl tcpd tiff truetype urandom x86 xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev mach64 mga nv s3 s3virge savage sis tga trident tseng v4l vesa vga vmware"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
debugging yields that __guard_local is properly set up, which means the code in elf/rtld.c works as expected:

1841      /* Set up the stack checker's canary.  */
1842      uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
1843  #ifdef ENABLE_OLD_SSP_COMPAT
1844      __guard_local = stack_chk_guard;
1845  #endif
1846  #ifdef THREAD_SET_STACK_GUARD
1847      THREAD_SET_STACK_GUARD (stack_chk_guard);
1848  #else
1849      __stack_chk_guard = stack_chk_guard;
1850  #endif
1851
1852      /* Set up the pointer guard as well, if necessary.  */
1853      if (GLRO(dl_pointer_guard))

the line numbers are working in the gdb session:

-- session 1 BEGIN --
(gdb)
dl_main (phdr=0x8048034, phnum=9, user_entry=0xffdb2140) at ../sysdeps/unix/sysv/linux/dl-osinfo.h:171
171       if (reslen == (ssize_t) sizeof (ret))
(gdb)
0xf7f2e662      171       if (reslen == (ssize_t) sizeof (ret))
(gdb)
0xf7f2e67a      178       p[sizeof (ret) - 2] = '\n';
(gdb)
1844      __guard_local = stack_chk_guard;
(gdb)
1847      THREAD_SET_STACK_GUARD (stack_chk_guard);
(gdb) where
#0  dl_main (phdr=0x8048034, phnum=9, user_entry=0xffdb2140) at rtld.c:1847
#1  0xf7f3ed6a in _dl_sysdep_start (start_argptr=0x0, dl_main=0xf7f2dbf0 <dl_main>) at ../elf/dl-sysdep.c:239
#2  0xf7f2d9d0 in _dl_start (arg=0xffdb21d0) at rtld.c:328
#3  0xf7f2c8c7 in _start () at rtld.c:612
-- session 1 END --

-- session 2 BEGIN --
(gdb) until 1844
dl_main (phdr=0x8048034, phnum=9, user_entry=0xff9bf140) at rtld.c:1844
1844      __guard_local = stack_chk_guard;
(gdb) where
#0  dl_main (phdr=0x8048034, phnum=9, user_entry=0xff9bf140) at rtld.c:1844
#1  0xf7fe2d6a in _dl_sysdep_start (start_argptr=0x0, dl_main=0xf7fd1bf0 <dl_main>) at ../elf/dl-sysdep.c:239
#2  0xf7fd19d0 in _dl_start (arg=0xff9bf1d0) at rtld.c:328
#3  0xf7fd08c7 in _start () at rtld.c:612
(gdb) info reg
eax            0x0      0
ecx            0xc9cdb0e        211606286
edx            0xf7feafbc       -134303812
ebx            0xf7feafbc       -134303812
esp            0xff9bed18       0xff9bed18
ebp            0xff9bf128       0xff9bf128
esi            0x4      4
edi            0x6      6
eip            0xf7fd2680       0xf7fd2680 <dl_main+2704>
eflags         0x246    [ PF ZF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
(gdb) x/xi 0xf7fd2680

this is the code equivalent to __guard_local = stack_chk_guard
0xf7fd2680 <dl_main+2704>:      mov    %ecx,0xfffffeec(%ebx)
this is the THREAD_SET_STACK_GUARD macro putting the value into TLS
0xf7fd2686 <dl_main+2710>:      mov    %ecx,%gs:0x14
0xf7fd268d <dl_main+2717>:      mov    0xfffffd00(%ebx),%edi

(gdb) x/xi $eip
0xf7fd2680 <dl_main+2704>:      mov    %ecx,0xfffffeec(%ebx)
(gdb)
0xf7fd2686 <dl_main+2710>:      mov    %ecx,%gs:0x14
(gdb)
0xf7fd268d <dl_main+2717>:      mov    0xfffffd00(%ebx),%edi

now we inspect the memory

(gdb) x/x 0xfffffeec+0xf7feafbc
0xf7feaea8 <__guard_local>:     0x00000000
(gdb)
0xf7feaeac <__pointer_chk_guard_local>: 0x00000000
(gdb)
0xf7feaeb0 <load_time>: 0x0002bfbe

now we step into the instruction that sets up __guard_local

(gdb) stepi

this is the next instruction waiting (the other instruction was executed now)

1847      THREAD_SET_STACK_GUARD (stack_chk_guard);

the EIP points to the next instruction waiting for execution

(gdb) x/xi $eip
0xf7fd2686 <dl_main+2710>:      mov    %ecx,%gs:0x14
(gdb)
0xf7fd268d <dl_main+2717>:      mov    0xfffffd00(%ebx),%edi
(gdb) x/xi $eip-4
0xf7fd2682 <dl_main+2706>:      in     (%dx),%al
(gdb) x/xi $eip-8
0xf7fd267e <dl_main+2702>:      (bad)
(gdb) x/xi $eip
0xf7fd2686 <dl_main+2710>:      mov    %ecx,%gs:0x14
(gdb)
0xf7fd268d <dl_main+2717>:      mov    0xfffffd00(%ebx),%edi

Inspect the memory location again

(gdb) x/x 0xfffffeec+0xf7feafbc
0xf7feaea8 <__guard_local>:     0x0c9cdb0e
(gdb)

the value in %ecx was the value in stack_chk_guard, it's now in __guard_local

(gdb) continue
Continuing.
__guard: [[0x0]]

Program received signal SIGTSTP, Stopped (user).
main () at ssp_entropy.c:7
7         while(1) { ; }
(gdb) x/x 0xfffffeec+0xf7feafbc
0xf7feaea8 <__guard_local>:     0x0c9cdb0e
-- session 2 END --

the __guard_local is still initialized with the SSP value generated in _dl_setup_stack_chk_guard () but the __guard shows as 0x0

it can also be shown that the SSP setup in the main function actually uses the value 0x0 for setting up the guard consisting of 0x0:

-- session 3 BEGIN --
(gdb) break dl_main
Function "dl_main" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (dl_main) pending.
(gdb) until 1844
The program is not running.
(gdb) run
Starting program: /root/ssp_entropy
Breakpoint 2 at 0xf7f63bf6: file rtld.c, line 869.
Pending breakpoint "dl_main" resolved

Breakpoint 2, dl_main (phdr=0x8048034, phnum=9, user_entry=0xff86d140) at rtld.c:869
869       void *tcbp = NULL;
(gdb) until 1844
dl_main (phdr=0x8048034, phnum=9, user_entry=0xff86d140) at rtld.c:1844
1844      __guard_local = stack_chk_guard;
(gdb) info reg
eax            0x0      0
ecx            0x1ae5055d       451216733
edx            0xf7f7cfbc       -134754372
ebx            0xf7f7cfbc       -134754372
esp            0xff86cd18       0xff86cd18
ebp            0xff86d128       0xff86d128
esi            0x4      4
edi            0x6      6
eip            0xf7f64680       0xf7f64680 <dl_main+2704>
eflags         0x246    [ PF ZF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
(gdb) x/xi $eip
0xf7f64680 <dl_main+2704>:      mov    %ecx,0xfffffeec(%ebx)
(gdb)
0xf7f64686 <dl_main+2710>:      mov    %ecx,%gs:0x14
(gdb) x/x 0xfffffeec + 0xf7f7cfbc
0xf7f7cea8 <__guard_local>:     0x00000000
(gdb) stepi
1847      THREAD_SET_STACK_GUARD (stack_chk_guard);
(gdb) x/x 0xfffffeec + 0xf7f7cfbc
0xf7f7cea8 <__guard_local>:     0x1ae5055d
(gdb) break main
Breakpoint 3 at 0x8048494: file ssp_entropy.c, line 5.
(gdb) continue
Continuing.

Breakpoint 3, main () at ssp_entropy.c:5
5       int main(void) {
(gdb) disassemble main
Dump of assembler code for function main:
0x08048478 <main+0>:    push   %ebp
0x08048479 <main+1>:    mov    %esp,%ebp
0x0804847b <main+3>:    sub    $0x28,%esp
0x0804847e <main+6>:    and    $0xfffffff0,%esp
0x08048481 <main+9>:    mov    $0x0,%eax
0x08048486 <main+14>:   add    $0xf,%eax
0x08048489 <main+17>:   add    $0xf,%eax
0x0804848c <main+20>:   shr    $0x4,%eax
0x0804848f <main+23>:   shl    $0x4,%eax
0x08048492 <main+26>:   sub    %eax,%esp
0x08048494 <main+28>:   mov    0x804a00c,%eax
0x08048499 <main+33>:   mov    %eax,0xffffffe8(%ebp)
0x0804849c <main+36>:   mov    0x804a00c,%eax
0x080484a1 <main+41>:   mov    %eax,0x4(%esp)
0x080484a5 <main+45>:   movl   $0x8048594,(%esp)
0x080484ac <main+52>:   call   0x8048370 <printf@plt>
0x080484b1 <main+57>:   jmp    0x80484b1 <main+57>
End of assembler dump.
(gdb) x/x 0xfffffeec + 0xf7f7cfbc
0xf7f7cea8 <__guard_local>:     0x1ae5055d
(gdb) x/x 0x804a00c
0x804a00c <__guard@@GLIBC_2.3.2>:       0x00000000
-- session 3 END --

It seems that "__guard@@GLIBC_2.3.2" contains 0x0 even though __guard_local is properly set up in elf/rtld.c by the dynamic linker. The compiler instrumenting SSP needs the symbol "__guard@@GLIBC_2.3.2" for setting up the SSP canary in the function stack frame.

Alex
changing the title
added CC on request
as far as i understand it, pipacs blames the copy reloc... irc log:

18:51 <pipacs> ok
18:52 <pipacs> i read the problem but i don't see where the problem is, really
18:52 <pipacs> you're putting a variable into a library and have a copy reloc for it in the main exe
18:52 <pipacs> except the copy reloc is applied before the original variable is initialized
18:53 <pipacs> and for some reason, whenever the original is initialized, it doesn't write to the copy in the main exe (which should have overridden the original in the library)
19:07 <pipacs> yes for "pax_get_random_long() is okay for setting up AT_ENTROPY or not?"
19:31 -!- pipacs [theowl@r00tworld.com] has quit []
more eyes see more
adding on request of solar
you can't have aliases to data due to COPY relocs on some architectures ... this is a known issue which the binutils guys say is not a bug. we should add some test cases for ssp to glibc, i think
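The comments above (pipacs' IRC explanation and the note about COPY relocs) describe the mechanism: a non-PIC executable that references a data symbol exported by libc gets its own copy of that variable through a COPY relocation, and whatever the library writes into its own (aliased) variable later never reaches that copy. A quick way to tell whether a binary is in that situation is to look for COPY relocations in the output of `readelf -r`. The following script is an added example written for this page, not code from the bug report or from glibc; the function names (`parse_relocs`, `copy_relocated_symbols`, `guard_is_copied`) are my own, and the embedded readelf output is constructed to look like a non-static i386 build of the reporter's test program, not taken from any real binary on this page.

```python
import re
from typing import Dict, List

# Constructed sample of `readelf -r` output for a non-static i386 executable
# that references __guard from libc. Addresses, section offsets and symbol
# versions are made up for this example.
SAMPLE_READELF_R = """\
Relocation section '.rel.dyn' at offset 0x2d4 contains 3 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000605 R_386_COPY        0804a00c   __guard@GLIBC_2.3.2
0804a010  00000705 R_386_COPY        0804a010   stdout@GLIBC_2.0
08049ff8  00000306 R_386_GLOB_DAT    00000000   __gmon_start__

Relocation section '.rel.plt' at offset 0x2ec contains 2 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a000  00000107 R_386_JUMP_SLOT   00000000   printf@GLIBC_2.0
0804a004  00000407 R_386_JUMP_SLOT   00000000   __libc_start_main@GLIBC_2.0
"""

# One relocation entry: offset, info, type, then an optional symbol value and
# symbol name. Anything after the name (e.g. "+ addend" in RELA sections) is
# ignored so the same pattern copes with readelf output for other arches.
_RELOC_LINE = re.compile(
    r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(R_\w+)"
    r"(?:\s+([0-9a-fA-F]+))?(?:\s+(\S+))?.*$"
)


def parse_relocs(text: str) -> List[Dict[str, str]]:
    """Parse readelf -r output into dicts with section, offset, type and symbol."""
    relocs: List[Dict[str, str]] = []
    section = None
    for line in text.splitlines():
        header = re.match(r"Relocation section '([^']+)'", line)
        if header:
            section = header.group(1)
            continue
        m = _RELOC_LINE.match(line)
        if not m or section is None:
            continue  # column headers, blank lines, text before any section
        offset, _info, rtype, _value, sym = m.groups()
        # Strip the "@VERSION" suffix so callers can compare plain symbol names.
        name = (sym or "").split("@", 1)[0]
        relocs.append({"section": section, "offset": offset,
                       "type": rtype, "symbol": name})
    return relocs


def copy_relocated_symbols(text: str) -> List[str]:
    """Names of the library data symbols the executable takes over via a COPY reloc."""
    return [r["symbol"] for r in parse_relocs(text) if r["type"].endswith("_COPY")]


def guard_is_copied(text: str, guard_symbol: str = "__guard") -> bool:
    """True when the SSP guard variable lives in the executable rather than in libc.

    This is exactly the situation the bug describes: the compiler-instrumented
    code reads the executable's copy, so a value written only to the library's
    own alias (__guard_local) never shows up there.
    """
    return guard_symbol in copy_relocated_symbols(text)


if __name__ == "__main__":
    # In real use: readelf -r ./ssp_entropy | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_READELF_R
    for name in copy_relocated_symbols(data):
        print("COPY reloc for", name)
    print("guard copied into executable:", guard_is_copied(data))
```

The check only tells you whether the executable owns a copy of the symbol; which value ends up in that copy at run time is what the gdb sessions earlier in this bug trace instruction by instruction.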
if a strong_alias instead of weak_alias does not help, then we omit __guard_local completely and set up __guard directly
I think somebody should post a solution to this problem. Alex
the possible solutions are in #11
well, there is a third one, I recently began using it like this in some other places: make __guard_local static, and try if weak_alias or strong_alias works; which alias works could depend on arch
pretty interesting... this bug lingers for almost 4 months in bugzilla now. apparently toolchain@gentoo.org (and hardened) isn't really interested in solving this issue *shrug*
dont go closing bugs that are not verified fixed
it was closed WONTFIX. so do you have anything to say about me closing a bug i opened because you are apparently unable to fix it for more than 3 months? -Alex
due to missing support from toolchain over the months: closing WONTFIX
open your own bug and work on it if you want. i'm done with toolchain.
reopening for hardened-glibc
the plan is to provide a custom glibc or a new hardened-glibc that is independent from the development "behaviour" of toolchain and our hardened project
i'm not interested in your bullshit. there is a bug in sys-libs/glibc and that is what this bug is about ... what you do in your experimental is irrelevant. i'll open a new bug report which won't include your pointless trashing
reopening on behalf of gxs project
gxslibc is in the tree

using the test case from the bug yields the following results:

static executable:

0x08048233 <main+11>:   mov    %esp,%ebp
0x08048235 <main+13>:   push   %ecx
0x08048236 <main+14>:   sub    $0x14,%esp
0x08048239 <main+17>:   mov    %gs:0x14,%eax
0x0804823f <main+23>:   mov    %eax,-0x8(%ebp)
0x08048242 <main+26>:   xor    %eax,%eax
0x08048244 <main+28>:   mov    0x80bc4a4,%eax
0x08048249 <main+33>:   sub    $0x8,%esp
0x0804824c <main+36>:   push   %eax
0x0804824d <main+37>:   push   $0x80a0768
0x08048252 <main+42>:   call   0x8048d10 <__printf>
0x08048257 <main+47>:   add    $0x10,%esp
0x0804825a <main+50>:   jmp    0x804825a <main+50>
End of assembler dump.
(gdb) x/8x 0x80bc4a4
0x80bc4a4 <__guard>:    0xd98fdcc7      0x080bc54c      0xfffd624c      0x00000000
0x80bc4b4 <__stack_prot>:       0x01000000      0xffffffff      0x00000000      0x080bdff4
(gdb) x/4x 0x80bc4a4
0x80bc4a4 <__guard>:    0xd98fdcc7      0x080bc54c      0xfffd624c      0x00000000
(gdb) x/1x 0x80bc4a4
0x80bc4a4 <__guard>:    0xd98fdcc7
(gdb) continue
Continuing.
__guard: [[0xd98fdcc7]]

dynamically linked executable:

TMPFS chroot001 miranda ~ # gcc -g -ggdb -fstack-protector-all -o ssp ssp.c && paxctl -pemsrvx ./ssp && gdb -quiet ssp
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [./ssp]
        RANDEXEC is disabled
        EMUTRAMP is disabled
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x80483f5: file ssp.c, line 6.
(gdb) run
Starting program: /root/ssp

Breakpoint 1, main () at ssp.c:6
6       int main(void) {
(gdb) disassemble main
Dump of assembler code for function main:
0x080483e4 <main+0>:    lea    0x4(%esp),%ecx
0x080483e8 <main+4>:    and    $0xfffffff0,%esp
0x080483eb <main+7>:    pushl  -0x4(%ecx)
0x080483ee <main+10>:   push   %ebp
0x080483ef <main+11>:   mov    %esp,%ebp
0x080483f1 <main+13>:   push   %ecx
0x080483f2 <main+14>:   sub    $0x14,%esp
0x080483f5 <main+17>:   mov    %gs:0x14,%eax
0x080483fb <main+23>:   mov    %eax,-0x8(%ebp)
0x080483fe <main+26>:   xor    %eax,%eax
0x08048400 <main+28>:   mov    0x8049614,%eax
0x08048405 <main+33>:   sub    $0x8,%esp
0x08048408 <main+36>:   push   %eax
0x08048409 <main+37>:   push   $0x80484f8
0x0804840e <main+42>:   call   0x804831c <printf@plt>
0x08048413 <main+47>:   add    $0x10,%esp
0x08048416 <main+50>:   jmp    0x8048416 <main+50>
End of assembler dump.
(gdb)
(gdb) x/x 0x8049614
0x8049614 <__guard@@GLIBC_2.3.2>:       0x6c54457d
(gdb) continue
Continuing.
__guard: [[0x6c54457d]]

TMPFS chroot001 miranda ~ # emerge --info
Portage 2.1.2.2 (gxs/linux/x86/2008.0/server, gcc-4.1.1, gxslibc-2.6.1-r2, 2.6.24-hardened-r2 i686)
=================================================================
System uname: 2.6.24-hardened-r2 i686 Dual Core AMD Opteron(tm) Processor 280
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 17 May 2008 01:45:03 +0000

i am satisfied with these results, thanks for the commitment and the cooperation of the Gentoo developers helping with this solution.
(In reply to comment #24) Hi pappy, couldn't this be ported to glibc (patch used in accordance with the hardened useflag)? Thanks for your work :)