From: Solar Designer <solar@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] [RFC] x86, mm: start mmap allocation for libs from low addresses
Date: Fri, 12 Aug 2011 14:58:24 +0400 [thread overview]
Message-ID: <20110812105824.GA7141@openwall.com> (raw)
In-Reply-To: <20110812102954.GA3496@albatros>
Vasiliy,
On Fri, Aug 12, 2011 at 02:29:54PM +0400, Vasiliy Kulikov wrote:
> This patch changes mmap base address allocator logic to incline to
> allocate addresses from the first 16 Mbs of address space. These
> addresses start from zero byte (0x00AABBCC). Using such addresses
> breaks ret2libc exploits abusing string buffer overflows. As library
> addresses contain zero byte, addresses of library functions may not
> present in the string, which is used to overflow the buffer. As a
> result, it makes it impossible to change the return address on the stack
> to the address of some library function (e.g. system(3)).
JFYI, this statement is too strong. It is usually possible to pass such
addresses because the string does terminate with a NUL and this NUL gets
written. C string based overflows where the terminating NUL is somehow
not written are uncommon (in fact, I don't recall any). However,
requiring NUL as the most significant byte of a 32-bit address achieves
two things:
1. The overflow length has to be inferred/guessed exactly, because only
one NUL may be written. Simply using a repeated pattern (with function
address and arguments) no longer works.
2. Passing function arguments in the straightforward manner no longer
works, because copying stops after the NUL. The attacker's best bet may
be to find an entry point not at function boundary that sets registers
and then proceeds with or branches to the desired library code. The
easiest way to set registers and branch would be a function epilogue -
pop/pop/.../ret - but then there's the difficulty in passing the address
to ret to (we have just one NUL and we've already used it to get to this
code). Similarly, even via such pop's we can't pass an argument that
contains a NUL in it - e.g., the address of "/bin/sh" in libc (it
contains a NUL most significant byte too) or a zero value for root's
uid. A possible bypass is via multiple overflows - if the overflow may
be triggered more than once before the vulnerable function returns, then
multiple NULs may be written, exactly one per overflow. But this is
hopefully relatively rare.
Overall, this does make exploits harder and less reliable, just not in
the exact sense of making it impossible to point the return address at
libc.
Alexander
next prev parent reply other threads:[~2011-08-12 10:58 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-12 10:29 [RFC] x86, mm: start mmap allocation for libs from low addresses Vasiliy Kulikov
2011-08-12 10:29 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-12 10:29 ` Vasiliy Kulikov
2011-08-12 10:58 ` Solar Designer [this message]
2011-08-12 11:05 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-25 17:19 ` Vasiliy Kulikov
2011-08-25 17:39 ` Solar Designer
2011-09-02 18:29 ` Solar Designer
2011-09-03 11:18 ` Vasiliy Kulikov
2011-09-03 23:57 ` Solar Designer
2011-09-05 12:46 ` Vasiliy Kulikov
2011-09-06 5:05 ` Solar Designer
2011-09-07 9:09 ` Vasiliy Kulikov
2011-09-07 9:30 ` Solar Designer
2011-09-07 9:34 ` Vasiliy Kulikov
2011-09-07 9:43 ` Solar Designer
2011-09-07 9:55 ` Vasiliy Kulikov
2011-09-07 10:16 ` Solar Designer
2011-09-07 11:01 ` Vasiliy Kulikov
2011-09-02 23:34 ` Solar Designer
2011-09-03 12:12 ` Vasiliy Kulikov
2011-09-03 23:40 ` Solar Designer
2011-09-04 7:21 ` Vasiliy Kulikov
2011-08-12 23:19 ` H. Peter Anvin
2011-08-12 23:19 ` [kernel-hardening] " H. Peter Anvin
2011-08-12 23:19 ` H. Peter Anvin
2011-08-13 6:26 ` Vasiliy Kulikov
2011-08-13 6:26 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-13 6:26 ` Vasiliy Kulikov
2011-08-16 9:05 ` Vasiliy Kulikov
2011-08-16 9:05 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-16 9:05 ` Vasiliy Kulikov
2011-08-22 10:17 ` Vasiliy Kulikov
2011-08-22 10:17 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-22 10:17 ` Vasiliy Kulikov
2011-08-22 17:24 ` H. Peter Anvin
2011-08-22 17:24 ` [kernel-hardening] " H. Peter Anvin
2011-08-22 17:24 ` H. Peter Anvin
2011-08-22 20:14 ` Vasiliy Kulikov
2011-08-22 20:14 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-22 20:14 ` Vasiliy Kulikov
2011-08-22 20:17 ` H. Peter Anvin
2011-08-22 20:17 ` [kernel-hardening] " H. Peter Anvin
2011-08-22 20:17 ` H. Peter Anvin
2011-08-23 6:41 ` Vasiliy Kulikov
2011-08-23 6:41 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-23 6:41 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110812105824.GA7141@openwall.com \
--to=solar@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.