From: Alexey Izbyshev <izbyshev@ispras.ru>
To: Dmitry Safonov <dsafonov@virtuozzo.com>,
	Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>,
	Cyrill Gorcunov <gorcunov@openvz.org>,
	Borislav Petkov <bp@suse.de>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Alexander Monakov <amonakov@ispras.ru>,
	linux-mm@kvack.org
Subject: [4.11 Regression] 64-bit process gets AT_BASE in the first 4 GB if exec'ed from 32-bit process
Date: Thu, 17 May 2018 23:16:31 +0300
Message-ID: <82328ad006ebacb399d04d638f8dad4a@ispras.ru>

Hello everyone,

I've discovered the following strange behavior of a 4.15.13-based kernel
(bisected to
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b028f784e8c341e762c264f70dc0ca1418c8b7a
between 4.11-rc2 and -rc3 thanks to Alexander Monakov).

I've reported it as 
"https://bugzilla.kernel.org/show_bug.cgi?id=199739".

$ cat wrap.c
#include <unistd.h>

int main(int argc, char *argv[]) {
   execvp(argv[1], &argv[1]);
   return 127;
}

$ gcc wrap.c -o wrap
$ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
AT_BASE:         0x7f63b8309000
AT_BASE:         0x7faec143c000
AT_BASE:         0x7fbdb25fa000

$ gcc -m32 wrap.c -o wrap32
$ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
AT_BASE:         0xf7eff000
AT_BASE:         0xf7cee000
AT_BASE:         0x7f8b9774e000

On kernels before the referenced commit the second AT_BASE is at the 
same range as the third one.

The consequences:

1) It breaks ASAN

$ gcc -fsanitize=address wrap.c -o wrap-asan
$ ./wrap32 ./wrap-asan true
==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
==1217==Process memory map follows:
         0x000000400000-0x000000401000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
         0x000000600000-0x000000601000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
         0x000000601000-0x000000602000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
         0x0000f7dbd000-0x0000f7de2000   /lib64/ld-2.27.so
         0x0000f7fe2000-0x0000f7fe3000   /lib64/ld-2.27.so
         0x0000f7fe3000-0x0000f7fe4000   /lib64/ld-2.27.so
         0x0000f7fe4000-0x0000f7fe5000
         0x7fed9abff000-0x7fed9af54000
         0x7fed9af54000-0x7fed9af6b000   /lib64/libgcc_s.so.1
[snip]

2) It doesn't seem to be great for security if an attacker always knows 
that ld.so is going to be mapped into the first 4GB in this case (the 
same thing happens for PIEs as well).

Am I right that this is not the intended behavior?

-Alexey
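As an added illustration (not code from the report, glibc or the kernel), the C program below turns the two observations above into checks: it parses lines of the ASan memory-map dump and counts the mappings that intersect the default x86-64 shadow range ASan prints, and it reads AT_BASE of the running process to flag an interpreter that was placed below 4 GB. The sample map lines are constructed from the dump quoted above, with /home/user/wrap-asan as a placeholder path.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

#define LOW_4GB   (1ULL << 32)
#define SHADOW_LO 0x00007fff7000ULL   /* default x86-64 ASan shadow range, */
#define SHADOW_HI 0x10007fff7fffULL   /* as quoted in the report above     */

/* Parse one "start-end   [path]" line of ASan's map dump; path is "" if anonymous. */
int parse_map_line(const char *line, unsigned long long *start, unsigned long long *end, char path[256])
{
    path[0] = '\0';
    return sscanf(line, " %llx-%llx %255s", start, end, path) >= 2;
}

/* The reported symptom: a mapping of a 64-bit process living below 4 GB. */
int in_low_4gb(unsigned long long addr) { return addr < LOW_4GB; }

/* True when [start, end) intersects the region ASan must reserve for its shadow. */
int overlaps_shadow(unsigned long long start, unsigned long long end)
{
    return start <= SHADOW_HI && end > SHADOW_LO;
}

/* Count dumped mappings that would make ASan abort the way the report shows. */
int count_shadow_collisions(const char *const *lines, int n)
{
    unsigned long long s, e; char path[256]; int hits = 0;
    for (int i = 0; i < n; i++)
        if (parse_map_line(lines[i], &s, &e, path) && overlaps_shadow(s, e))
            hits++;
    return hits;
}

/* Live check: AT_BASE is where the kernel mapped ld.so (0 in a static binary). */
int interpreter_in_low_4gb(void) { unsigned long b = getauxval(AT_BASE); return b && in_low_4gb(b); }

/* Constructed sample, abridged from the ASan dump quoted in the report. */
static const char *const kSample[] = {
    "0x000000400000-0x000000401000   /home/user/wrap-asan",
    "0x0000f7dbd000-0x0000f7de2000   /lib64/ld-2.27.so",
    "0x0000f7fe4000-0x0000f7fe5000",
    "0x7fed9af54000-0x7fed9af6b000   /lib64/libgcc_s.so.1",
};

int main(void)
{
    printf("mappings colliding with ASan shadow: %d\n", count_shadow_collisions(kSample, 4));
    printf("ld.so of this process is %s the first 4 GB\n", interpreter_in_low_4gb() ? "inside" : "outside");
    return 0;
}
```

Run it under the affected kernel via the 32-bit wrapper (`./wrap32 ./check`) and again directly to see the AT_BASE verdict change.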
