touch-packages team mailing list archive, Message #48051
[Bug 1407622] [NEW] RELRO is not read-only on PowerLE (binutils)
You have been subscribed to a public bug:
== Comment: #0 - PAVAMAN SUBRAMANIYAM <pavsubra@xxxxxxxxxx> - 2015-01-05 01:29:11 ==
---Problem Description---
RELRO is not read-only on PowerLE (binutils)
Contact Information = pavsubra@xxxxxxxxxx
---uname output---
Linux ubuntu 3.16.0-28-generic #38-Ubuntu SMP Fri Dec 12 17:39:43 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux
Machine Type = P8
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Install a Ubuntu 15.04 PPC64 LE ISO as a guest VM on Power KVM host.
Then try building and executing the below mentioned RELRO test case.
root@ubuntu:~# cat relro.c
#include <stdio.h>
void *const foo = &stdout;      /* const pointer: the linker places it in .data.rel.ro */
int main (void)
{
    *(void **) &foo = &stderr;  /* write through the const object: must segfault once RELRO is enforced */
    return 0;
}
root@ubuntu:~# gcc -Wl,-z,relro relro.c
root@ubuntu:~# bash checkrelro.sh --file a.out
a.out - partial RELRO
root@ubuntu:~# ./a.out
root@ubuntu:~# echo $?
0
(passes, should segfault)
The reproducer looks like GOT is not read-only.
Userspace tool common name: binutils
The userspace tool has the following bit modes: 64-bit
Userspace rpm: binutils2.25-2ubuntu1
Userspace tool obtained from project website: na
*Additional Instructions for pavsubra@xxxxxxxxxx:
-Post a private note with access information to the machine that the bug is occurring on.
-Attach ltrace and strace of userspace application.
== Comment: #3 - PAVAMAN SUBRAMANIYAM <pavsubra@xxxxxxxxxx> - 2015-01-05 01:33:21 ==
Adding output of readelf -Wa of the relro binary
root@ubuntu:~# readelf -Wa a.out
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: PowerPC64
Version: 0x1
Entry point address: 0x10000410
Start of program headers: 64 (bytes into file)
Start of section headers: 6776 (bytes into file)
Flags: 0x2, abiv2
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 8
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 26
Section Headers:
[Nr] Name Type Address Off Size ES Flg Lk Inf Al
[ 0] NULL 0000000000000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 0000000010000200 000200 000011 00 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000010000214 000214 000020 00 A 0 0 4
[ 3] .note.gnu.build-id NOTE 0000000010000234 000234 000024 00 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000010000258 000258 00001c 00 A 5 0 8
[ 5] .dynsym DYNSYM 0000000010000278 000278 000078 18 A 6 1 8
[ 6] .dynstr STRTAB 00000000100002f0 0002f0 000045 00 A 0 0 1
[ 7] .gnu.version VERSYM 0000000010000336 000336 00000a 02 A 5 0 2
[ 8] .gnu.version_r VERNEED 0000000010000340 000340 000020 00 A 6 1 8
[ 9] .rela.dyn RELA 0000000010000360 000360 000048 18 A 5 0 8
[10] .rela.plt RELA 00000000100003a8 0003a8 000018 18 AI 5 23 8
[11] .init PROGBITS 00000000100003c0 0003c0 00003c 00 AX 0 0 4
[12] .text PROGBITS 0000000010000400 000400 000384 00 AX 0 0 32
[13] .fini PROGBITS 0000000010000784 000784 000024 00 AX 0 0 4
[14] .rodata PROGBITS 00000000100007a8 0007a8 000024 00 A 0 0 8
[15] .eh_frame PROGBITS 00000000100007cc 0007cc 00004c 00 A 0 0 4
[16] .init_array INIT_ARRAY 0000000010010df0 000df0 000008 00 WA 0 0 8
[17] .fini_array FINI_ARRAY 0000000010010df8 000df8 000008 00 WA 0 0 8
[18] .jcr PROGBITS 0000000010010e00 000e00 000008 00 WA 0 0 8
[19] .data.rel.ro PROGBITS 0000000010010e08 000e08 000008 00 WA 0 0 8
[20] .dynamic DYNAMIC 0000000010010e10 000e10 0001f0 10 WA 6 0 8
[21] .data PROGBITS 0000000010011000 001000 000010 00 WA 0 0 8
[22] .got PROGBITS 0000000010011010 001010 000038 08 WA 0 0 8
[23] .plt NOBITS 0000000010011048 001048 000018 08 WA 0 0 8
[24] .bss NOBITS 0000000010011060 001048 000008 00 WA 0 0 1
[25] .comment PROGBITS 0000000000000000 001048 000048 01 MS 0 0 1
[26] .shstrtab STRTAB 0000000000000000 001090 0000fe 00 0 0 1
[27] .symtab SYMTAB 0000000000000000 001190 000660 18 28 46 8
[28] .strtab STRTAB 0000000000000000 0017f0 000281 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000040 0x0000000010000040 0x0000000010000040 0x0001c0 0x0001c0 R E 0x8
INTERP 0x000200 0x0000000010000200 0x0000000010000200 0x000011 0x000011 R 0x1
[Requesting program interpreter: /lib64/ld64.so.2]
LOAD 0x000000 0x0000000010000000 0x0000000010000000 0x000818 0x000818 R E 0x10000
LOAD 0x000df0 0x0000000010010df0 0x0000000010010df0 0x000258 0x000278 RW 0x10000
DYNAMIC 0x000e10 0x0000000010010e10 0x0000000010010e10 0x0001f0 0x0001f0 RW 0x8
NOTE 0x000214 0x0000000010000214 0x0000000010000214 0x000044 0x000044 R 0x4
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10
GNU_RELRO 0x000df0 0x0000000010010df0 0x0000000010010df0 0x000210 0x000210 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .text .fini .rodata .eh_frame
03 .init_array .fini_array .jcr .data.rel.ro .dynamic .data .got .plt .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06
07 .init_array .fini_array .jcr .data.rel.ro .dynamic
Dynamic section at offset 0xe10 contains 26 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x100003c0
0x000000000000000d (FINI) 0x10000784
0x0000000000000019 (INIT_ARRAY) 0x10010df0
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x10010df8
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x10000258
0x0000000000000005 (STRTAB) 0x100002f0
0x0000000000000006 (SYMTAB) 0x10000278
0x000000000000000a (STRSZ) 69 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x10011048
0x0000000000000002 (PLTRELSZ) 24 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x100003a8
0x0000000070000000 (PPC64_GLINK) 0x10000760
0x0000000070000003 (PPC64_OPT) 0x0
0x0000000000000007 (RELA) 0x10000360
0x0000000000000008 (RELASZ) 72 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffe (VERNEED) 0x10000340
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x10000336
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x360 contains 3 entries:
Offset Info Type Symbol's Value Symbol's Name + Addend
0000000010010e08 0000000300000026 R_PPC64_ADDR64 0000000000000000 stdout + 0
0000000010011018 0000000400000026 R_PPC64_ADDR64 0000000000000000 __gmon_start__ + 0
0000000010011040 0000000100000026 R_PPC64_ADDR64 0000000000000000 stderr + 0
Relocation section '.rela.plt' at offset 0x3a8 contains 1 entries:
Offset Info Type Symbol's Value Symbol's Name + Addend
0000000010011058 0000000200000015 R_PPC64_JMP_SLOT 0000000000000000 __libc_start_main + 0
The decoding of unwind sections for machine type PowerPC64 is not
currently supported.
Symbol table '.dynsym' contains 5 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 OBJECT GLOBAL DEFAULT UND stderr@GLIBC_2.17 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.17 (2)
3: 0000000000000000 0 OBJECT GLOBAL DEFAULT UND stdout@GLIBC_2.17 (2)
4: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
Symbol table '.symtab' contains 68 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000010000200 0 SECTION LOCAL DEFAULT 1
2: 0000000010000214 0 SECTION LOCAL DEFAULT 2
3: 0000000010000234 0 SECTION LOCAL DEFAULT 3
4: 0000000010000258 0 SECTION LOCAL DEFAULT 4
5: 0000000010000278 0 SECTION LOCAL DEFAULT 5
6: 00000000100002f0 0 SECTION LOCAL DEFAULT 6
7: 0000000010000336 0 SECTION LOCAL DEFAULT 7
8: 0000000010000340 0 SECTION LOCAL DEFAULT 8
9: 0000000010000360 0 SECTION LOCAL DEFAULT 9
10: 00000000100003a8 0 SECTION LOCAL DEFAULT 10
11: 00000000100003c0 0 SECTION LOCAL DEFAULT 11
12: 0000000010000400 0 SECTION LOCAL DEFAULT 12
13: 0000000010000784 0 SECTION LOCAL DEFAULT 13
14: 00000000100007a8 0 SECTION LOCAL DEFAULT 14
15: 00000000100007cc 0 SECTION LOCAL DEFAULT 15
16: 0000000010010df0 0 SECTION LOCAL DEFAULT 16
17: 0000000010010df8 0 SECTION LOCAL DEFAULT 17
18: 0000000010010e00 0 SECTION LOCAL DEFAULT 18
19: 0000000010010e08 0 SECTION LOCAL DEFAULT 19
20: 0000000010010e10 0 SECTION LOCAL DEFAULT 20
21: 0000000010011000 0 SECTION LOCAL DEFAULT 21
22: 0000000010011010 0 SECTION LOCAL DEFAULT 22
23: 0000000010011048 0 SECTION LOCAL DEFAULT 23
24: 0000000010011060 0 SECTION LOCAL DEFAULT 24
25: 0000000000000000 0 SECTION LOCAL DEFAULT 25
26: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
27: 0000000010010e00 0 OBJECT LOCAL DEFAULT 18 __JCR_LIST__
28: 0000000010000460 0 FUNC LOCAL DEFAULT [<localentry>: 8] 12 deregister_tm_clones
29: 00000000100004d0 0 FUNC LOCAL DEFAULT [<localentry>: 8] 12 register_tm_clones
30: 0000000010000540 0 FUNC LOCAL DEFAULT [<localentry>: 8] 12 __do_global_dtors_aux
31: 0000000010011060 1 OBJECT LOCAL DEFAULT 24 completed.8817
32: 0000000010010df8 0 OBJECT LOCAL DEFAULT 17 __do_global_dtors_aux_fini_array_entry
33: 0000000010000590 0 FUNC LOCAL DEFAULT [<localentry>: 8] 12 frame_dummy
34: 0000000010010df0 0 OBJECT LOCAL DEFAULT 16 __frame_dummy_init_array_entry
35: 0000000000000000 0 FILE LOCAL DEFAULT ABS relro.c
36: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
37: 0000000010000814 0 OBJECT LOCAL DEFAULT 15 __FRAME_END__
38: 0000000010010e00 0 OBJECT LOCAL DEFAULT 18 __JCR_END__
39: 0000000000000000 0 FILE LOCAL DEFAULT ABS
40: 0000000010000748 0 NOTYPE LOCAL DEFAULT 12 __glink_PLTresolve
41: 0000000010010df8 0 NOTYPE LOCAL DEFAULT 16 __init_array_end
42: 0000000010000400 0 NOTYPE LOCAL DEFAULT 12 00000017.plt_call.__libc_start_main@@GLIBC_2.17
43: 0000000010010e10 0 OBJECT LOCAL DEFAULT 20 _DYNAMIC
44: 0000000010010df0 0 NOTYPE LOCAL DEFAULT 16 __init_array_start
45: 0000000010019010 0 OBJECT LOCAL DEFAULT 22 .TOC.
46: 0000000010000730 16 FUNC GLOBAL DEFAULT 12 __libc_csu_fini
47: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTable
48: 0000000010011000 0 NOTYPE WEAK DEFAULT 21 data_start
49: 0000000000000000 0 OBJECT GLOBAL DEFAULT UND stderr@@GLIBC_2.17
50: 0000000010011048 0 NOTYPE GLOBAL DEFAULT 22 _edata
51: 0000000010000784 0 FUNC GLOBAL DEFAULT [<localentry>: 8] 13 _fini
52: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_2.17
53: 0000000000000000 0 OBJECT GLOBAL DEFAULT UND stdout@@GLIBC_2.17
54: 0000000010011000 0 NOTYPE GLOBAL DEFAULT 21 __data_start
55: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
56: 0000000010011008 0 OBJECT GLOBAL HIDDEN 21 __dso_handle
57: 00000000100007c8 4 OBJECT GLOBAL DEFAULT 14 _IO_stdin_used
58: 0000000010000650 212 FUNC GLOBAL DEFAULT [<localentry>: 8] 12 __libc_csu_init
59: 0000000010010e08 8 OBJECT GLOBAL DEFAULT 19 foo
60: 0000000010011068 0 NOTYPE GLOBAL DEFAULT 24 _end
61: 0000000010000410 68 FUNC GLOBAL DEFAULT [<localentry>: 8] 12 _start
62: 0000000010011048 0 NOTYPE GLOBAL DEFAULT 23 __bss_start
63: 0000000010000600 72 FUNC GLOBAL DEFAULT [<localentry>: 8] 12 main
64: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
65: 0000000010011010 0 OBJECT GLOBAL HIDDEN 22 __TMC_END__
66: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
67: 00000000100003c0 0 FUNC GLOBAL DEFAULT [<localentry>: 8] 11 _init
Version symbols section '.gnu.version' contains 5 entries:
Addr: 0000000010000336 Offset: 0x000336 Link: 5 (.dynsym)
000: 0 (*local*) 2 (GLIBC_2.17) 2 (GLIBC_2.17) 2 (GLIBC_2.17)
004: 0 (*local*)
Version needs section '.gnu.version_r' contains 1 entries:
Addr: 0x0000000010000340 Offset: 0x000340 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 1
0x0010: Name: GLIBC_2.17 Flags: none Version: 2
Displaying notes found at file offset 0x00000214 with length 0x00000020:
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 2.6.32
Displaying notes found at file offset 0x00000234 with length 0x00000024:
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: 073bde628552e31631eb5430466cfc541a5bf52c
== Comment: #4 - PAVAMAN SUBRAMANIYAM <pavsubra@xxxxxxxxxx> - 2015-01-05 01:42:05 ==
The problem is, if the linker does not set the alignment correctly, 'start' and 'end' will be equal and thus not protected. And this is happening on Ubuntu 14.04 due to the fact it uses the default binutils elf{32,64}-ppc.c ELF_COMMONPAGESIZE to align it to 4k instead of 64k.
There is a recent patch on the binutils-dev mailing list [1] to change the default to 64k, and Fedora rawhide (along with RHEL) already sets it [2] in its binutils.spec spec:
# On ppc64 and aarch64, we might use 64KiB pages
sed -i -e '/#define.*ELF_COMMONPAGESIZE/s/0x1000$/0x10000/' bfd/elf*ppc.c
sed -i -e '/#define.*ELF_COMMONPAGESIZE/s/0x1000$/0x10000/' bfd/elf*aarch64.c
Ubuntu for powerpc64le should do the same.
[1] https://sourceware.org/ml/binutils/2014-12/msg00165.html
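As an added illustration (not code from the bug report, binutils or glibc), the Python below mirrors the page rounding that glibc's _dl_protect_relro applies to the PT_GNU_RELRO segment and runs it over a constructed minimal ELF64 header that copies the GNU_RELRO values from the readelf output above (vaddr 0x10010df0, memsz 0x210). With 4K pages one page becomes read-only; with 64K pages the rounded start and end coincide and nothing is protected, which is the 'start' equals 'end' failure Comment #4 describes.

```python
import struct

PT_GNU_RELRO = 0x6474E552  # p_type of the GNU_RELRO program header

def find_relro(elf):
    """Return (p_vaddr, p_memsz) of the PT_GNU_RELRO header in an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, p_vaddr, p_memsz = fields[0], fields[3], fields[6]
        if p_type == PT_GNU_RELRO:
            return p_vaddr, p_memsz
    return None

def relro_protected_range(vaddr, memsz, pagesize):
    """What ld.so mprotect()s: glibc's _dl_protect_relro aligns both the start and
    the end of the segment *down* to a page boundary and only calls
    mprotect(PROT_READ) when they differ. Returns (start, end) or None."""
    start = vaddr & ~(pagesize - 1)
    end = (vaddr + memsz) & ~(pagesize - 1)
    return (start, end) if start != end else None

def build_sample_elf():
    """Constructed ELF64 LE header plus the LOAD and GNU_RELRO program headers
    taken from the bug's readelf output (entry 0x10000410, RELRO 0x10010df0/0x210)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 21, 1, 0x10000410,
                               64, 0, 2, 64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 6, 0xdf0, 0x10010df0, 0x10010df0,
                       0x258, 0x278, 0x10000)
    relro = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0xdf0, 0x10010df0,
                        0x10010df0, 0x210, 0x210, 1)
    return ehdr + load + relro

def check_relro(elf, pagesize):
    """Report whether the GNU_RELRO segment of `elf` survives page rounding."""
    hdr = find_relro(elf)
    if hdr is None:
        return "no GNU_RELRO segment"
    rng = relro_protected_range(hdr[0], hdr[1], pagesize)
    if rng is None:
        return "GNU_RELRO present but start == end after %dK rounding: nothing protected" % (pagesize // 1024)
    return "read-only range 0x%x-0x%x" % rng

if __name__ == "__main__":
    for ps in (4096, 65536):
        print("page size %6d: %s" % (ps, check_relro(build_sample_elf(), ps)))
```

With the 64k ELF_COMMONPAGESIZE the linker pads the segment so its end lands on a 64k boundary, and the same rounding then yields a non-empty range.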
** Affects: binutils (Ubuntu)
Importance: Undecided
Status: New
** Tags: architecture-ppc64le bot-comment bugnameltc-119945 severity-critical targetmilestone-inin1504
--
RELRO is not read-only on PowerLE (binutils)
https://bugs.launchpad.net/bugs/1407622