
touch-packages team mailing list archive

[Bug 1407622] [NEW] RELRO is not read-only on PowerLE (binutils)

 

You have been subscribed to a public bug:

== Comment: #0 - PAVAMAN SUBRAMANIYAM <pavsubra@xxxxxxxxxx> - 2015-01-05 01:29:11 ==
---Problem Description---
RELRO is not read-only on PowerLE (binutils)
 
Contact Information = pavsubra@xxxxxxxxxx 
 
---uname output---
Linux ubuntu 3.16.0-28-generic #38-Ubuntu SMP Fri Dec 12 17:39:43 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux
 
Machine Type = P8 
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
Install a Ubuntu 15.04 PPC64 LE ISO as a guest VM on Power KVM host.
Then try building and executing the below mentioned RELRO test case.

root@ubuntu:~# cat relro.c
#include <stdio.h>

void *const foo = &stdout;

int main (void)
{
  *(void **) &foo = &stderr;
  return 0;
}

root@ubuntu:~# gcc -Wl,-z,relro relro.c
root@ubuntu:~# bash checkrelro.sh --file a.out
a.out - partial RELRO

root@ubuntu:~# ./a.out
root@ubuntu:~# echo $?
0
(passes, should segfault)

The reproducer looks like GOT is not read-only.

 
Userspace tool common name: binutils 
 
The userspace tool has the following bit modes: 64-bit 

Userspace rpm: binutils2.25-2ubuntu1

Userspace tool obtained from project website:  na 
 
*Additional Instructions for pavsubra@xxxxxxxxxx: 
-Post a private note with access information to the machine that the bug is occurring on.
-Attach ltrace and strace of userspace application.

== Comment: #3 - PAVAMAN SUBRAMANIYAM <pavsubra@xxxxxxxxxx> - 2015-01-05 01:33:21 ==
Adding output of readelf -Wa of the relro binary

root@ubuntu:~# readelf -Wa a.out
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           PowerPC64
  Version:                           0x1
  Entry point address:               0x10000410
  Start of program headers:          64 (bytes into file)
  Start of section headers:          6776 (bytes into file)
  Flags:                             0x2, abiv2
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         8
  Size of section headers:           64 (bytes)
  Number of section headers:         29
  Section header string table index: 26

Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        0000000010000200 000200 000011 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            0000000010000214 000214 000020 00   A  0   0  4
  [ 3] .note.gnu.build-id NOTE            0000000010000234 000234 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        0000000010000258 000258 00001c 00   A  5   0  8
  [ 5] .dynsym           DYNSYM          0000000010000278 000278 000078 18   A  6   1  8
  [ 6] .dynstr           STRTAB          00000000100002f0 0002f0 000045 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0000000010000336 000336 00000a 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         0000000010000340 000340 000020 00   A  6   1  8
  [ 9] .rela.dyn         RELA            0000000010000360 000360 000048 18   A  5   0  8
  [10] .rela.plt         RELA            00000000100003a8 0003a8 000018 18  AI  5  23  8
  [11] .init             PROGBITS        00000000100003c0 0003c0 00003c 00  AX  0   0  4
  [12] .text             PROGBITS        0000000010000400 000400 000384 00  AX  0   0 32
  [13] .fini             PROGBITS        0000000010000784 000784 000024 00  AX  0   0  4
  [14] .rodata           PROGBITS        00000000100007a8 0007a8 000024 00   A  0   0  8
  [15] .eh_frame         PROGBITS        00000000100007cc 0007cc 00004c 00   A  0   0  4
  [16] .init_array       INIT_ARRAY      0000000010010df0 000df0 000008 00  WA  0   0  8
  [17] .fini_array       FINI_ARRAY      0000000010010df8 000df8 000008 00  WA  0   0  8
  [18] .jcr              PROGBITS        0000000010010e00 000e00 000008 00  WA  0   0  8
  [19] .data.rel.ro      PROGBITS        0000000010010e08 000e08 000008 00  WA  0   0  8
  [20] .dynamic          DYNAMIC         0000000010010e10 000e10 0001f0 10  WA  6   0  8
  [21] .data             PROGBITS        0000000010011000 001000 000010 00  WA  0   0  8
  [22] .got              PROGBITS        0000000010011010 001010 000038 08  WA  0   0  8
  [23] .plt              NOBITS          0000000010011048 001048 000018 08  WA  0   0  8
  [24] .bss              NOBITS          0000000010011060 001048 000008 00  WA  0   0  1
  [25] .comment          PROGBITS        0000000000000000 001048 000048 01  MS  0   0  1
  [26] .shstrtab         STRTAB          0000000000000000 001090 0000fe 00      0   0  1
  [27] .symtab           SYMTAB          0000000000000000 001190 000660 18     28  46  8
  [28] .strtab           STRTAB          0000000000000000 0017f0 000281 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000010000040 0x0000000010000040 0x0001c0 0x0001c0 R E 0x8
  INTERP         0x000200 0x0000000010000200 0x0000000010000200 0x000011 0x000011 R   0x1
      [Requesting program interpreter: /lib64/ld64.so.2]
  LOAD           0x000000 0x0000000010000000 0x0000000010000000 0x000818 0x000818 R E 0x10000
  LOAD           0x000df0 0x0000000010010df0 0x0000000010010df0 0x000258 0x000278 RW  0x10000
  DYNAMIC        0x000e10 0x0000000010010e10 0x0000000010010e10 0x0001f0 0x0001f0 RW  0x8
  NOTE           0x000214 0x0000000010000214 0x0000000010000214 0x000044 0x000044 R   0x4
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x000df0 0x0000000010010df0 0x0000000010010df0 0x000210 0x000210 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .text .fini .rodata .eh_frame
   03     .init_array .fini_array .jcr .data.rel.ro .dynamic .data .got .plt .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06
   07     .init_array .fini_array .jcr .data.rel.ro .dynamic

Dynamic section at offset 0xe10 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x100003c0
 0x000000000000000d (FINI)               0x10000784
 0x0000000000000019 (INIT_ARRAY)         0x10010df0
 0x000000000000001b (INIT_ARRAYSZ)       8 (bytes)
 0x000000000000001a (FINI_ARRAY)         0x10010df8
 0x000000000000001c (FINI_ARRAYSZ)       8 (bytes)
 0x000000006ffffef5 (GNU_HASH)           0x10000258
 0x0000000000000005 (STRTAB)             0x100002f0
 0x0000000000000006 (SYMTAB)             0x10000278
 0x000000000000000a (STRSZ)              69 (bytes)
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000015 (DEBUG)              0x0
 0x0000000000000003 (PLTGOT)             0x10011048
 0x0000000000000002 (PLTRELSZ)           24 (bytes)
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000017 (JMPREL)             0x100003a8
 0x0000000070000000 (PPC64_GLINK)        0x10000760
 0x0000000070000003 (PPC64_OPT)          0x0
 0x0000000000000007 (RELA)               0x10000360
 0x0000000000000008 (RELASZ)             72 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x000000006ffffffe (VERNEED)            0x10000340
 0x000000006fffffff (VERNEEDNUM)         1
 0x000000006ffffff0 (VERSYM)             0x10000336
 0x0000000000000000 (NULL)               0x0

Relocation section '.rela.dyn' at offset 0x360 contains 3 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000010010e08  0000000300000026 R_PPC64_ADDR64         0000000000000000 stdout + 0
0000000010011018  0000000400000026 R_PPC64_ADDR64         0000000000000000 __gmon_start__ + 0
0000000010011040  0000000100000026 R_PPC64_ADDR64         0000000000000000 stderr + 0

Relocation section '.rela.plt' at offset 0x3a8 contains 1 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000010011058  0000000200000015 R_PPC64_JMP_SLOT       0000000000000000 __libc_start_main + 0

The decoding of unwind sections for machine type PowerPC64 is not
currently supported.

Symbol table '.dynsym' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stderr@GLIBC_2.17 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.17 (2)
     3: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stdout@GLIBC_2.17 (2)
     4: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__

Symbol table '.symtab' contains 68 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000010000200     0 SECTION LOCAL  DEFAULT    1
     2: 0000000010000214     0 SECTION LOCAL  DEFAULT    2
     3: 0000000010000234     0 SECTION LOCAL  DEFAULT    3
     4: 0000000010000258     0 SECTION LOCAL  DEFAULT    4
     5: 0000000010000278     0 SECTION LOCAL  DEFAULT    5
     6: 00000000100002f0     0 SECTION LOCAL  DEFAULT    6
     7: 0000000010000336     0 SECTION LOCAL  DEFAULT    7
     8: 0000000010000340     0 SECTION LOCAL  DEFAULT    8
     9: 0000000010000360     0 SECTION LOCAL  DEFAULT    9
    10: 00000000100003a8     0 SECTION LOCAL  DEFAULT   10
    11: 00000000100003c0     0 SECTION LOCAL  DEFAULT   11
    12: 0000000010000400     0 SECTION LOCAL  DEFAULT   12
    13: 0000000010000784     0 SECTION LOCAL  DEFAULT   13
    14: 00000000100007a8     0 SECTION LOCAL  DEFAULT   14
    15: 00000000100007cc     0 SECTION LOCAL  DEFAULT   15
    16: 0000000010010df0     0 SECTION LOCAL  DEFAULT   16
    17: 0000000010010df8     0 SECTION LOCAL  DEFAULT   17
    18: 0000000010010e00     0 SECTION LOCAL  DEFAULT   18
    19: 0000000010010e08     0 SECTION LOCAL  DEFAULT   19
    20: 0000000010010e10     0 SECTION LOCAL  DEFAULT   20
    21: 0000000010011000     0 SECTION LOCAL  DEFAULT   21
    22: 0000000010011010     0 SECTION LOCAL  DEFAULT   22
    23: 0000000010011048     0 SECTION LOCAL  DEFAULT   23
    24: 0000000010011060     0 SECTION LOCAL  DEFAULT   24
    25: 0000000000000000     0 SECTION LOCAL  DEFAULT   25
    26: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS crtstuff.c
    27: 0000000010010e00     0 OBJECT  LOCAL  DEFAULT   18 __JCR_LIST__
    28: 0000000010000460     0 FUNC    LOCAL  DEFAULT [<localentry>: 8]    12 deregister_tm_clones
    29: 00000000100004d0     0 FUNC    LOCAL  DEFAULT [<localentry>: 8]    12 register_tm_clones
    30: 0000000010000540     0 FUNC    LOCAL  DEFAULT [<localentry>: 8]    12 __do_global_dtors_aux
    31: 0000000010011060     1 OBJECT  LOCAL  DEFAULT   24 completed.8817
    32: 0000000010010df8     0 OBJECT  LOCAL  DEFAULT   17 __do_global_dtors_aux_fini_array_entry
    33: 0000000010000590     0 FUNC    LOCAL  DEFAULT [<localentry>: 8]    12 frame_dummy
    34: 0000000010010df0     0 OBJECT  LOCAL  DEFAULT   16 __frame_dummy_init_array_entry
    35: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS relro.c
    36: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS crtstuff.c
    37: 0000000010000814     0 OBJECT  LOCAL  DEFAULT   15 __FRAME_END__
    38: 0000000010010e00     0 OBJECT  LOCAL  DEFAULT   18 __JCR_END__
    39: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS
    40: 0000000010000748     0 NOTYPE  LOCAL  DEFAULT   12 __glink_PLTresolve
    41: 0000000010010df8     0 NOTYPE  LOCAL  DEFAULT   16 __init_array_end
    42: 0000000010000400     0 NOTYPE  LOCAL  DEFAULT   12 00000017.plt_call.__libc_start_main@@GLIBC_2.17
    43: 0000000010010e10     0 OBJECT  LOCAL  DEFAULT   20 _DYNAMIC
    44: 0000000010010df0     0 NOTYPE  LOCAL  DEFAULT   16 __init_array_start
    45: 0000000010019010     0 OBJECT  LOCAL  DEFAULT   22 .TOC.
    46: 0000000010000730    16 FUNC    GLOBAL DEFAULT   12 __libc_csu_fini
    47: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTable
    48: 0000000010011000     0 NOTYPE  WEAK   DEFAULT   21 data_start
    49: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stderr@@GLIBC_2.17
    50: 0000000010011048     0 NOTYPE  GLOBAL DEFAULT   22 _edata
    51: 0000000010000784     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]    13 _fini
    52: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@@GLIBC_2.17
    53: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stdout@@GLIBC_2.17
    54: 0000000010011000     0 NOTYPE  GLOBAL DEFAULT   21 __data_start
    55: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
    56: 0000000010011008     0 OBJECT  GLOBAL HIDDEN    21 __dso_handle
    57: 00000000100007c8     4 OBJECT  GLOBAL DEFAULT   14 _IO_stdin_used
    58: 0000000010000650   212 FUNC    GLOBAL DEFAULT [<localentry>: 8]    12 __libc_csu_init
    59: 0000000010010e08     8 OBJECT  GLOBAL DEFAULT   19 foo
    60: 0000000010011068     0 NOTYPE  GLOBAL DEFAULT   24 _end
    61: 0000000010000410    68 FUNC    GLOBAL DEFAULT [<localentry>: 8]    12 _start
    62: 0000000010011048     0 NOTYPE  GLOBAL DEFAULT   23 __bss_start
    63: 0000000010000600    72 FUNC    GLOBAL DEFAULT [<localentry>: 8]    12 main
    64: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses
    65: 0000000010011010     0 OBJECT  GLOBAL HIDDEN    22 __TMC_END__
    66: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMCloneTable
    67: 00000000100003c0     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]    11 _init

Version symbols section '.gnu.version' contains 5 entries:
 Addr: 0000000010000336  Offset: 0x000336  Link: 5 (.dynsym)
  000:   0 (*local*)       2 (GLIBC_2.17)    2 (GLIBC_2.17)    2 (GLIBC_2.17)
  004:   0 (*local*)

Version needs section '.gnu.version_r' contains 1 entries:
 Addr: 0x0000000010000340  Offset: 0x000340  Link: 6 (.dynstr)
  000000: Version: 1  File: libc.so.6  Cnt: 1
  0x0010:   Name: GLIBC_2.17  Flags: none  Version: 2

Displaying notes found at file offset 0x00000214 with length 0x00000020:
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 2.6.32

Displaying notes found at file offset 0x00000234 with length 0x00000024:
  Owner                 Data size       Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 073bde628552e31631eb5430466cfc541a5bf52c

== Comment: #4 - PAVAMAN SUBRAMANIYAM <pavsubra@xxxxxxxxxx> - 2015-01-05 01:42:05 ==
The problem is, if the linker does not set the alignment correctly, 'start' and 'end' will be equal and thus not protected. And this is happening on Ubuntu 14.04 due to the fact it uses the default binutils elf{32,64}-ppc.c ELF_COMMONPAGESIZE to align it to 4k instead of 64k.

There is a recent patch on the binutils-dev mailing list [1] to change the
default to 64k, and Fedora rawhide (along with RHEL) already sets it [2]
in its binutils.spec:

# On ppc64 and aarch64, we might use 64KiB pages
sed -i -e '/#define.*ELF_COMMONPAGESIZE/s/0x1000$/0x10000/' bfd/elf*ppc.c
sed -i -e '/#define.*ELF_COMMONPAGESIZE/s/0x1000$/0x10000/' bfd/elf*aarch64.c

Ubuntu for powerpc64le should do the same.

[1] https://sourceware.org/ml/binutils/2014-12/msg00165.html
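The 'start' and 'end' collapse described in comment #4 can be checked directly from the program headers shown in comment #3. The dynamic loader (glibc's _dl_protect_relro) rounds both the start and the end of PT_GNU_RELRO down to the runtime page size and then mprotect()s that range read-only; when the linker has padded the segment for 4 KiB pages but the kernel runs with 64 KiB pages, the two rounded addresses coincide and nothing is protected, which is why the reproducer above exits 0 instead of faulting on its write to `foo` (at 0x10010e08, inside GNU_RELRO). The script below is an added example and is not code from the bug reporter, binutils or glibc: it parses PT_GNU_RELRO out of an ELF64 little-endian image with struct, applies the loader's rounding for a chosen page size, and reports whether any page actually ends up read-only. The ELF image it builds is a constructed minimal header plus one program header carrying the VirtAddr/MemSiz values from the readelf output (0x10010df0 / 0x210); `check_file` is a hypothetical helper for running the same check on a real binary. The second, 64 KiB-aligned layout in the main block is constructed to show what a correctly aligned segment looks like, not taken from the page.

```python
"""Does a PT_GNU_RELRO segment still protect anything at the runtime page size?

Added example (not from the bug report, binutils or glibc). Assumes the
glibc loader behaviour: start and end of the RELRO segment are both rounded
DOWN to the page size, and [start, end) is mprotect()ed read-only only when
start != end.
"""
import struct

PT_GNU_RELRO = 0x6474E552              # p_type of the GNU_RELRO program header
PHDR_FMT = "<IIQQQQQQ"                 # Elf64_Phdr, little-endian, 56 bytes
EHDR_FMT = "<4sBBBBB7xHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes


def relro_range(vaddr, memsz, pagesize):
    """Region the loader will make read-only: both ends rounded down to pagesize."""
    start = vaddr & ~(pagesize - 1)
    end = (vaddr + memsz) & ~(pagesize - 1)
    return start, end


def relro_is_effective(vaddr, memsz, pagesize):
    """True if at least one whole page becomes read-only."""
    start, end = relro_range(vaddr, memsz, pagesize)
    return end > start


def find_gnu_relro(data):
    """Return (p_vaddr, p_memsz) of PT_GNU_RELRO in an ELF64 LE image, or None."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, _flags, _offset, p_vaddr, _paddr, _filesz, p_memsz, _align = fields
        if p_type == PT_GNU_RELRO:
            return p_vaddr, p_memsz
    return None


def check_file(path, pagesize):
    """Hypothetical helper: classify a real binary on disk for a given page size."""
    with open(path, "rb") as f:
        seg = find_gnu_relro(f.read())
    if seg is None:
        return "no RELRO segment"
    return "RELRO effective" if relro_is_effective(*seg, pagesize) else "RELRO collapsed"


def build_sample_image(vaddr, memsz):
    """Constructed minimal ELF64 LE image: header plus a single GNU_RELRO phdr.

    e_machine 21 is EM_PPC64 and e_flags 2 matches the 'abiv2' flag in the
    readelf output above; there is no code or data in the image.
    """
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF", 2, 1, 1, 0, 0,
                       2, 21, 1, 0, 64, 0, 2, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, 0, vaddr, vaddr, memsz, memsz, 1)
    return ehdr + phdr


if __name__ == "__main__":
    # (vaddr, memsz) pairs: the first is the GNU_RELRO header from the page's
    # readelf output; the second is a constructed 64 KiB-aligned layout.
    layouts = {"page's a.out (4k-aligned)": (0x10010DF0, 0x210),
               "constructed 64k-aligned": (0x1001FDF0, 0x210)}
    for name, (vaddr, memsz) in layouts.items():
        vaddr, memsz = find_gnu_relro(build_sample_image(vaddr, memsz))
        for pagesize in (0x1000, 0x10000):
            start, end = relro_range(vaddr, memsz, pagesize)
            verdict = "ok" if end > start else "NOTHING PROTECTED"
            print(f"{name}, page {pagesize:#x}: [{start:#x}, {end:#x}) {verdict}")
```

For the page's binary the 4 KiB case yields [0x10010000, 0x10011000) and the 64 KiB case [0x10010000, 0x10010000), i.e. an empty range, which is exactly the 'start' equals 'end' situation comment #4 describes. A linker built with ELF_COMMONPAGESIZE 0x10000 pads the segment so that its end lands on a 64 KiB boundary, and the range is then non-empty under both page sizes.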

** Affects: binutils (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: architecture-ppc64le bot-comment bugnameltc-119945 severity-critical targetmilestone-inin1504
-- 
RELRO is not read-only on PowerLE (binutils)
https://bugs.launchpad.net/bugs/1407622
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to binutils in Ubuntu.