From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 26265 invoked by alias); 8 Jun 2008 09:43:11 -0000 Received: (qmail 26256 invoked by uid 22791); 8 Jun 2008 09:43:09 -0000 X-Spam-Check-By: sourceware.org Received: from host0.dyn.jankratochvil.net (HELO host0.dyn.jankratochvil.net) (89.250.240.59) by sourceware.org (qpsmtpd/0.31) with ESMTP; Sun, 08 Jun 2008 09:42:34 +0000 Received: from host0.dyn.jankratochvil.net (localhost [127.0.0.1]) by host0.dyn.jankratochvil.net (8.14.2/8.14.2) with ESMTP id m589gEgp011171; Sun, 8 Jun 2008 11:42:14 +0200 Received: (from jkratoch@localhost) by host0.dyn.jankratochvil.net (8.14.2/8.14.2/Submit) id m589gDtC011170; Sun, 8 Jun 2008 11:42:13 +0200 Date: Sun, 08 Jun 2008 09:43:00 -0000 From: Jan Kratochvil To: Eli Zaretskii Cc: gdb-patches@sourceware.org, Andreas Schwab Subject: Re: [patch] Disable child VMA randomizations Message-ID: <20080608094213.GA14515@host0.dyn.jankratochvil.net> References: <20080607195343.GA10039@host0.dyn.jankratochvil.net> <20080607195343.GA10039@host0.dyn.jankratochvil.net> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="NDin8bjvE/0mNLFQ" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.17 (2007-11-01) X-IsSubscribed: yes Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-patches-owner@sourceware.org X-SW-Source: 2008-06/txt/msg00132.txt.bz2 --NDin8bjvE/0mNLFQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-length: 4794 On Sat, 07 Jun 2008 22:41:09 +0200, Andreas Schwab wrote: ... > This is underquoted. All arguments containing nested macro invocations > should be quoted. Fixed, thanks. On Sat, 07 Jun 2008 22:42:42 +0200, Eli Zaretskii wrote: ... > That longish sentence could be made both shorter and more clear. How > about this one: > > "Disabling randomization of debuggee's virtual address space is %s." Used your wording. > "breakpoints"? Copy/paste error, right? Fixed. +Set disabling of debuggee's virtual address space randomization."), _("\ +Show disabling of debuggee's virtual address space randomization."), _("\ > > +When this mode is on (which is the default), the randomization of\n\ > > +the virtual address space is disabled (turns on ADDR_NO_RANDOMIZE).\n\ > ^^^^^^^^^^^^^^^^^^^^^^^^^^ > What is this supposed to tell Joe Random Hacker who uses GDB to debug > his/her program? What is ADDR_NO_RANDOMIZE? ctags will find him /usr/include/linux/personality.h: ADDR_NO_RANDOMIZE = 0x0040000, /* disable randomization of VA space */ Removed my whole text in brackets. > > +Standalone programs run with the randomization enabled by default."), > > On some platforms, right? Fixed. Standalone programs run with the\n\ +randomization enabled by default on the GNU/Linux platform."), > > +get assigned differently on each run some subtle bugs may be reproducible only > > +with specially assigned addresses possibly not reachable with the default > > +setting of @kbd{set disable-randomization on}. > > Can you explain this sentence? I'd like to suggest a better wording, > but I can't do that unless I understand what is it that you are trying > to say here. New text: As some debuggee's +bugs may depend on the assigned addresses the default @value{GDBN} behavior of +disabling the randomization may make some debuggee's bugs unreproducible. You +may want to run the debuggee many times with the randomization enabled (and +thus this option disabled) to catch such kind of bugs. Correctly written +programs must run the same way notwithstanding this configuration option. I do not know about such a bug example off hand but sure there can be such one created (such as not expecting \x00 in an adress which would never coincidentally happen when the randomization is disabled - although 0x00 is more expected with the randomization disabled as the addresses are then lower). > > +PIE executables (type @code{ET_DYN}, compiled by @code{gcc -fPIE -pie}) have > > +randomized everything - the executable base address, shared libraries base > > +address (their prelinking is ignored), mmap areas, stack and heap. Regular > > +executables (type @code{ET_EXEC}) do not have randomized their base address, > > +shared libraries base address is ranomized only for non-prelinked libraries, > > +mmap, stack and heap are still randomized. > > There's too much unexplained technical details here, so much so that > this paragraph sounds like it was meant only for the initiated. It is mostly explained at: http://lwn.net/Articles/190139/ I expected the full explanation is inappropriate for the GDB manual but I tried to include it in this patch: +The virtual address space randomization is implemented only on @sc{gnu}/Linux. +It protects the programs against some kinds of security attacks. In these +cases the attacker needs to know the exact location of a concrete executable +code. Randomizing its location makes it impossible to inject jumps misusing +a code at its expected addresses. + +Prelinking shared libraries provides a startup performance advantage but it +makes addresses in these libraries predictable for privileged processes by +having just unprivileged access at the target system. Reading the shared +library binary gives enough information for assembling the malicious code +misusing it. Still even a prelinked shared library can get loaded a a new +random address just requiring the regular relocation process during the +startup. Shared libraries not already prelinked are always loaded at +a randomly chosen address. + +Position independent executables (PIE) contain position independent code +similar to the shared libraries and therefore such executables get loaded at +a randomly chosen address upon startup. PIE executables always load even +already prelinked shared libraries at a random address. You can build such +executable using @command{gcc -fPIE -pie}. + +Heap (malloc storage), stack and custom mmap areas are always placed randomly +(as long as the randomization is enabled). > and "ranomized" is a typo. Fixed, spell-checked this time. Thanks for the doc review. (Patch now additionally prefers the system definition of ADDR_NO_RANDOMIZE.) Regards, Jan --NDin8bjvE/0mNLFQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline; filename="gdb-derandomize2.patch" Content-length: 16789 2008-06-08 Jan Kratochvil * configure.ac: Add check for HAVE_PERSONALITY and HAVE_DECL_ADDR_NO_RANDOMIZE. * configure, config.in: Regenerate. * fork-child.c: New include . [HAVE_PERSONALITY]: New include . [HAVE_PERSONALITY] (set_disable_randomization): New function. (disable_randomization, show_disable_randomization): New. (fork_inferior) [HAVE_PERSONALITY] [!HAVE_DECL_ADDR_NO_RANDOMIZE]: Set ADDR_NO_RANDOMIZE. (fork_inferior) [HAVE_PERSONALITY]: Disable randomization upon the variable DISABLE_RANDOMIZATION. (_initialize_fork_child): Call ADD_SETSHOW_BOOLEAN_CMD for the variable DISABLE_RANDOMIZATION. 2008-06-08 Jan Kratochvil * gdb.texinfo (Starting): Document "set disable-randomization". 2008-06-08 Jan Kratochvil * gdb.base/randomize.exp, gdb.base/randomize.c: New files. --- gdb/config.in 5 Jun 2008 22:36:56 -0000 1.100 +++ gdb/config.in 8 Jun 2008 09:11:44 -0000 @@ -82,6 +82,10 @@ /* Define to 1 if you have the header file. */ #undef HAVE_CURSES_H +/* Define to 1 if you have the declaration of `ADDR_NO_RANDOMIZE', and to 0 if + you don't. */ +#undef HAVE_DECL_ADDR_NO_RANDOMIZE + /* Define to 1 if you have the declaration of `free', and to 0 if you don't. */ #undef HAVE_DECL_FREE @@ -237,6 +241,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NLIST_H +/* Define if you support the personality syscall. */ +#undef HAVE_PERSONALITY + /* Define to 1 if you have the `poll' function. */ #undef HAVE_POLL --- gdb/configure 5 Jun 2008 22:36:56 -0000 1.249 +++ gdb/configure 8 Jun 2008 09:11:56 -0000 @@ -26701,6 +26701,188 @@ _ACEOF fi +echo "$as_me:$LINENO: checking whether ADDR_NO_RANDOMIZE is declared" >&5 +echo $ECHO_N "checking whether ADDR_NO_RANDOMIZE is declared... $ECHO_C" >&6 +if test "${ac_cv_have_decl_ADDR_NO_RANDOMIZE+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +#ifndef ADDR_NO_RANDOMIZE + char *p = (char *) ADDR_NO_RANDOMIZE; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_have_decl_ADDR_NO_RANDOMIZE=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_have_decl_ADDR_NO_RANDOMIZE=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_have_decl_ADDR_NO_RANDOMIZE" >&5 +echo "${ECHO_T}$ac_cv_have_decl_ADDR_NO_RANDOMIZE" >&6 +if test $ac_cv_have_decl_ADDR_NO_RANDOMIZE = yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_ADDR_NO_RANDOMIZE 1 +_ACEOF + + +else + cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_ADDR_NO_RANDOMIZE 0 +_ACEOF + + +fi + + + +if test "$cross_compiling" = yes; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ + +# if !HAVE_DECL_ADDR_NO_RANDOMIZE +# define ADDR_NO_RANDOMIZE 0x0040000 +# endif + /* Test the flag could be set and stays set. */ + personality (personality (0xffffffff) | ADDR_NO_RANDOMIZE); + if (!(personality (personality (0xffffffff)) & ADDR_NO_RANDOMIZE)) + return 1 + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + have_personality=true +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +have_personality=false +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +int +main () +{ + +# if !HAVE_DECL_ADDR_NO_RANDOMIZE +# define ADDR_NO_RANDOMIZE 0x0040000 +# endif + /* Test the flag could be set and stays set. */ + personality (personality (0xffffffff) | ADDR_NO_RANDOMIZE); + if (!(personality (personality (0xffffffff)) & ADDR_NO_RANDOMIZE)) + return 1 + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + have_personality=true +else + echo "$as_me: program exited with status $ac_status" >&5 +echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +have_personality=false +fi +rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +if $have_personality +then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_PERSONALITY 1 +_ACEOF + +fi + # Check whether --with-sysroot or --without-sysroot was given. --- gdb/configure.ac 5 Jun 2008 22:36:56 -0000 1.69 +++ gdb/configure.ac 8 Jun 2008 09:11:57 -0000 @@ -1266,6 +1266,29 @@ if test "x$gdb_cv_sys_syscall_h_has_tkil AC_DEFINE(HAVE_TKILL_SYSCALL, 1, [Define if you support the tkill syscall.]) fi +dnl Check if we can disable the virtual address space randomization. +dnl The functionality of setarch -R. +AC_CHECK_DECLS([ADDR_NO_RANDOMIZE],,, [#include ]) +define([PERSONALITY_TEST], [AC_LANG_PROGRAM([#include ], [ +# if !HAVE_DECL_ADDR_NO_RANDOMIZE +# define ADDR_NO_RANDOMIZE 0x0040000 +# endif + /* Test the flag could be set and stays set. */ + personality (personality (0xffffffff) | ADDR_NO_RANDOMIZE); + if (!(personality (personality (0xffffffff)) & ADDR_NO_RANDOMIZE)) + return 1])]) +AC_RUN_IFELSE([PERSONALITY_TEST], + [have_personality=true], + [have_personality=false], + [AC_LINK_IFELSE([PERSONALITY_TEST], + [have_personality=true], + [have_personality=false])]) +if $have_personality +then + AC_DEFINE([HAVE_PERSONALITY], 1, + [Define if you support the personality syscall.]) +fi + dnl Handle optional features that can be enabled. AC_ARG_WITH(sysroot, --- gdb/fork-child.c 15 Mar 2008 14:55:21 -0000 1.41 +++ gdb/fork-child.c 8 Jun 2008 09:12:05 -0000 @@ -35,6 +35,10 @@ #include "solib.h" #include +#include +#ifdef HAVE_PERSONALITY +# include +#endif /* This just gets used as a default if we can't find SHELL. */ #define SHELL_FILE "/bin/sh" @@ -42,6 +46,33 @@ extern char **environ; static char *exec_wrapper; +static int disable_randomization = +#ifdef HAVE_PERSONALITY + 1; +#else + 0; +#endif + +#ifndef HAVE_PERSONALITY +static void +set_disable_randomization (char *args, int from_tty, struct cmd_list_element *c) +{ + if (disable_randomization) + { + disable_randomization = 0; + error (_("Unsupported on this platform.")); + } +} +#endif + +static void +show_disable_randomization (struct ui_file *file, int from_tty, + struct cmd_list_element *c, const char *value) +{ + fprintf_filtered (file, _("\ +Disabling randomization of debuggee's virtual address space is %s.\n"), + value); +} /* Break up SCRATCH into an argument vector suitable for passing to execvp and store it in ARGV. E.g., on "run a b c d" this routine @@ -303,6 +334,24 @@ fork_inferior (char *exec_file_arg, char if (debug_fork) sleep (debug_fork); +#ifdef HAVE_PERSONALITY +# if !HAVE_DECL_ADDR_NO_RANDOMIZE +# define ADDR_NO_RANDOMIZE 0x0040000 +# endif + if (disable_randomization) + { + int val; + + errno = 0; + val = personality (0xffffffff); + if (errno == 0) + personality (val | ADDR_NO_RANDOMIZE); + if (errno != 0 || !(personality (0xffffffff) & ADDR_NO_RANDOMIZE)) + warning (_("Currently enabled disable-randomization is unsupported " + "on this platform.")); + } +#endif /* HAVE_PERSONALITY */ + /* Create a new session for the inferior process, if necessary. It will also place the inferior in a separate process group. */ if (create_tty_session () <= 0) @@ -490,4 +539,19 @@ Show the wrapper for running programs.") add_cmd ("exec-wrapper", class_run, unset_exec_wrapper_command, _("Disable use of an execution wrapper."), &unsetlist); + + add_setshow_boolean_cmd ("disable-randomization", class_support, + &disable_randomization, _("\ +Set disabling of debuggee's virtual address space randomization."), _("\ +Show disabling of debuggee's virtual address space randomization."), _("\ +When this mode is on (which is the default), the randomization of\n\ +the virtual address space is disabled. Standalone programs run with the\n\ +randomization enabled by default on the GNU/Linux platform."), +#ifdef HAVE_PERSONALITY + NULL, +#else + &set_disable_randomization, +#endif + &show_disable_randomization, + &setlist, &showlist); } --- gdb/doc/gdb.texinfo 6 Jun 2008 20:58:08 -0000 1.503 +++ gdb/doc/gdb.texinfo 8 Jun 2008 09:12:34 -0000 @@ -1999,6 +1999,57 @@ environment: This command is available when debugging locally on most targets, excluding @sc{djgpp}, Cygwin, MS Windows, and QNX Neutrino. +@kindex set disable-randomization +@item set disable-randomization +@itemx set disable-randomization on +This option (enabled by default in @value{GDBN}) will turn off the native +randomization of the virtual address space of the started program. This option +is useful for multiple debugging sessions to make the execution better +reproducible and memory addresses reusable across debugging sessions. + +This feature is implemented only on @sc{gnu}/Linux. You can get the same +behavior using + +@smallexample +(@value{GDBP}) set exec-wrapper setarch `uname -m` -R +@end smallexample + +@item set disable-randomization off +Leave the behavior of the started executable unchanged. As some debuggee's +bugs may depend on the assigned addresses the default @value{GDBN} behavior of +disabling the randomization may make some debuggee's bugs unreproducible. You +may want to run the debuggee many times with the randomization enabled (and +thus this option disabled) to catch such kind of bugs. Correctly written +programs must run the same way notwithstanding this configuration option. + +The virtual address space randomization is implemented only on @sc{gnu}/Linux. +It protects the programs against some kinds of security attacks. In these +cases the attacker needs to know the exact location of a concrete executable +code. Randomizing its location makes it impossible to inject jumps misusing +a code at its expected addresses. + +Prelinking shared libraries provides a startup performance advantage but it +makes addresses in these libraries predictable for privileged processes by +having just unprivileged access at the target system. Reading the shared +library binary gives enough information for assembling the malicious code +misusing it. Still even a prelinked shared library can get loaded a a new +random address just requiring the regular relocation process during the +startup. Shared libraries not already prelinked are always loaded at +a randomly chosen address. + +Position independent executables (PIE) contain position independent code +similar to the shared libraries and therefore such executables get loaded at +a randomly chosen address upon startup. PIE executables always load even +already prelinked shared libraries at a random address. You can build such +executable using @command{gcc -fPIE -pie}. + +Heap (malloc storage), stack and custom mmap areas are always placed randomly +(as long as the randomization is enabled). + +@item show disable-randomization +Show the current setting of the explicit disable of the native randomization of +the virtual address space of the started program. + @end table @node Arguments --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ gdb/testsuite/gdb.base/randomize.c 8 Jun 2008 09:12:35 -0000 @@ -0,0 +1,32 @@ +/* This testcase is part of GDB, the GNU debugger. + + Copyright 2008 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Please email any bugs, comments, and/or additions to this file to: + bug-gdb@prep.ai.mit.edu */ + +#include +#include + +int main() +{ + void *p; + + p = malloc (1); + printf ("address = %p\n", p); + + return 0; +} --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ gdb/testsuite/gdb.base/randomize.exp 8 Jun 2008 09:12:35 -0000 @@ -0,0 +1,63 @@ +# Copyright 2008 Free Software Foundation, Inc. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +set testfile randomize +set srcfile ${testfile}.c +set binfile ${objdir}/${subdir}/${testfile} +if { [gdb_compile "${srcdir}/${subdir}/${srcfile}" "${binfile}" executable {debug}] != "" } { + untested "Couldn't compile test program" + return -1 +} + +# Get things started. + +gdb_exit +gdb_start +gdb_reinitialize_dir $srcdir/$subdir +gdb_load ${binfile} + +proc address_get { testname } { + global gdb_prompt + + if {![runto_main]} { + return -1 + } + gdb_test_multiple "continue" $testname { + -re "address = (0x\[0-9a-f\]*).*Program exited normally..*$gdb_prompt $" { + pass $testname + return $expect_out(1,string) + } + } +} + +gdb_test "set disable-randomization off" +set addr1 [address_get "randomized first address"] +set addr2 [address_get "randomized second address"] +set test "randomized addresses should not match" +if {$addr1 eq $addr2} { + fail $test +} else { + pass $test +} + +gdb_test "set disable-randomization on" +set addr1 [address_get "fixed first address"] +set addr2 [address_get "fixed second address"] +set test "fixed addresses should match" +if {$addr1 eq $addr2} { + pass $test +} else { + fail $test +} --NDin8bjvE/0mNLFQ--