Current-Users archive


Re: ASLR still problematic with -lpthread



In article <20100831124707.GD6889%czapla.supermedia.pl@localhost>,
Piotr Meyer  <aniou%smutek.pl@localhost> wrote:
>My -current (with fixes mentioned in [1]) still has problems
>when ASLR is enabled and the app is linked with -lpthread, example:
>
>$ uname -a
>NetBSD lelek.smutek.pl 5.99.39 NetBSD 5.99.39 (GENERIC) #0: Tue Aug 31
>13:12:42 CEST 2010 
>root%lelek.smutek.pl@localhost:/usr/obj/sys/arch/i386/compile/GENERIC i386
>
>$ cat aslr.c
>#include <stdio.h>
>
>int
>main(int argc, char *argv[])
>{
>        printf("Stack %p\n", &argc);
>        return 0;
>}
>
>$ gcc aslr.c -o a; paxctl +A a
>$ for i in $(seq 1 1000); do ./a; done
>Stack 0xbf350640
>Stack 0xbfb8b6e8
>Stack 0xbfabdb3c
>Stack 0xbf7101e8
>Stack 0xbf8bb8ac
>Stack 0xbf5cd750
>[...]
>
> - all ok, even 10k runs without a single dump.
>
>
>$ gcc aslr.c -lpthread -o a; paxctl +A a
>$ for i in $(seq 1 1000); do ./a; done
>Stack 0xbfaa6d3c
>Stack 0xbf501110
>Stack 0xbf14c504
>Stack 0xbfa8c42c
>Stack 0xbf36ec7c
>Memory fault (core dumped) 
>
>A few backtraces:
>
>Core was generated by `a'.
>Program terminated with signal 11, Segmentation fault.
>#0  0xb137dc85 in pthread_suspend_np () from /usr/lib/libpthread.so.1
>(gdb) bt
>#0  0xb137dc85 in pthread_suspend_np () from /usr/lib/libpthread.so.1
>#1  0xb137e4e5 in pthread__init () from /usr/lib/libpthread.so.1
>#2  0xb132dca1 in __libc_init () from /usr/lib/libc.so.12
>#3  0xb1290538 in ?? () from /usr/lib/libc.so.12
>#4  0x00000000 in ?? ()
>
>
>Core was generated by `a'.
>Program terminated with signal 11, Segmentation fault.
>#0  0xb2898053 in free () from /usr/lib/libc.so.12
>(gdb) bt
>#0  0xb2898053 in free () from /usr/lib/libc.so.12
>#1  0xb2899859 in malloc () from /usr/lib/libc.so.12
>#2  0xb28ede24 in __smakebuf () from /usr/lib/libc.so.12
>#3  0xb28edc97 in __swsetup () from /usr/lib/libc.so.12
>#4  0xb28ccaa7 in __vfprintf_unlocked () from /usr/lib/libc.so.12
>#5  0xb28cf944 in vfprintf () from /usr/lib/libc.so.12
>#6  0xb28ca8f4 in printf () from /usr/lib/libc.so.12
>#7  0x080486b7 in main (argc=858980355, argv=0x0) at aslr.c:6
>
>
>Core was generated by `a'.
>Program terminated with signal 11, Segmentation fault.
>#0  0x00000000 in ?? ()
>(gdb) bt
>#0  0x00000000 in ?? ()
>#1  0x00000000 in ?? ()
>
>
>1. http://releng.netbsd.org/cgi-bin/req-5.cgi?show=1444

The problem is not with ASLR, but with the stupid way that our pthread
library deals with the stack. With ASLR you get a lot of random stack
values, which is why the code is exercised. The issue is that if your
stack base happens to be 0x???02000, for example, and your stackmask
is 0xffe00000, your base pointer calculation ends up below the base of
the stack (oops)... You can work around the problem by unlimiting
stacksize, but this stupidity with the stack needs to go, and it will.

christos
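To make the arithmetic in the reply concrete, here is a small added model of the stack-base derivation it describes; it is an illustration written for this page, not NetBSD's libpthread code. It assumes a 2 MiB stack size (so the mask is 0xffe00000 on i386), that the library recovers the stack region by masking an address on the stack, and uses constructed stack-top values: one aligned, one of the kind ASLR can pick.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model (not libpthread's code): the library assumes the main thread's
 * stack is a `size`-byte region aligned to `size`, so it derives the
 * region's base by masking any on-stack address with ~(size - 1).
 */
struct stack_region {
    uintptr_t base;   /* lowest address of the assumed region */
    uintptr_t limit;  /* one past the highest address */
};

/* Region the masking assumption yields for stack address `sp`. */
struct stack_region assumed_region(uintptr_t sp, uintptr_t size)
{
    uintptr_t mask = ~(size - 1);   /* 2 MiB -> 0xffe00000 on i386 */
    struct stack_region r = { sp & mask, (sp & mask) + size };
    return r;
}

/*
 * Does the assumed region lie inside the stack the kernel mapped?
 * `top` is the stack's highest address (one past the end) and `rlimit`
 * the stack size limit, so the real stack is [top - rlimit, top).
 */
int region_is_consistent(struct stack_region r, uintptr_t top, uintptr_t rlimit)
{
    return r.base >= top - rlimit && r.limit <= top;
}

int main(void)
{
    const uintptr_t size = 0x200000;   /* 2 MiB, mask 0xffe00000 */
    /* Constructed tops: the aligned case, and one ASLR could choose. */
    uintptr_t tops[] = { 0xbfc00000u, 0xbf302000u };
    for (size_t i = 0; i < 2; i++) {
        uintptr_t sp = tops[i] - 0x100;   /* an address just below the top */
        struct stack_region r = assumed_region(sp, size);
        printf("top %#lx sp %#lx -> assumed [%#lx, %#lx) %s\n",
               (unsigned long)tops[i], (unsigned long)sp,
               (unsigned long)r.base, (unsigned long)r.limit,
               region_is_consistent(r, tops[i], size)
                   ? "matches the real stack" : "does not match the real stack");
    }
    return 0;
}
```

With the aligned top the masked region coincides with the real stack; with the randomized top the masked region runs 0x200000 bytes from 0xbf200000, past the stack's actual end, so any bookkeeping placed by that calculation no longer sits where the stack really is.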
