Bug 1321017 - glibc is not using ASLR
Summary: glibc is not using ASLR
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Carlos O'Donell
QA Contact: qe-baseos-tools-bugs
Reported: 2016-03-24 13:51 UTC by Chunyu Hu
Modified: 2016-03-24 14:06 UTC (History)
Doc Type: Bug Fix
Last Closed: 2016-03-24 14:06:43 UTC
Links:
Red Hat Knowledge Base (Solution) 93743 (last updated 2016-03-24 13:56:47 UTC)

Description Chunyu Hu 2016-03-24 13:51:01 UTC
Description of problem:

The stack and vdso are implementing ASLR. But on RHEL-6.8-20160315.0, ASLR is not working for the load address of libc. After comparing the output with RHEL 7.2, I found that when loading the libc r-xp segment, a fixed addr is given to sys_mmap.

So this looks like an issue. I am filing a bz here to track it; even if I'm wrong, we can close it. And I hope I am right to file the bz against glibc.

Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce: On an Intel cpu box:

[root@ibm-x3650m4-06 ~]# hostname 
ibm-x3650m4-06.rhts.eng.pek2.redhat.com

[root@ibm-x3650m4-06 ~]# for i in $(seq 1 10);do cat /proc/self/maps  | grep "r-xp.*libc" 2>&1| awk  -F " " '{print $1}';done
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000

----------------------------------
Amd family21:

[root@amd-dinar-01 ~]# hostname 
amd-dinar-01.lab.bos.redhat.com

[root@amd-dinar-01 ~]# for i in $(seq 1 10);do cat /proc/self/maps  | grep "r-xp.*libc" 2>&1| awk  -F " " '{print $1}';done
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000
333e000000-333e18a000

[root@ibm-x3650m4-06 ~]# uname -r
2.6.32-627.el6.x86_64

[root@ibm-x3650m4-06 ~]# rpm -q glibc
glibc-2.12-1.192.el6.x86_64



Actual results:

glibc address is not randomized but fixed.

Expected results:

it should be randomized.

Additional info: Bug1240883

Executed the stap below on the amd box above:
I can see that 220083519488 is always delivered to sys_mmap, and its hex value is 333e000000.

[root@amd-dinar-01 ~]# stap -e 'probe kernel.function("sys_mmap") { println($$vars$$)}' -c 'cat /proc/self/maps '  | grep ^addr
addr=0 len=4096 prot=3 flags=34 fd=4294967295 off=0 error=?
addr=0 len=46887 prot=1 flags=2 fd=3 off=0 error=?
addr=220083519488 len=3750184 prot=5 flags=2050 fd=3 off=0 error=?
addr=220087230464 len=24576 prot=3 flags=2066 fd=3 off=1613824 error=?
addr=220087255040 len=14632 prot=3 flags=50 fd=4294967295 off=0 error=?
addr=0 len=4096 prot=3 flags=34 fd=4294967295 off=0 error=?
addr=0 len=4096 prot=3 flags=34 fd=4294967295 off=0 error=?
addr=0 len=4096 prot=3 flags=34 fd=4294967295 off=0 error=?
addr=0 len=99164480 prot=1 flags=2 fd=3 off=0 error=?

Comment 1 Florian Weimer 2016-03-24 13:54:12 UTC
The addresses look like prelink is enabled during your test.  Please disable it and try again.

prelink defaults changed between Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Comment 2 Chunyu Hu 2016-03-24 13:55:40 UTC
(In reply to Florian Weimer from comment #1)
> The addresses look like prelink is enabled during your test.  Please disable
> it and try again.
> 
> prelink defaults changed between Red Hat Enterprise Linux 6 and Red Hat
> Enterprise Linux 7.

How should I disable prelink? Can you provide a simple step? Thanks.

Comment 3 Florian Weimer 2016-03-24 13:56:47 UTC
Please see this solution: https://access.redhat.com/solutions/93743

Comment 5 Chunyu Hu 2016-03-24 14:05:12 UTC
(In reply to Florian Weimer from comment #3)
> Please see this solution: https://access.redhat.com/solutions/93743

Thanks for the info, although I can't open it. After disabling prelink, the address is randomized. So this is just a configuration issue, which cost the two of us much time to reproduce / debug. How funny it is. Thanks so much. Is there anything more we can do for this? If not, please feel free to close this.


[root@amd-dinar-01 ~]# for i in $(seq 1 10);do cat /proc/self/maps  | grep "r-xp.*libc" 2>&1| awk  -F " " '{print $1}';done
7f6e2dc92000-7f6e2de1c000
7f93198fd000-7f9319a87000
7f5c7d952000-7f5c7dadc000
7f9ea8f9d000-7f9ea9127000
7f780da10000-7f780db9a000
7f302015b000-7f30202e5000
7fcc26204000-7fcc2638e000
7ffbd801b000-7ffbd81a5000
7f2b11e0a000-7f2b11f94000
7ff80b7e7000-7ff80b971000
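
The check the reporter ran, packaged as an added example script (not from the bug report, glibc or prelink): it samples the libc text mapping of fresh processes and reports whether the address is randomized, reads the PRELINKING setting from /etc/sysconfig/prelink (the RHEL 6 knob; the file path is assumed to be that one), and converts the decimal addr the stap probe printed to hex. The embedded samples are constructed by copying the prelinked and un-prelinked outputs above.

```shell
#!/bin/sh
# Added example, not code from the bug report: is libc's load address
# randomized across processes, and is prelink switched on?

# libc_text_range: print start-end of the first r-xp libc mapping from a
# /proc/<pid>/maps listing read on stdin (same filter as the report).
libc_text_range() {
    awk '$2 == "r-xp" && $NF ~ /libc/ { print $1; exit }'
}

# aslr_verdict: read one address range per line from stdin; print
# "randomized" if more than one distinct range was seen, else "fixed".
aslr_verdict() {
    n=$(sort -u | grep -c .) || n=0
    if [ "$n" -gt 1 ]; then echo randomized; else echo fixed; fi
}

# sample_live: start N fresh processes and judge their libc ranges.
# A prelinked libc yields the same range every time, as in the report.
sample_live() {
    i=0
    while [ "$i" -lt "${1:-10}" ]; do
        cat /proc/self/maps | libc_text_range
        i=$((i + 1))
    done | aslr_verdict
}

# prelink_status: read PRELINKING= from /etc/sysconfig/prelink (assumed
# RHEL 6 path; another file may be passed for testing).
prelink_status() {
    f=${1:-/etc/sysconfig/prelink}
    [ -r "$f" ] || { echo no-config; return 0; }
    if grep -Eq '^PRELINKING=yes' "$f"; then echo enabled; else echo disabled; fi
}

# hint_to_hex: stap printed mmap's addr argument in decimal; show it as
# the hex start address that appears in /proc/self/maps.
hint_to_hex() {
    printf '%x\n' "$1"
}

# Constructed samples copied from the report's prelinked and un-prelinked runs.
FIXED_SAMPLE='3a57c00000-3a57d8a000
3a57c00000-3a57d8a000
3a57c00000-3a57d8a000'
RANDOM_SAMPLE='7f6e2dc92000-7f6e2de1c000
7f93198fd000-7f9319a87000
7f5c7d952000-7f5c7dadc000'

printf '%s\n' "$FIXED_SAMPLE"  | aslr_verdict   # fixed
printf '%s\n' "$RANDOM_SAMPLE" | aslr_verdict   # randomized
```

Running `sample_live 10` on the affected box gives "fixed" while prelink is enabled and "randomized" after `prelink -ua` and PRELINKING=no.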

Comment 6 Florian Weimer 2016-03-24 14:06:43 UTC
(In reply to Chunyu Hu from comment #5)
> (In reply to Florian Weimer from comment #3)
> > Please see this solution: https://access.redhat.com/solutions/93743
> 
> Thanks for the info, although I can't open it. After disabling prelink, the
> address is randomized. So this is just a configuration issue, which cost the
> two of us much time to reproduce / debug. How funny it is. Thanks so much.
> Is there anything more we can do for this? If not, please feel free to
> close this.

Thanks for confirming it's prelink.  This is expected for Red Hat Enterprise Linux 6, so I'm closing this bug.
