From: Dirk M. <dm...@gm...> - 2005-11-08 14:43:49
On Tuesday 08 November 2005 10:41, Tom Hughes wrote:
> The critical files to understand all this are mm/mprotect.c in the
> kernel and sysdeps/unix/sysv/linux/dl-execstack.c in glibc.
I've been looking at both for a while already :)
> If that mprotect fails with EINVAL then glibc falls back to doing a
> binary search
That's what the Red Hat glibc might do, yes. The plain FSF glibc 2.3.6 doesn't do
that:
  /* Newer Linux kernels support a flag to make our job easy.  */
#if defined PROT_GROWSDOWN || defined PROT_GROWSUP
# if __ASSUME_PROT_GROWSUPDOWN == 0
  static bool no_growsupdown;
  if (! no_growsupdown)
# endif
    {
      if (__builtin_expect (__mprotect ((void *) page, GLRO(dl_pagesize),
                                        __stack_prot) == 0, 1))
        goto return_success;
# if __ASSUME_PROT_GROWSUPDOWN == 0
      if (errno == EINVAL)
        no_growsupdown = true;
      else
# endif
        {
          result = errno;
          goto out;
        }
    }
#endif
where __ASSUME_PROT_GROWSUPDOWN is defined to 1 by default:
/* The PROT_GROWSDOWN/PROT_GROWSUP flags were introduced in the 2.6.0-test
   series.  */
#if __LINUX_KERNEL_VERSION >= 132609
# define __ASSUME_PROT_GROWSUPDOWN 1
#endif
This means that by default an unpatched glibc doesn't do the binary search you
described.
> reason - I have glibc 2.3.5 if that helps.
Using glibc 2.3.6 here.
> The attached patch seems to work for me - if it works for you as
> well then I guess we can go with it.
It crashes:
./test: error while loading shared libraries: libtest.so: cannot enable
executable stack as shared object requires: Invalid argument
==27757== Jump to the invalid address stated on the next line
==27757== at 0x46E: ???
==27757== by 0x400AD47: _dl_signal_error (in /lib/ld-2.3.5.so)
==27757== by 0x400A4AC: _dl_map_object_deps (in /lib/ld-2.3.5.so)
==27757== by 0x4001FAD: dl_main (in /lib/ld-2.3.5.so)
==27757== by 0x400E40E: _dl_sysdep_start (in /lib/ld-2.3.5.so)
==27757== by 0x4003731: _dl_start (in /lib/ld-2.3.5.so)
==27757== by 0x40007B6: (within /lib/ld-2.3.5.so)
==27757== Address 0x46E is not stack'd, malloc'd or (recently) free'd
==27757==
==27757== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==27757== Bad permissions for mapped region at address 0x46E
==27757== at 0x46E: ???
I'll try finding out what goes wrong.
Dirk
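The fallback Tom describes, written out as an added example that is not glibc's code: a wrapper that tries PROT_GROWSDOWN first, remembers an EINVAL the way glibc's no_growsupdown flag does, and retries without the flag. The mprotect implementation is injectable, and a constructed fake that answers PROT_GROWSDOWN with EINVAL stands in for whatever produced the "Invalid argument" in the loader error above; protect_stack_page, demo_fallback and the fake are names chosen here, not glibc's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/mman.h>
#ifndef PROT_GROWSDOWN
#define PROT_GROWSDOWN 0x01000000 /* Linux's value; only needed on non-Linux builds */
#endif

typedef int (*mprotect_fn)(void *addr, size_t len, int prot);

/* Set once the flag is known to be rejected, like glibc's static no_growsupdown. */
static int no_growsupdown = 0;

/* Try the PROT_GROWSDOWN shortcut first; on EINVAL remember that whoever answers
 * mprotect (the kernel, or a tool such as Valgrind in front of it) does not know
 * the flag, and fall back to a plain mprotect of the page. 0 on success, else errno. */
int protect_stack_page(mprotect_fn mp, void *page, size_t pagesize, int prot)
{
    if (!no_growsupdown) {
        if (mp(page, pagesize, prot | PROT_GROWSDOWN) == 0)
            return 0;
        if (errno != EINVAL)
            return errno;      /* genuine failure (e.g. ENOMEM): report it */
        no_growsupdown = 1;    /* flag unsupported: never try it again */
    }
    return mp(page, pagesize, prot) == 0 ? 0 : errno;
}

/* Constructed stand-in for a kernel/tool that answers PROT_GROWSDOWN with EINVAL. */
static int fake_calls;
static int fake_mprotect_no_growsdown(void *addr, size_t len, int prot)
{
    (void)addr; (void)len;
    fake_calls++;
    if (prot & PROT_GROWSDOWN) { errno = EINVAL; return -1; }
    return 0;
}

/* Run the fallback twice against the fake and report how many mprotect calls each
 * round took: two the first time (probe + retry), one afterwards. 0 if both succeed. */
int demo_fallback(int *first_round_calls, int *second_round_calls)
{
    static char page[4096] __attribute__((aligned(4096)));  /* constructed "stack page" */
    int prot = PROT_READ | PROT_WRITE;
    no_growsupdown = 0; fake_calls = 0;
    int r1 = protect_stack_page(fake_mprotect_no_growsdown, page, sizeof page, prot);
    *first_round_calls = fake_calls; fake_calls = 0;
    int r2 = protect_stack_page(fake_mprotect_no_growsdown, page, sizeof page, prot);
    *second_round_calls = fake_calls;
    return (r1 == 0 && r2 == 0) ? 0 : -1;
}
```

Passing the real mprotect instead of the fake turns demo_fallback's first round into the same probe glibc performs on a stack page; with __ASSUME_PROT_GROWSUPDOWN set to 1 the retry branch is simply not compiled in.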