Subject: bug#68961: ASLR seems to be partially broken
From: Liliana Marie Prikler
To: Jonathan Brielmaier, 68961@debbugs.gnu.org
Date: Thu, 08 Feb 2024 09:50:49 +0100
In-Reply-To: <9d2a36ae-983d-44a2-94f7-8e6aff389a05@web.de>
References: <9d2a36ae-983d-44a2-94f7-8e6aff389a05@web.de>
List-Id: Bug reports for GNU Guix
On Tuesday, 06.02.2024 at 23:57 +0100, Jonathan Brielmaier wrote:
> Hi,
> 
> I found today an interesting blog post about broken ASLR (Address Space
> Layout Randomization) on Linux:
> https://zolutal.github.io/aslrnt/
> 
> Curious if this is also a problem on Guix System I did a quick test.
> 
> ```
> $ cat aslr.py
> from subprocess import check_output
>
> # OR the libc base of 1000 fresh processes: a bit ends up set if it was
> # set in any run, so bits that never vary show up as zero.
> result = 0x0
> for _ in range(0, 1000):
>     out = check_output("cat /proc/self/maps | grep libc | head -n1",
>                        shell=True).decode()
>     base_address = int(out.split('-')[0], 16)
>     result |= base_address
> print('libc: ' + hex(result))
> 
> # Same for the dynamic loader.
> resultld = 0x0
> for _ in range(0, 1000):
>     out = check_output("cat /proc/self/maps | grep ld-linux | head -n1",
>                        shell=True).decode()
>     base_address = int(out.split('-')[0], 16)
>     resultld |= base_address
> print('ld-linux: ' + hex(resultld))
> ```
> 
> Running this on x86_64 systems of mine results on two systems in:
> libc: 0x7ffffffa9000
> ld-linux: 0x7ffffffff000
> 
> On the third system it prints:
> libc: 0x7ffffffff000
> ld-linux: 0x7ffffffff000
On my machine, this also prints 0x7ffffffff000.  Perhaps 1000 runs are not good enough to get truly random results with some RNGs.
Note that we do have 51 bits of randomness here – perhaps not ideal, but afaik the best we can do without breaking alignment.
> For 32-bit it looks even worse (not sure if it's correct to test it like
> this):
> $ guix shell --system=i686-linux coreutils python -- python3 aslr.py
> libc: 0xf7800000
> ld-linux: 0xf7fff000
> 
> Not sure what we should do here.  There seems to be a kernel patch
> for Ubuntu available:
For 32 bit, try
```
from subprocess import check_output

# AND the libc base of 1000 fresh processes: a bit survives only if it
# was set in every run, so the result is the part of the address that
# never changes.
result = 0xffffffff
for _ in range(0, 1000):
    out = check_output("cat /proc/self/maps | grep libc | head -n1",
                       shell=True).decode()
    base_address = int(out.split('-')[0], 16)
    result &= base_address
print('libc: ' + hex(result))

# Same for the dynamic loader.
resultld = 0xffffffff
for _ in range(0, 1000):
    out = check_output("cat /proc/self/maps | grep ld-linux | head -n1",
                       shell=True).decode()
    base_address = int(out.split('-')[0], 16)
    resultld &= base_address
print('ld-linux: ' + hex(resultld))
```
instead.  I get 0xf7c00000 for libc and 0xf7e00000 – meaning that the first nibble is always the same, but more importantly, these are also the addresses you'd get on each run.  So I'm pretty sure that ASLR'nt applies to our 32-bit builds.

Since this is a known bug in the Linux kernel, I'd like to check whether there's a fix we can backport.  We could of course also patch our config aux-files like Ubuntu does in the meantime.

Cheers
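The two scripts in this thread each look at one mask: the OR tells you which bits were ever set, the AND which bits were always set. Combining both gives the answer the thread is really after, namely how many bits actually moved and what alignment the kernel forced on the mapping. The following is an added example written for this thread, not the bug report's script and not Guix code; the store paths in the constructed maps sample, the function names, and the `"/libc.so"` / `"/ld-linux"` needles (which assume glibc's file names) are mine. It also replaces `grep libc | head -n1` with a parser that matches on the path column only, so a library such as libcrypto cannot be mistaken for libc.

```python
"""Count the address bits that actually vary between runs of a process.

Added example for the ASLR discussion; not from the bug report or Guix.
The XOR of the OR mask (bits ever set) and the AND mask (bits always
set) is exactly the set of bits that moved between runs, and the lowest
set bit of the OR mask is the alignment the kernel imposed on the
mapping: bit 12 for an ordinary 4 KiB-aligned mapping, bit 21 for the
2 MiB-aligned case the ASLRn't post describes.
"""
import re
import subprocess
import sys

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Constructed sample in /proc/self/maps format; the store paths are made up.
SAMPLE_MAPS = """\
5643a1c00000-5643a1c02000 r--p 00000000 08:01 1234 /gnu/store/xxx-bash-5.1/bin/bash
7f1234a00000-7f1234a28000 r--p 00000000 08:01 5678 /gnu/store/xxx-glibc-2.35/lib/libc.so.6
7f1234a28000-7f1234bbd000 r-xp 00028000 08:01 5678 /gnu/store/xxx-glibc-2.35/lib/libc.so.6
7f1234c00000-7f1234c02000 r--p 00000000 08:01 9012 /gnu/store/xxx-glibc-2.35/lib/ld-linux-x86-64.so.2
7ffff7fc3000-7ffff7fc5000 r-xp 00000000 00:00 0 [vdso]
"""


def first_base(maps_text, needle):
    """Start address of the first mapping whose path contains `needle`.

    Matching only the path column avoids the pitfall of `grep libc`,
    which also matches unrelated libraries such as libcrypto.
    """
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and needle in m.group(3):
            return int(m.group(1), 16)
    raise LookupError(f"no mapping matching {needle!r}")


def summarize(bases):
    """Reduce observed base addresses to fixed bits, moving bits and alignment.

    `varying_bits` is an upper bound on the entropy: it counts bits that
    ever changed, not how uniformly they were distributed.
    """
    if not bases:
        raise ValueError("need at least one sample")
    or_mask = 0
    and_mask = bases[0]
    for b in bases:
        or_mask |= b   # set if the bit was set in any run
        and_mask &= b  # set only if the bit was set in every run
    varying = or_mask & ~and_mask
    # Lowest set bit of the OR mask: no sample ever had anything below it.
    alignment_bits = (or_mask & -or_mask).bit_length() - 1
    return {
        "or_mask": or_mask,
        "and_mask": and_mask,
        "varying_mask": varying,
        "varying_bits": bin(varying).count("1"),
        "alignment_bits": alignment_bits,
    }


def sample(needle, runs=1000):
    """Exec a fresh `cat /proc/self/maps` `runs` times (each exec gets a
    new layout) and collect the base of the mapping matching `needle`."""
    return [
        first_base(subprocess.check_output(["cat", "/proc/self/maps"]).decode(), needle)
        for _ in range(runs)
    ]


def demo():
    """Constructed bases: the first set is 2 MiB aligned, the second 4 KiB."""
    huge = [0x7F1234A00000, 0x7F5678C00000, 0x7F00FF000000]
    page = [0x7F1234A6B000, 0x7F5678C01000, 0x7F00FF0FF000]
    return summarize(huge), summarize(page)


if __name__ == "__main__":
    for label, s in zip(("2 MiB-aligned sample", "4 KiB-aligned sample"), demo()):
        print(f"{label}: {s['varying_bits']} varying bits, aligned to 2^{s['alignment_bits']}")
    if sys.platform.startswith("linux"):
        runs = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
        # Needles assume glibc's file names; adjust for another libc.
        for needle in ("/libc.so", "/ld-linux"):
            s = summarize(sample(needle, runs))
            print(f"{needle}: or={s['or_mask']:#x} and={s['and_mask']:#x} "
                  f"{s['varying_bits']} varying bits, aligned to 2^{s['alignment_bits']}")
```

Run it as `python3 aslr_bits.py 1000` on the host and again under `guix shell --system=i686-linux coreutils python -- python3 aslr_bits.py 1000`; an `alignment_bits` of 21 on x86_64, or a `varying_bits` of 0 on i686, is the reduced-entropy behaviour the thread is worried about, while the OR and AND masks alone would only show it indirectly.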