This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/23323] [RFE] CSU startup hardening.


https://sourceware.org/bugzilla/show_bug.cgi?id=23323

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
What I don't understand here is why moving the code to libc.so.6 helps. 
Wouldn't glibc then contain a very similar sequence?  Certainly you'll need
another round of probing to find the base address of glibc, but then you'd be
in the same situation again.

We have looked at this code in an entirely different context (because it's
compiled with different hardening flags compared to the main executable), so
moving it may make sense, but it will make it impossible to run *any* binaries
compiled against a newer glibc on an older glibc.

The actual ASLR bypass seems to be due to the forking server not re-execve-ing
itself after it observes a couple of crashing child processes.  That allows you
to learn the stack canary and base addresses for the executable and likely some
of its libraries as well (and due to the constant offsets between libraries,
that gives you the address of all libraries).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
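The mitigation the comment points at, a forking parent that re-execs itself once it has observed crashing children so the next children get a fresh canary and fresh base addresses, sketched as an added example in C. It is not glibc code nor code from the bug report; CRASH_THRESHOLD and the /proc/self/exe re-exec path are assumptions.

```c
/* Added example, not glibc code: the crash-accounting part of a forking
 * server's parent loop, which re-execs itself after observing crashed
 * children so that repeated canary/address probing does not get unlimited
 * attempts against one fixed memory layout. */
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define CRASH_THRESHOLD 3   /* assumed policy: re-exec after this many crashes */

/* 1 if a wait(2) status means the child died of a crash-like signal
 * (SIGABRT included: __stack_chk_fail aborts on a corrupted canary). */
int child_crashed(int status)
{
    if (!WIFSIGNALED(status))
        return 0;
    switch (WTERMSIG(status)) {
    case SIGSEGV: case SIGBUS: case SIGILL: case SIGABRT:
        return 1;
    default:
        return 0;
    }
}

/* Count crashes across children; returns 1 when the parent should re-exec
 * so the next children get a fresh canary and fresh ASLR base addresses. */
int should_reexec(int status, int *crashes)
{
    if (child_crashed(status) && ++*crashes >= CRASH_THRESHOLD) {
        *crashes = 0;
        return 1;
    }
    return 0;
}

/* Re-exec the running program image (Linux-specific path, an assumption).
 * Only returns on failure; the caller decides whether to exit or keep serving. */
void reexec_self(char **argv)
{
    execv("/proc/self/exe", argv);
    perror("execv");
}
```

In the parent's accept/fork loop, pass each child's waitpid status to should_reexec and call reexec_self when it returns 1; a normal exit or SIGTERM never counts toward the threshold.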
