ASLR sometimes stops working on Vista with 1.7? [was: Re: Cygwin 1.7 release (was ...)]

Charles Wilson cygwin@cwilson.fastmail.fm
Sun Jun 7 12:42:00 GMT 2009


Corinna Vinschen wrote:
> The structure is allocated right after the space occupied by the DLL
> itself, using VirtualAlloc.  I changed the struct layout so that the
> size depends on the length of the pathname to the DLL.  In most, if not
> all cases this will fit into a single 4K page.
...
> However, in most cases the DLL itself will not occupy the
> entire 64K slot, but one or more 4K pages are left free, which will
> never be used while the application is running.

So, while the following are probably not practical concerns, there are
still a few failure modes, correct?

1) if the ImageSize of the DLL is between N*64k-4k+1 and N*64k, the next
4k page allocated for the struct will again clobber the next DLL's ImageBase

2) if the length of the actual pathname to the DLL is more than 2k wide
characters (e.g. 4k bytes) then issue #1 is made increasingly likely,
because the "dangerous DLL size" becomes N*64k-M*4k+1 .. N*64k, with
1<M<=16.  Once the pathname to the DLL gets to be near 32k wide chars
(e.g. M=16, for 64k bytes in the struct) then the new solution devolves
to the status quo ante.

3) This new solution can never work properly for WOW64

However, for all *three* issues, the workaround exists to simply rebase
with -o 0x20000. [*] I think this issue should go in the 1.7 FAQ --
along with a mention of the three remaining failure modes and the brute
force 0x20000 workaround.

[*] This still doesn't ALWAYS solve the theoretical problem, but should
be a decent practical workaround, even for 1), 2) and 3), even if you're
already so unlucky that Corinna's new solution doesn't work for you.
First, 0x20000 only helps for very small DLLs -- fortunately, they cause
this problem most often. Second, the struct, if it needs to contain an
entire 64k byte (32k word) path, then it needs/uses slightly more than
64k bytes itself -- so you need to bump 0x20000 up another 64k.  But
this would almost never happen, and the cost is prohibitive: all tiny
DLLs now take up almost 3x as much memory -- 192k vs. < 64k -- as they
ordinarily would.  As Yaakov showed, this almost guarantees that you'd
run out of acceptable rebase addresses.

> I tested this change on XP 32 bit, 2K8 32 bit, W7 32 bit, and W7 64 bit,
> by running `cygport automake1.11 compile' and a subsequent `make check',
> which uses perl (and thus run-time loaded DLLs) a lot.

Hallelujah!

--
Chuck
