Possibly a bug in glibc around the getrandom(2) implementation.

Marcin Mielniczuk marmistrz.dev@zoho.eu
Mon Jul 17 10:20:00 GMT 2017 

I decided to start printing the rsp to the stdout, in the following way:
                     register unsigned long rsp asm("rsp");
                     printf("rsp is %p\n", (void*) rsp);

This time, it appeared that the regions are completely contained in the 
stack but the stack pointer is totally out of the stack, because it's 
always: 0x7ffc6fbc5700. In the dumped memory map:

                     7ffd21f80000-7ffd21fa1000 rw-p 00000000 00:00 
0                          [stack]

while the buffers are 7ffd21f9[c910-d2d0] and 7ffd21f9[c1a0-cb60]. And 
even after removing the printf, the buffers are completely inside the 
stack. I don't know why they previously weren't.

On the other hand, it appears that any file descriptor operation (but 
not printing the rsp!! this changes nothing) magically "fixes" the bug. 
I discovered it while doing `system("cat /proc/<PID>/maps")`, but it's 
enough to do a successful `open` or `socket` call
Successful, that's important. Opening a nonexistent file is no fix!

I managed to attach gdb using the following trick:

                     register unsigned long rsp asm("rsp");
                     printf("rsp is %p\n", (void*) rsp);
                     if (n == 1) {
                         kill(pid, SIGSTOP);
                         ptrace(PTRACE_DETACH, pid, 0, 0);
                     }

                     n++;

While the std output was:

         getrandom request: 0x00007fa6516d49a0 0x00007fa6516d49b8
         rsp is 0x7fff6a96fd60
         getrandom request: 0x00007ffe70e43e90 0x00007ffe70e44850
         rsp is 0x7fff6a96fd60

the gdb reported a lower stack pointer:

         rsp            0x7ffe70e436b8    0x7ffe70e436b8

It's lower than our buffer address, which is ok. Looks like something 
else is smashing the stack...

On 14.07.2017 17:24, Carlos O'Donell wrote:
> On 07/14/2017 11:04 AM, Marcin Mielniczuk wrote:
>> On the other hand, the error I'm experiencing happens only if I'm
>> overwriting memory with PTRACE_POKEUSER and gdb won't load a
>> scriptable file with a shebang. Should I simply print the RSP
>> register in my C utility before overwriting the buffer?
> That is a good idea. Likewise you can try to reduce your problem to
> something you _can_ debug, for example if you can deatch your tracer
> and leave the program in a loop, then you can attach gdb and inspect
> the state.
>

More information about the Libc-help mailing list