[Bug ld/30877] New: [BUG][RISCV]relro protection not working in riscv
From: akhilesh.k at samsung dot com
Subject: [Bug ld/30877] New: [BUG][RISCV]relro protection not working in riscv
Date: Fri, 22 Sep 2023 04:28:11 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=30877
Bug ID: 30877
Summary: [BUG][RISCV]relro protection not working in riscv
Product: binutils
Version: 2.40
Status: NEW
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: akhilesh.k at samsung dot com
Target Milestone: ---
The linker issue below was reported in gcc:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111518
> Andreas Schwab 2023-09-21 13:21:49 UTC
> That's a linker bug, please report to https://sourceware.org/bugzilla/.
================================================================================
The -z,relro and/or -z,now flags are not working on the riscv arch.
The address of printf is overwritten with the custom address passed as an argument, but it
is expected to be read-only when full RELRO protection is enabled.
Test code to reproduce (test_relro.c):
-----------------------------------------------
#include <stdio.h>
#include <stdlib.h>

/* Writes a marker value to the address given on the command line (hex),
 * then calls printf. If that address is printf's GOT slot and RELRO is
 * effective, the store must fault before printf is ever reached. */
int main(int argc, char *argv[])
{
    if (argc < 2)
        return 1;
    size_t *p = (size_t *) strtol(argv[1], NULL, 16);
    p[0] = 0xdeadbeef;
    printf("RELRO: %p\n", (void *) p);
    return 0;
}
-----------------------------------------------
Steps to reproduce:
1. Turn off ASLR:
echo 0 > /proc/sys/kernel/randomize_va_space
2. Compile with the -z,relro,-z,now flags:
gcc -g -Wl,-z,relro,-z,now -O0 -o test_partial test_relro.c
3. Check the printf address in the GOT:
sattdeepan@sri-9052:~$ objdump -R test_partial | grep printf
0000000000012020 R_RISCV_JUMP_SLOT printf@GLIBC_2.27
4. Run with gdb:
gdb -q test_partial
5. Get the load address of the printf function:
<base address of main> - <main offset> + <printf offset in GOT>
0x10586 - 0x10586 + 0x12020 ==> 0x12020
6. Pass the load address of main as the argument:
gdb-peda$ r 0x12020
Starting program: /home/user/test_full_riscv 0x12020
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/riscv64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
Warning: 'set logging off', an alias for the command 'set logging enabled', is
deprecated.
Use 'set logging enabled off'.
Warning: 'set logging on', an alias for the command 'set logging enabled', is
deprecated.
Use 'set logging enabled on'.
0x00000000deadbeee in ?? () ====> the address of printf was overwritten with the custom
address passed as an argument, but it is expected to be read-only
gdb-peda$
================================================================================
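The report finds the bug by hand: read the GOT slot address out of `objdump -R`, then write to it at run time and see whether the process faults. The same question can be answered statically by checking whether that slot falls inside the binary's PT_GNU_RELRO segment, which is the range the dynamic loader mprotects read-only after relocation. The script below is an added example, not code from the bug report, binutils or glibc. It parses ELF64 little-endian program headers with nothing but `struct`, and it assumes 4 KiB pages and the glibc loader's behaviour of rounding both ends of the RELRO range down to a page boundary before calling mprotect, so a RELRO segment that ends mid-page leaves its last partial page writable. The three ELF images it checks are constructed header-only samples (no code, no sections), built to show the three outcomes; the slot address 0x12020 is the one from the report's `objdump -R` output.

```python
import struct

PT_LOAD = 1
PT_GNU_RELRO = 0x6474E552
PF_R, PF_W = 4, 2
PAGE_SIZE = 4096            # assumption: 4 KiB pages, as on riscv64 Linux
PHDR_FMT = "<IIQQQQQQ"      # Elf64_Phdr, little-endian: type, flags, offset,
                            # vaddr, paddr, filesz, memsz, align


def parse_phdrs(data):
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags,
                      "vaddr": p_vaddr, "memsz": p_memsz})
    return phdrs


def effective_relro_range(phdr):
    """Range the loader actually makes read-only (assumption: both ends are
    rounded down to PAGE_SIZE, as glibc's _dl_protect_relro does)."""
    start = phdr["vaddr"] - phdr["vaddr"] % PAGE_SIZE
    end_raw = phdr["vaddr"] + phdr["memsz"]
    end = end_raw - end_raw % PAGE_SIZE
    return start, end


def classify_got_slot(data, slot_addr):
    """Say whether a GOT slot (e.g. the R_RISCV_JUMP_SLOT address from
    objdump -R) is protected by the image's PT_GNU_RELRO segment."""
    relro = [p for p in parse_phdrs(data) if p["type"] == PT_GNU_RELRO]
    if not relro:
        return "no PT_GNU_RELRO"
    for p in relro:
        if p["vaddr"] <= slot_addr < p["vaddr"] + p["memsz"]:
            start, end = effective_relro_range(p)
            return "covered" if start <= slot_addr < end else "unprotected tail"
    return "outside PT_GNU_RELRO"


# --- constructed sample images (headers only, no code or sections) ---------

def phdr(p_type, flags, vaddr, memsz):
    # offset = vaddr and filesz = memsz are placeholders; only type, vaddr and
    # memsz matter to the check above.
    return (p_type, flags, vaddr, vaddr, vaddr, memsz, memsz, 0x1000)


def build_elf(phdrs):
    """Build a minimal ELF64 LE image: header followed by the given phdrs.
    e_machine 243 is EM_RISCV; e_entry mirrors the main address in the report."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 243, 1, 0x10586,
                               64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


GOT_PRINTF_SLOT = 0x12020   # R_RISCV_JUMP_SLOT printf, from the report's objdump -R
RW_LOAD = phdr(PT_LOAD, PF_R | PF_W, 0x11E00, 0x1200)
# RELRO reaches a page boundary past the slot: the slot is read-only at run time.
SAMPLE_OK = build_elf([RW_LOAD, phdr(PT_GNU_RELRO, PF_R, 0x11E00, 0x1200)])
# RELRO stops at 0x12000, before the .got.plt slot: the slot stays writable.
SAMPLE_SHORT = build_elf([RW_LOAD, phdr(PT_GNU_RELRO, PF_R, 0x11E00, 0x200)])
# RELRO nominally includes the slot but ends mid-page at 0x12040: after the
# loader rounds the end down to 0x12000 the slot is still writable.
SAMPLE_TAIL = build_elf([RW_LOAD, phdr(PT_GNU_RELRO, PF_R, 0x11E00, 0x240)])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python relro_check.py <elf-file> <got-slot-address-hex>
        with open(sys.argv[1], "rb") as f:
            print(classify_got_slot(f.read(), int(sys.argv[2], 16)))
    else:
        for name, img in (("ok", SAMPLE_OK), ("short", SAMPLE_SHORT),
                          ("tail", SAMPLE_TAIL)):
            print(f"{name:6} slot {GOT_PRINTF_SLOT:#x}: {classify_got_slot(img, GOT_PRINTF_SLOT)}")
```

Run against a real binary, the script only needs the slot address from `objdump -R` and the file; "outside PT_GNU_RELRO" is the static signature of what the report observes at run time, while "unprotected tail" is the page-alignment case that `readelf -l` alone does not make obvious. Full RELRO additionally requires DT_BIND_NOW (or DF_BIND_NOW in DT_FLAGS) in the dynamic section so that every GOT entry is resolved before the range is sealed; that part of the check is not implemented here.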