
Can't disable ASLR

Posted: Wed Jun 15, 2011 5:46 am
by Hakril
Hello

I use Grsecurity and I like it.
However, I have a problem with ASLR and PT_PAX_FLAGS: I can't totally disable ASLR on a program.
For example: I disable all the flags on a dummy program (that just shows the address of a buffer on the stack),
and then the buffer is still moving, with an address of this kind: 0xbffffxx8

Is there a way to totally disable ASLR just for one program? (without using randomize_va_space)

Thank you
Hakril

Re: Can't disable ASLR

Posted: Wed Jun 15, 2011 6:50 am
by PaX Team
Hakril wrote: Is there a way to totally disable ASLR just for one program? (without using randomize_va_space)
PT_PAX_FLAGS controls only the randomization provided by PaX itself, it doesn't control the randomization present in vanilla kernels. for the latter you'll need to enable the ADDR_NO_RANDOMIZE personality flag (setarch -R). as a sidenote, randomize_va_space disables both kinds of randomizations.
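An added diagnostic (not code from the thread) that does what Hakril's dummy program did and then re-executes itself with ADDR_NO_RANDOMIZE set, which is what `setarch -R` does: it prints the randomize_va_space sysctl, whether the personality flag is set, and the address of a stack buffer. Run it a few times: on a vanilla kernel the second-stage address is stable, while on a kernel with CONFIG_PAX_RANDUSTACK its low bits keep changing, which is the behaviour the rest of the thread explains. The environment variable ASLR_PROBE_STAGE_ is this example's own recursion guard, not anything the kernel or setarch uses.

```c
/* Added example, not from the thread: probe the vanilla ASLR controls and the
 * stack address, then re-exec once with ADDR_NO_RANDOMIZE like setarch -R. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

/* Pure helper: does a persona value carry the ADDR_NO_RANDOMIZE bit? */
int persona_has_no_randomize(unsigned long persona)
{
    return (persona & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

/* Map /proc/sys/kernel/randomize_va_space to its documented meaning. */
const char *describe_randomize_va_space(int value)
{
    switch (value) {
    case 0:  return "0: randomization disabled";
    case 1:  return "1: stack, mmap base and VDSO randomized";
    case 2:  return "2: as 1, plus brk randomized";
    default: return "unknown value";
    }
}

/* Read the sysctl; returns -1 if it cannot be read (no /proc, no permission). */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int value = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Address of a buffer on the current stack, returned as an integer so the
 * caller can compare runs; this is the number Hakril's dummy program printed. */
unsigned long stack_buffer_address(void)
{
    volatile char buf[64];
    buf[0] = 0;                       /* keep the buffer live */
    return (unsigned long)(uintptr_t)buf;
}

/* Set ADDR_NO_RANDOMIZE on the current process. Returns 1 if the flag is now
 * set, 0 if the kernel or a seccomp filter refused it (errno is preserved). */
int set_no_randomize(void)
{
    int cur = personality(0xffffffff);        /* query without changing */
    if (cur == -1)
        return 0;
    if (personality((unsigned long)cur | ADDR_NO_RANDOMIZE) == -1)
        return 0;
    return persona_has_no_randomize((unsigned long)personality(0xffffffff));
}

int main(int argc, char **argv)
{
    (void)argc;
    int cur = personality(0xffffffff);
    printf("randomize_va_space: %s\n",
           describe_randomize_va_space(read_randomize_va_space()));
    printf("ADDR_NO_RANDOMIZE set: %s\n",
           persona_has_no_randomize((unsigned long)cur) ? "yes" : "no");
    printf("stack buffer at %#lx\n", stack_buffer_address());

    /* Second stage: re-exec ourselves once with the flag set, as setarch -R
     * does. ASLR_PROBE_STAGE_ is this example's guard against looping. */
    if (getenv("ASLR_PROBE_STAGE_") == NULL) {
        if (!set_no_randomize()) {
            fprintf(stderr, "personality(ADDR_NO_RANDOMIZE) failed: %s\n",
                    strerror(errno));
            return 1;
        }
        setenv("ASLR_PROBE_STAGE_", "2", 1);
        execv("/proc/self/exe", argv);
        perror("execv");
        return 1;
    }
    return 0;
}
```

The persona is inherited across execve, so the second stage sees the flag without any further call; the personality query uses the 0xffffffff argument documented for reading the current value without modifying it.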

Re: Can't disable ASLR

Posted: Wed Jun 15, 2011 8:49 am
by Hakril
PaX Team wrote: for the latter you'll need to enable the ADDR_NO_RANDOMIZE personality flag (setarch -R).

Thank you for your answer.
But the problem is that "setarch -R" doesn't have any effect on my grsecurity-patched kernel, whereas it works very well on my standard kernel.

Re: Can't disable ASLR

Posted: Wed Jun 15, 2011 9:51 am
by PaX Team
Hakril wrote: But the problem is that "setarch -R" doesn't have any effect on my grsecurity-patched kernel, whereas it works very well on my standard kernel.
doh, i just remembered, setarch works fine, but it's PaX which randomizes the stack pointer in two separate steps and one of them cannot be controlled except by randomize_va_space because at that point the new personality hasn't been established yet and using the current one is dangerous (it'd be possible to run suid programs without this randomization) nor do we have access to PT_PAX_FLAGS this early.

Re: Can't disable ASLR

Posted: Thu Jan 14, 2016 9:06 pm
by aurelf
PaX Team wrote:
Hakril wrote: But the problem is that "setarch -R" doesn't have any effect on my grsecurity-patched kernel, whereas it works very well on my standard kernel.
doh, i just remembered, setarch works fine, but it's PaX which randomizes the stack pointer in two separate steps and one of them cannot be controlled except by randomize_va_space because at that point the new personality hasn't been established yet and using the current one is dangerous (it'd be possible to run suid programs without this randomization) nor do we have access to PT_PAX_FLAGS this early.


Hi,

PaX Team, could you point me to that early randomization code? I'm trying to deactivate it but I can't find the place where it is done... This is for security exercises with growing difficulty; suid is not a problem in my case.

Thanks,
Aurelf

Re: Can't disable ASLR

Posted: Sat Jan 16, 2016 7:44 am
by PaX Team
it's the hunk in fs/exec.c:__bprm_mm_init under CONFIG_PAX_RANDUSTACK.
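To make the two-step explanation above concrete, here is an added user-space model (not code from the thread or from the PaX sources) of the two stack-randomization steps PaX Team describes, built from the operations in fs/exec.c:__bprm_mm_init (the sub-page xor under CONFIG_PAX_RANDUSTACK) and fs/binfmt_elf.c:randomize_stack_top (the page-granular shift gated on PF_RANDOMIZE). The page geometry, the STACK_RND_MASK width and the single STACK_TOP value are this example's assumptions, and the "random" inputs are constructed constants so the result can be checked by hand. The point it shows: the early xor survives the later page-aligned shift, so `setarch -R` (ADDR_NO_RANDOMIZE) removes only the page-granular part and the low digits keep moving, while randomize_va_space = 0 removes both.

```c
/* Added example, not from the thread or from PaX: a model of the two stack
 * randomization steps. Page geometry and the mask width are assumptions. */
#include <stdio.h>

#define PG_SHIFT 12
#define PG_SIZE  (1UL << PG_SHIFT)
#define PG_MASK  (~(PG_SIZE - 1))
#define ASSUMED_STACK_RND_MASK 0x7ffUL  /* assumed width of the page-granular step */

/* Step 1: fs/exec.c:__bprm_mm_init under CONFIG_PAX_RANDUSTACK. The initial
 * stack pointer has its sub-page bits xor-ed with random bits. This runs
 * before the new personality exists, so ADDR_NO_RANDOMIZE cannot switch it
 * off; only randomize_va_space == 0 (or not building the option) does. */
unsigned long step1_randustack(unsigned long p, unsigned long rnd,
                               int randomize_va_space, int pax_randustack)
{
    if (pax_randustack && randomize_va_space)
        p ^= rnd & ~PG_MASK;
    return p;
}

/* Step 2: fs/binfmt_elf.c:randomize_stack_top. The stack top moves down by a
 * random whole number of pages, but only when PF_RANDOMIZE is set, which
 * load_elf_binary does only if ADDR_NO_RANDOMIZE is clear and
 * randomize_va_space is non-zero. This is the half that setarch -R controls. */
unsigned long step2_randomize_stack_top(unsigned long stack_top, unsigned long rnd,
                                        int addr_no_randomize, int randomize_va_space)
{
    int pf_randomize = !addr_no_randomize && randomize_va_space;
    unsigned long random_variable = 0;
    if (pf_randomize) {
        random_variable = rnd & ASSUMED_STACK_RND_MASK;
        random_variable <<= PG_SHIFT;
    }
    /* PAGE_ALIGN(stack_top) - random_variable */
    return ((stack_top + PG_SIZE - 1) & PG_MASK) - random_variable;
}

/* Combine the steps the way exec does (simplified to one STACK_TOP value).
 * The temporary stack page is built ending at stack_top, step 1 perturbs the
 * pointer inside that page, and setup_arg_pages later shifts the page down to
 * the top chosen by step 2. The shift is page-granular, so the sub-page bits
 * from step 1 survive it. */
unsigned long model_final_stack_pointer(unsigned long stack_top,
                                        unsigned long rnd1, unsigned long rnd2,
                                        int addr_no_randomize, int randomize_va_space,
                                        int pax_randustack)
{
    unsigned long p = stack_top - sizeof(void *);        /* bprm->p in __bprm_mm_init */
    p = step1_randustack(p, rnd1, randomize_va_space, pax_randustack);
    unsigned long top = step2_randomize_stack_top(stack_top, rnd2,
                                                  addr_no_randomize, randomize_va_space);
    unsigned long stack_shift = stack_top - top;         /* vma->vm_end - stack_top */
    return p - stack_shift;                              /* bprm->p -= stack_shift */
}

int main(void)
{
    const unsigned long top = 0xc0000000UL;                    /* constructed 32-bit style STACK_TOP */
    const unsigned long r1 = 0x12345678UL, r2 = 0x9abcdef0UL;  /* constructed "random" inputs */
    printf("%-40s %#lx\n", "vanilla kernel, ASLR on:",
           model_final_stack_pointer(top, r1, r2, 0, 2, 0));
    printf("%-40s %#lx\n", "vanilla kernel, setarch -R:",
           model_final_stack_pointer(top, r1, r2, 1, 2, 0));
    printf("%-40s %#lx\n", "PaX RANDUSTACK, setarch -R:",
           model_final_stack_pointer(top, r1, r2, 1, 2, 1));
    printf("%-40s %#lx\n", "PaX RANDUSTACK, randomize_va_space=0:",
           model_final_stack_pointer(top, r1, r2, 0, 0, 1));
    return 0;
}
```

With the constructed inputs, the "setarch -R on PaX" row differs from the unrandomized pointer only in its low 12 bits, which is the 0xbffffxx8-style movement reported at the top of the thread.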

Re: Can't disable ASLR

Posted: Mon Jan 18, 2016 6:34 pm
by aurelf
Thanks.
For the record, here is an ugly patch that deactivates half of the stack randomization for all programs
(which actually seems easier in this case) and makes the rest controlled by paxctl. The result is good for my purpose,
and I leave it here in case it could be useful to someone else (who hopefully understands that this patch has
no other point than actually reducing the security of the system...).

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index be797cf..c22cfad 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1016,7 +1016,8 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
 #endif
 
    if ((current->flags & PF_RANDOMIZE) &&
-      !(current->personality & ADDR_NO_RANDOMIZE)) {
+      !(current->personality & ADDR_NO_RANDOMIZE)
+           && current->mm->pax_flags & MF_PAX_RANDMMAP) {
       random_variable = (unsigned long) get_random_int();
       random_variable &= STACK_RND_MASK;
       random_variable <<= PAGE_SHIFT;
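Review bot: the added `&& current->mm->pax_flags & MF_PAX_RANDMMAP` test in randomize_stack_top is redundant with the load_elf_binary hunk, which already refuses to set PF_RANDOMIZE unless that same flag is present, and this function already requires `current->flags & PF_RANDOMIZE`; it also does nothing about the RANDUSTACK step, which runs earlier in __bprm_mm_init. Drop the hunk, or if it is kept, write the bitwise test as `(current->mm->pax_flags & MF_PAX_RANDMMAP)` and keep the `&&` at the end of the preceding line, which is the style of the two lines above it. It is also worth a comment that a flag named for mmap randomization is being reused to gate stack randomization, since a reader of the final code will not expect that; and unlike the fs/exec.c hunk this code is not under any CONFIG_PAX_* guard, so if pax_flags and MF_PAX_RANDMMAP only exist when the PaX ASLR options are configured, the build needs the same kind of guard here.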
@@ -1282,7 +1283,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
    if (elf_read_implies_exec(loc->elf_ex, executable_stack))
       current->personality |= READ_IMPLIES_EXEC;
 
-   if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
+   if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space
+       && current->mm->pax_flags & MF_PAX_RANDMMAP)
       current->flags |= PF_RANDOMIZE;
 
    setup_new_exec(bprm);
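Review bot: gating PF_RANDOMIZE on MF_PAX_RANDMMAP changes more than the stack, because PF_RANDOMIZE is the process-wide flag for the vanilla randomization; a binary with RANDMMAP cleared via paxctl now loses everything PF_RANDOMIZE controls, and the kernel-wide randomize_va_space sysctl is effectively overridden per binary. If that is the intended scope it should be stated in the commit message; if only the stack is meant, the check belongs on the stack path rather than on the flag. Style: parenthesize `(current->mm->pax_flags & MF_PAX_RANDMMAP)` and put the `&&` at the end of the previous line to match `&& randomize_va_space` just above it.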
diff --git a/fs/exec.c b/fs/exec.c
index 122301f..5a26c33 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -322,11 +322,6 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
    up_write(&mm->mmap_sem);
    bprm->p = vma->vm_end - sizeof(void *);
 
-#ifdef CONFIG_PAX_RANDUSTACK
-   if (randomize_va_space)
-      bprm->p ^= prandom_u32() & ~PAGE_MASK;
-#endif
-
    return 0;
 err:
    up_write(&mm->mmap_sem);
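Review bot: deleting the CONFIG_PAX_RANDUSTACK block removes the early sub-page randomization for every exec, suid binaries included, which is exactly the case the earlier reply gave as the reason this step cannot follow the personality; after this hunk there is nothing left here for paxctl or randomize_va_space to control. Since the block is already fenced by the config option, turning CONFIG_PAX_RANDUSTACK off in the kernel configuration gives the same result without carrying a local patch; if a per-binary switch is really wanted, keep the `#ifdef` and add a condition instead of removing the code.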

Re: Can't disable ASLR

Posted: Mon Jan 18, 2016 6:44 pm
by PaX Team
the randomize_stack_top hunk is kinda pointless because RANDUSTACK handling is above it ;). in general, why don't you just disable CONFIG_PAX_RANDUSTACK?