Hello
I use Grsecurity and i like it.
However i have a problem with the ASLR and PT_PAX_FLAGS : i can't totally disable the ASLR on a program.
For example : I disable all the flags on a dummy program (that just show the adress of a buffer on the stack)
then, the buffer is still moving with an adress of this kind : 0xbffffxx8
Is there a way to totally disable the ASLR just for one program ? (without using randomize_va_space)
Thank you
Hakril
Can't disable ASLR
8 posts
• Page 1 of 1
Can't disable ASLR
by Hakril » Wed Jun 15, 2011 5:46 am
- Hakril
- Posts: 2
- Joined: Wed Jun 15, 2011 4:21 am
Re: Can't disable ASLR
by PaX Team » Wed Jun 15, 2011 6:50 am
PT_PAX_FLAGS controls only the randomization provided by PaX itself, it doesn't control the randomization present in vanilla kernels. for the latter you'll need to enable the ADDR_NO_RANDOMIZE personality flag (setarch -R). as a sidenote, randomize_va_space disables both kinds of randomizations.Hakril wrote:Is there a way to totally disable the ASLR just for one program ? (without using randomize_va_space)
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
Re: Can't disable ASLR
by Hakril » Wed Jun 15, 2011 8:49 am
PaX Team wrote:for the latter you'll need to enable the ADDR_NO_RANDOMIZE personality flag (setarch -R).
Thank you for your answer.
But the problem is that "setarch -R" don't have any effect on my grsecurity-patched kernel whereas it works very well on my standard kernel
- Hakril
- Posts: 2
- Joined: Wed Jun 15, 2011 4:21 am
Re: Can't disable ASLR
by PaX Team » Wed Jun 15, 2011 9:51 am
doh, i just remembered, setarch works fine, but it's PaX which randomizes the stack pointer in two separate steps and one of them cannot be controlled except by randomize_va_space because at that point the new personality hasn't been established yet and using the current one is dangerous (it'd be possible to run suid programs without this randomization) nor do we have access to PT_PAX_FLAGS this early.Hakril wrote:But the problem is that "setarch -R" don't have any effect on my grsecurity-patched kernel whereas it works very well on my standard kernel
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
Re: Can't disable ASLR
by aurelf » Thu Jan 14, 2016 9:06 pm
PaX Team wrote:doh, i just remembered, setarch works fine, but it's PaX which randomizes the stack pointer in two separate steps and one of them cannot be controlled except by randomize_va_space because at that point the new personality hasn't been established yet and using the current one is dangerous (it'd be possible to run suid programs without this randomization) nor do we have access to PT_PAX_FLAGS this early.Hakril wrote:But the problem is that "setarch -R" don't have any effect on my grsecurity-patched kernel whereas it works very well on my standard kernel
Hi,
PaxTeam, could you point me to that early randomization code ? I'm trying to deactivate this but I don't find the place where it is done ... This is for security exercises with growing difficulty, suid not a problem in my case.
Thanks,
Aurelf
- aurelf
- Posts: 4
- Joined: Thu Jan 14, 2016 8:27 pm
Re: Can't disable ASLR
by PaX Team » Sat Jan 16, 2016 7:44 am
it's the hunk in fs/exec.c:__bprm_mm_init under CONFIG_PAX_RANDUSTACK.
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
Re: Can't disable ASLR
by aurelf » Mon Jan 18, 2016 6:34 pm
Thanks.
For the record, here is an ugly patch that deactivates half of stack randomization for all programs
(actually seem easier in this case) and makes the rest controlled by paxctl. The result is good for my purpose
and I leave it there in case it could be useful to someone else (that hopefully understand that this patch has
no other point than actually reducing the security of the system...).
For the record, here is an ugly patch that deactivates half of stack randomization for all programs
(actually seem easier in this case) and makes the rest controlled by paxctl. The result is good for my purpose
and I leave it there in case it could be useful to someone else (that hopefully understand that this patch has
no other point than actually reducing the security of the system...).
- Code: Select all
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index be797cf..c22cfad 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1016,7 +1016,8 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
#endif
if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
+ !(current->personality & ADDR_NO_RANDOMIZE)
+ && current->mm->pax_flags & MF_PAX_RANDMMAP) {
random_variable = (unsigned long) get_random_int();
random_variable &= STACK_RND_MASK;
random_variable <<= PAGE_SHIFT;
@@ -1282,7 +1283,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
+ if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space
+ && current->mm->pax_flags & MF_PAX_RANDMMAP)
current->flags |= PF_RANDOMIZE;
setup_new_exec(bprm);
diff --git a/fs/exec.c b/fs/exec.c
index 122301f..5a26c33 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -322,11 +322,6 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
up_write(&mm->mmap_sem);
bprm->p = vma->vm_end - sizeof(void *);
-#ifdef CONFIG_PAX_RANDUSTACK
- if (randomize_va_space)
- bprm->p ^= prandom_u32() & ~PAGE_MASK;
-#endif
-
return 0;
err:
up_write(&mm->mmap_sem);
- aurelf
- Posts: 4
- Joined: Thu Jan 14, 2016 8:27 pm
Re: Can't disable ASLR
by PaX Team » Mon Jan 18, 2016 6:44 pm
the randomize_stack_top hunk is kinda pointless because RANDUSTACK handling is above it 
. in general, why don't you just disable CONFIG_PAX_RANDUSTACK?
. in general, why don't you just disable CONFIG_PAX_RANDUSTACK?- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
8 posts
• Page 1 of 1