PAX ASLR: fix mmap randomization which was broken by 3d154ea commit

After the 3d154ea commit, paxtest's output is this:

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
FreeBSD  11.0-CURRENT FreeBSD 11.0-CURRENT #3 d6b9ed4(op/hardened/current/aslr-devel)-dirty: Fri Aug  8 17:06:55 CEST 2014     op@pandora-d:/tmp/amd64-objdir/usr/data/source/git/opBSD/opBSD.git/sys/GENERIC  amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : 2 bits (guessed)
Heap randomisation test (PIE)            : 12 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : 15 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 16 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 17 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 17 bits (guessed)
Randomization under memory exhaustion @~0: No randomisation
Randomization under memory exhaustion @0 : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, PIE)         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

After partially reverting the mentioned commit, paxtest's output is fixed:

FreeBSD pandora-d 10.0-STABLE FreeBSD 10.0-STABLE #72
6fd52c6(op/stable/10/opbsd-aslr): Sat Aug  9 02:33:44 CEST 2014     root@pandora-d:/usr/obj/usr/src/sys/OP-ASLR  amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 21 bits (guessed)
Heap randomisation test (ET_EXEC)        : 11 bits (guessed)
Heap randomisation test (PIE)            : 12 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 21 bits (guessed)
Shared library randomisation test        : 21 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 15 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 16 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 17 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 16 bits (guessed)
Randomization under memory exhaustion @~0: 22 bits (guessed)
Randomization under memory exhaustion @0 : 21 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (memcpy, PIE)         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
opntr committed Aug 9, 2014
1 parent 1358480 commit 190c95d
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions sys/vm/vm_mmap.c
Expand Up @@ -321,9 +321,6 @@ sys_mmap(td, uap)
* location.
*/
PROC_LOCK(td->td_proc);
#ifdef PAX_ASLR
pax_aslr_mmap(td->td_proc, &addr, orig_addr, flags);
#endif
if (addr == 0 ||
(addr >= round_page((vm_offset_t)vms->vm_taddr) &&
addr < round_page((vm_offset_t)vms->vm_daddr +
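Review bot: the removed call ran pax_aslr_mmap() ahead of the hint check directly below it, which rewrites addr whenever it is 0 or lies between round_page(vm_taddr) and the end of the maximum heap, so any randomized address produced at this point could be thrown away by that fallback; this matches the "No randomisation" results for anonymous and shared-library mappings quoted in the commit message. Note also that the old call site was under PROC_LOCK(td->td_proc), so confirm pax_aslr_mmap() has no locking expectation that the relocation silently drops.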
Expand Down Expand Up @@ -432,6 +429,9 @@ sys_mmap(td, uap)
map:
td->td_fpop = fp;
maxprot &= cap_maxprot;
#ifdef PAX_ASLR
pax_aslr_mmap(td->td_proc, &addr, orig_addr, flags);
#endif
error = vm_mmap(&vms->vm_map, &addr, size, prot, maxprot,
flags, handle_type, handle, pos);
td->td_fpop = NULL;
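Review bot: the relocated call at the `map:` label has no comment explaining why the randomization has to happen after the hint sanitization and immediately before vm_mmap(); add one so a later cleanup does not move it back to its old position. Two things to verify at this new site: pax_aslr_mmap() now receives the possibly rewritten addr together with orig_addr, so its logic must cope with a hint that no longer matches the caller's, and there is no MAP_FIXED guard here and no return value checked before vm_mmap() consumes addr, so the function must honour MAP_FIXED itself via flags and must not be able to fail.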
