
Introduce CheckASLR() in sanitizers
ClosedPublic

Authored by krytarowski on May 28 2018, 12:36 AM.

Details

Summary

At least the ASan, MSan and TSan sanitizers require disabled ASLR on NetBSD.

Introduce a generic CheckASLR() routine that implements a check for the
current process. This flag depends on the global or per-process settings.

There is no simple way to disable ASLR in the build process from the
level of a sanitizer or during the runtime execution.

With ASLR enabled, sanitizers that operate over the process virtual address
space can misbehave, usually breaking with cryptic messages.

This check is a dummy for !NetBSD.

Sponsored by <The NetBSD Foundation>
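The check described in the summary, written out as a standalone C program (an added example, not the code of this revision): it queries NetBSD's proc.<pid>.paxflags sysctl for the calling process and tests the ASLR bit, and on other systems it is a no-op as the summary says. The sysctl names are NetBSD's; the fallback bit value, the function names and the messages are assumptions.

```c
#include <stdio.h>
#include <unistd.h>
#ifdef __NetBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#endif

/* Constructed fallback so the flag-decoding helper compiles off NetBSD;
 * on NetBSD the real definition from <sys/sysctl.h> wins. The bit value
 * here is an assumption, not taken from the revision. */
#ifndef CTL_PROC_PAXFLAGS_ASLR
#define CTL_PROC_PAXFLAGS_ASLR 0x01
#endif

/* Decode a proc.<pid>.paxflags word: 1 if ASLR is in effect for the
 * process (global setting combined with any per-process override), else 0. */
int paxflags_aslr_enabled(int paxflags) {
    return (paxflags & CTL_PROC_PAXFLAGS_ASLR) != 0;
}

/* Result of the check: 1 = ASLR enabled, 0 = disabled,
 * -1 = not checkable (the dummy case on !NetBSD, or sysctl failure). */
int check_aslr(void) {
#ifdef __NetBSD__
    int mib[3];
    int paxflags = 0;
    size_t len = sizeof(paxflags);   /* size of the int, not of a pointer */

    mib[0] = CTL_PROC;
    mib[1] = (int)getpid();
    mib[2] = PROC_PID_PAXFLAGS;
    if (sysctl(mib, 3, &paxflags, &len, NULL, 0) == -1)
        return -1;
    return paxflags_aslr_enabled(paxflags);
#else
    return -1;   /* no check on other systems, as the summary says */
#endif
}

int main(void) {
    int r = check_aslr();
    if (r == 1) {
        fprintf(stderr, "This sanitizer is not compatible with enabled ASLR\n");
        return 1;   /* a sanitizer runtime would abort here */
    }
    puts(r == 0 ? "ASLR disabled for this process" : "ASLR check not available here");
    return 0;
}
```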


Event Timeline

krytarowski created this revision. May 28 2018, 12:36 AM

Is disabling ASLR required just because of the hardcoded heap base addresses or is there more to it?

In the PaX ASLR NetBSD implementation we add a random offset to all allocations including text (for PIE programs), heap and stack.

This means that the program can land in such wide ranges of the address space that it's not possible to use certain sanitizers without disabling ASLR.

ASan is more tolerant and it sometimes works with PaX ASLR, but it's mandatory for TSan and MSan.

135 kamil@rugged /home/kamil $ cat /proc/self/map 
0xd4800000 0xd4803000 r-x r-x COW NC 1 0 0
0xd4a02000 0xd4a03000 r-- rw- COW NNC 1 0 0
0xd4a03000 0xd4a04000 rw- rw- COW NNC 1 0 0
0x7ec318000000 0x7ec318003000 r-x r-x COW NC 1 0 0
0x7ec318003000 0x7ec318202000 --- r-x COW NC 1 0 0
0x7ec318202000 0x7ec318203000 rw- rw- COW NNC 1 0 0
0x7ec318400000 0x7ec318551000 r-x r-x COW NC 1 0 0
0x7ec318551000 0x7ec318750000 --- r-x COW NC 1 0 0
0x7ec318750000 0x7ec318757000 r-- rw- COW NNC 1 0 0
0x7ec318757000 0x7ec31875d000 rw- rw- COW NNC 1 0 0
0x7ec31875d000 0x7ec31876e000 rw- rw- COW NNC 1 0 0
0x7ec318800000 0x7ec318810000 rw- rw- COW NNC 1 0 0
0x7ec318810000 0x7ec318900000 rw- rw- COW NNC 1 0 0
0x7ec318929000 0x7ec318933000 rw- rw- COW NNC 1 0 0
0x7f7e88400000 0x7f7e88410000 r-x r-x COW NC 1 0 0
0x7f7e88410000 0x7f7e88610000 --- --- COW NC 1 0 0
0x7f7e88610000 0x7f7e88611000 rw- rw- COW NNC 1 0 0
0x7f7e88611000 0x7f7e88612000 rw- rw- COW NNC 1 0 0
0x7f7ff7eff000 0x7f7ffefd4000 --- --- COW NC 1 0 0
0x7f7ffefd4000 0x7f7fff3d0000 rw- rw- COW NC 1 0 0
0x7f7fff3d0000 0x7f7fff3d4000 rw- rw- COW NNC 1 0 0
136 kamil@rugged /home/kamil $ cat /proc/self/map 
0x17b000000 0x17b003000 r-x r-x COW NC 1 0 0
0x17b202000 0x17b203000 r-- rw- COW NNC 1 0 0
0x17b203000 0x17b204000 rw- rw- COW NNC 1 0 0
0x6f8473e00000 0x6f8473e03000 r-x r-x COW NC 1 0 0
0x6f8473e03000 0x6f8474002000 --- r-x COW NC 1 0 0
0x6f8474002000 0x6f8474003000 rw- rw- COW NNC 1 0 0
0x6f8474100000 0x6f8474110000 rw- rw- COW NNC 1 0 0
0x6f8474110000 0x6f8474200000 rw- rw- COW NNC 1 0 0
0x6f8474200000 0x6f8474351000 r-x r-x COW NC 1 0 0
0x6f8474351000 0x6f8474550000 --- r-x COW NC 1 0 0
0x6f8474550000 0x6f8474557000 r-- rw- COW NNC 1 0 0
0x6f8474557000 0x6f847455d000 rw- rw- COW NNC 1 0 0
0x6f847455d000 0x6f847456e000 rw- rw- COW NNC 1 0 0
0x6f847468b000 0x6f8474695000 rw- rw- COW NNC 1 0 0
0x7f7f0d000000 0x7f7f0d010000 r-x r-x COW NC 1 0 0
0x7f7f0d010000 0x7f7f0d210000 --- --- COW NC 1 0 0
0x7f7f0d210000 0x7f7f0d211000 rw- rw- COW NNC 1 0 0
0x7f7f0d211000 0x7f7f0d212000 rw- rw- COW NNC 1 0 0
0x7f7ff7eff000 0x7f7fff871000 --- --- COW NC 1 0 0
0x7f7fff871000 0x7f7fffc60000 rw- rw- COW NC 1 0 0
0x7f7fffc60000 0x7f7fffc71000 rw- rw- COW NNC 1 0 0
137 kamil@rugged /home/kamil $ cat /proc/self/map 
0x1ef200000 0x1ef203000 r-x r-x COW NC 1 0 0
0x1ef402000 0x1ef403000 r-- rw- COW NNC 1 0 0
0x1ef403000 0x1ef404000 rw- rw- COW NNC 1 0 0
0x7e4bc1c00000 0x7e4bc1c03000 r-x r-x COW NC 1 0 0
0x7e4bc1c03000 0x7e4bc1e02000 --- r-x COW NC 1 0 0
0x7e4bc1e02000 0x7e4bc1e03000 rw- rw- COW NNC 1 0 0
0x7e4bc1f00000 0x7e4bc1f10000 rw- rw- COW NNC 1 0 0
0x7e4bc1f10000 0x7e4bc2000000 rw- rw- COW NNC 1 0 0
0x7e4bc2000000 0x7e4bc2151000 r-x r-x COW NC 1 0 0
0x7e4bc2151000 0x7e4bc2350000 --- r-x COW NC 1 0 0
0x7e4bc2350000 0x7e4bc2357000 r-- rw- COW NNC 1 0 0
0x7e4bc2357000 0x7e4bc235d000 rw- rw- COW NNC 1 0 0
0x7e4bc235d000 0x7e4bc236e000 rw- rw- COW NNC 1 0 0
0x7e4bc2462000 0x7e4bc246c000 rw- rw- COW NNC 1 0 0
0x7f7f4fe00000 0x7f7f4fe10000 r-x r-x COW NC 1 0 0
0x7f7f4fe10000 0x7f7f50010000 --- --- COW NC 1 0 0
0x7f7f50010000 0x7f7f50011000 rw- rw- COW NNC 1 0 0
0x7f7f50011000 0x7f7f50012000 rw- rw- COW NNC 1 0 0
0x7f7ff7eff000 0x7f7fffa75000 --- --- COW NC 1 0 0
0x7f7fffa75000 0x7f7fffe70000 rw- rw- COW NC 1 0 0
0x7f7fffe70000 0x7f7fffe75000 rw- rw- COW NNC 1 0 0
vitalybuka accepted this revision. Jun 4 2018, 1:19 PM
vitalybuka added inline comments.
lib/sanitizer_common/sanitizer_linux.cc, line 1961: sizeof(paxflags)

This revision is now accepted and ready to land. Jun 4 2018, 1:19 PM
Closed by commit rCRT333985: Introduce CheckASLR() in sanitizers (authored by kamil, committed by ). Jun 5 2018, 12:34 AM
This revision was automatically updated to reflect the committed changes.

Question out of curiosity: should HardenedBSD update this check as well? Or maybe just keep the diff on their side...

I don't know about other BSDs, I've never installed them.

Sure, but this is the only other BSD which has ASLR you can disable; HardenedBSD is a fork of FreeBSD, even though it somehow has its own "identity". I was just wondering about the "worthiness" of this specific case :-)

They claim to sync with FreeBSD daily, so perhaps they should first try to upstream ASLR to FreeBSD.

I wouldn't be surprised if they dropped it in some update, like the LibreSSL library...