From: Jonathan Brielmaier
To: bug-guix@gnu.org
Subject: bug#68961: ASLR seems to be partially broken
Date: Tue, 6 Feb 2024 23:57:53 +0100

Hi,

I found today an interesting blog post about broken ASLR (Address Space
Layout Randomization) on Linux: https://zolutal.github.io/aslrnt/

Curious if this is also a problem on Guix System I did a quick test.

```
$ cat aslr.py
from subprocess import check_output

# OR together the libc base address of 1000 freshly exec'd processes: a bit
# that is still 0 in the result was never set, so it was never randomized.
result = 0x0
for _ in range(0, 1000):
    out = check_output("cat /proc/self/maps | grep libc | head -n1",
                       shell=True).decode()
    base_address = int(out.split('-')[0], 16)
    result |= base_address
print('libc: ' + hex(result))

# Same for the dynamic loader (ld-linux).
resultld = 0x0
for _ in range(0, 1000):
    out = check_output("cat /proc/self/maps | grep ld-linux | head -n1",
                       shell=True).decode()
    base_address = int(out.split('-')[0], 16)
    resultld |= base_address
print('ld-linux: ' + hex(resultld))
```

Running this on x86_64 systems of mine, two of them print:
libc: 0x7ffffffa9000
ld-linux: 0x7ffffffff000

On the third system it prints:
libc: 0x7ffffffff000
ld-linux: 0x7ffffffff000

For 32-bit it looks even worse (not sure if it's correct to test it like
this):
$ guix shell --system=i686-linux coreutils python -- python3 aslr.py
libc: 0xf7800000
ld-linux: 0xf7fff000

Not sure what we should do here. There seems to be a kernel patch for
Ubuntu available:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?h=master-next&id=760c2b1fa1f5e95be1117bc7b80afb8441d4b002

~Jonathan


From: Liliana Marie Prikler
To: Jonathan Brielmaier, 68961@debbugs.gnu.org
Subject: bug#68961: ASLR seems to be partially broken
Date: Thu, 08 Feb 2024 09:50:49 +0100

On Tuesday, 2024-02-06 at 23:57 +0100, Jonathan Brielmaier wrote:
> Hi,
>
> I found today an interesting blog post about broken ASLR (Address Space
> Layout Randomization) on Linux: https://zolutal.github.io/aslrnt/
>
> Curious if this is also a problem on Guix System I did a quick test.
>
> ```
> $ cat aslr.py
> from subprocess import check_output
> result = 0x0
> for _ in range(0, 1000):
>     out = check_output("cat /proc/self/maps | grep libc | head -n1",
>                        shell=True).decode()
>     base_address = int(out.split('-')[0], 16)
>     result |= base_address
> print('libc: ' + hex(result))
>
> resultld = 0x0
> for _ in range(0, 1000):
>     out = check_output("cat /proc/self/maps | grep ld-linux | head -n1",
>                        shell=True).decode()
>     base_address = int(out.split('-')[0], 16)
>     resultld |= base_address
> print('ld-linux: ' + hex(resultld))
> ```
>
> Running this on x86_64 systems of mine, two of them print:
> libc: 0x7ffffffa9000
> ld-linux: 0x7ffffffff000
>
> On the third system it prints:
> libc: 0x7ffffffff000
> ld-linux: 0x7ffffffff000

On my machine, this also prints 0x7ffffffff000. Perhaps 1000 runs are not
good enough to get truly random results with some RNGs. Note that we do
have 51 bits of randomness here – perhaps not ideal, but afaik the best we
can do without breaking alignment.

> For 32-bit it looks even worse (not sure if it's correct to test it like
> this):
> $ guix shell --system=i686-linux coreutils python -- python3 aslr.py
> libc: 0xf7800000
> ld-linux: 0xf7fff000
>
> Not sure what we should do here. There seems to be a kernel patch for
> Ubuntu available:

For 32 bit, try

```
from subprocess import check_output

# AND together the bases instead: a bit that is still 1 in the result was
# set in every run, so it was never randomized either.
result = 0xffffffff
for _ in range(0, 1000):
    out = check_output("cat /proc/self/maps | grep libc | head -n1",
                       shell=True).decode()
    base_address = int(out.split('-')[0], 16)
    result &= base_address
print('libc: ' + hex(result))

resultld = 0xffffffff
for _ in range(0, 1000):
    out = check_output("cat /proc/self/maps | grep ld-linux | head -n1",
                       shell=True).decode()
    base_address = int(out.split('-')[0], 16)
    resultld &= base_address
print('ld-linux: ' + hex(resultld))
```

instead. I get 0xf7c00000 for libc and 0xf7e00000 – meaning that the first
nibble is always the same, but more importantly, these are also the
addresses you'd get on each run. So I'm pretty sure that ASLR'nt applies
to our 32 bit builds.

Since this is a known bug in the Linux kernel, I'd like to check whether
there's a fix we can backport. We could of course also patch our config
aux-files like Ubuntu does in the meantime.

Cheers
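The two scripts in this thread each show only half the picture: OR-ing the bases reveals bits that were ever set, AND-ing reveals bits that were always set, and a bit is actually randomized only if it is set in some runs and clear in others. The following added example (not from the bug report, not Guix code) combines both into a single measurement: it parses /proc/self/maps lines itself instead of shelling out to cat|grep|head, computes the varying-bit mask as (OR of all bases) XOR (AND of all bases), and counts the set bits of that mask as a lower bound on the randomized bits. The embedded maps lines are constructed for the offline check, and the /gnu/store path in them is a made-up placeholder; the live sampler at the bottom only runs on Linux.

```python
"""Measure how many bits of a shared object's load address really vary
across freshly exec'd processes (added example, not part of bug#68961)."""
import subprocess
import sys


def parse_maps_base(maps_text, needle):
    """Start address of the first /proc/<pid>/maps mapping whose pathname
    contains `needle`, or None if there is no such mapping.

    A maps line looks like (six whitespace-separated fields, the last one
    being the pathname, which may itself contain spaces):
      7f0c4e200000-7f0c4e228000 r--p 00000000 08:01 1234  /lib/libc.so.6
    """
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and needle in fields[5]:
            return int(fields[0].split('-')[0], 16)
    return None


def varying_mask(addrs):
    """Mask of bits that were 1 in some samples and 0 in others."""
    if not addrs:
        return 0
    ever_set = 0          # the OR test from the original report
    always_set = ~0       # the AND test from the reply (Python ints are
    for a in addrs:       # arbitrary width, so ~0 is all ones)
        ever_set |= a
        always_set &= a
    return ever_set ^ always_set


def random_bits(addrs):
    """Number of address bits observed to vary: a lower bound on the ASLR
    entropy of that mapping (more samples can only raise it)."""
    return bin(varying_mask(addrs)).count('1')


def sample_base(needle, runs=1000):
    """Spawn `runs` fresh interpreters and collect the base of the first
    mapping matching `needle` from each one's own /proc/self/maps. A fresh
    exec per sample is required because the layout is chosen at exec time."""
    code = "print(open('/proc/self/maps').read())"
    bases = []
    for _ in range(runs):
        out = subprocess.check_output([sys.executable, '-c', code]).decode()
        base = parse_maps_base(out, needle)
        if base is not None:
            bases.append(base)
    return bases


# Constructed sample (not real measurements): four libc bases in the form
# /proc/self/maps prints them. Bits 12..39 vary between them, the 0x7f
# prefix and the page-offset bits never do. Store path is a placeholder.
SAMPLE_MAPS = [
    "7f0000000000-7f0000028000 r--p 00000000 08:01 1234  /gnu/store/example-glibc/lib/libc.so.6\n"
    "7f0000028000-7f00001bd000 r-xp 00028000 08:01 1234  /gnu/store/example-glibc/lib/libc.so.6\n",
    "7ffffffff000-7fffffffff000 r--p 00000000 08:01 1234  /gnu/store/example-glibc/lib/libc.so.6\n",
    "7f3a11a00000-7f3a11a28000 r--p 00000000 08:01 1234  /gnu/store/example-glibc/lib/libc.so.6\n",
    "7fe7c0f28000-7fe7c0f50000 r--p 00000000 08:01 1234  /gnu/store/example-glibc/lib/libc.so.6\n",
]


if __name__ == '__main__':
    # Offline check on the constructed sample ...
    sample = [parse_maps_base(m, 'libc') for m in SAMPLE_MAPS]
    print('sample: varying mask %s, %d random bits'
          % (hex(varying_mask(sample)), random_bits(sample)))
    # ... and, on a Linux host, a live measurement like the thread's scripts.
    if sys.platform.startswith('linux'):
        for needle in ('libc', 'ld-linux'):
            bases = sample_base(needle, runs=200)
            print('%s: %d samples, varying mask %s, %d random bits'
                  % (needle, len(bases), hex(varying_mask(bases)),
                     random_bits(bases)))
```

On the constructed sample the mask is 0x00fffffff000, i.e. 28 varying bits. Reading the live output the same way is more informative than either script alone: a mask whose low bits above the page offset are all zero means those bits are fixed for every run, which is exactly the loss of entropy the blog post linked above describes, and a mask of zero for a library means its base never moved at all.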