Date:      Thu, 22 May 2014 20:23:18 -0600
From:      Ian Lepore <ian@FreeBSD.org>
To:        Shawn Webb <lattera@gmail.com>
Cc:        freebsd-current@FreeBSD.org
Subject:   Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
Message-ID:  <1400811798.1152.304.camel@revolution.hippie.lan>
In-Reply-To: <20140514135852.GC3063@pwnie.vrt.sourcefire.com>
References:  <20140514135852.GC3063@pwnie.vrt.sourcefire.com>

On Wed, 2014-05-14 at 09:58 -0400, Shawn Webb wrote:
> Hey All,
> 
> [NOTE: crossposting between freebsd-current@, freebsd-security@, and
> freebsd-stable@. Please forgive me if crossposting is frowned upon.]
> 
> Address Space Layout Randomization, or ASLR for short, is an exploit
> mitigation technology. It helps secure applications against low-level
> exploits. A popular secure implementation is known as PaX ASLR, which is
> a third-party patch for Linux. Our implementation is based off of PaX's.
> 
> Oliver Pinter, Danilo Egea, and I have been working hard to bring more
> features and robust stability to our ASLR patches. We've done extensive
> testing on amd64. We'd like to get as many people testing these patches.
> Given the nature of them, we'd also like as many eyeballs reviewing the
> code as well.
> 
> I have a Raspberry Pi and have noticed a few bugs. On ARM (at least, on
> the RPI), when a parent forks a child, and the child gracefully exits,
> the parent segfaults with the pc register pointing to 0xc0000000. That
> address is always the same, no matter the application. If anyone knows
> the ARM architecture well, and how FreeBSD ties into it, I'd like a
> little guidance.
> 

I almost forgot about your question (I was really busy when it first
arrived); sorry for the long delay.

I guess you must be saying that this parent segfault on child exit
happens when your aslr patches are in place?  I've never seen anything
like that on arm.  The 0xc0000000 address is the start of the kernel
address space.  Also, the userland stack grows down from 0xbfffffff, so
walking off the top of the stack would hit that address.

-- Ian

> I also have a sparc64 box, but I'm having trouble getting a vanilla
> 11-current system to be stable on it. I ought to file a few PRs.
> 
> You can find links to the patches below.
> 
> Patch for 11-current:
> http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-current-aslr-segvguard-SNAPSHOT.diff
> 
> Patch for 10-stable:
> http://www.crysys.hu/~op/freebsd/patches/20140514091132-freebsd-stable-10-aslr-segvguard-SNAPSHOT.diff
> 
> Thanks,
> 
> Shawn Webb
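A small test harness for the scenario Shawn describes (parent forks, child exits gracefully, parent must survive and see the status) together with a stack-address probe for the 0xc0000000 fact in Ian's reply. This is an added example, not code from the thread or from the ASLR patches; it assumes a POSIX fork/waitpid environment, and ARM32_KERNBASE is a constant named here from the reply.

```c
/* Added harness for the fork/exit bug report and address facts in this thread
 * (constructed for this page; not part of the ASLR patches themselves). */
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start of the kernel address space on 32-bit arm FreeBSD (from the reply);
 * userland, including the stack, lies below it. */
#define ARM32_KERNBASE 0xc0000000u

/* Fork once; the child exits gracefully with 'code'. Returns the exit code
 * the parent observes via waitpid(), or -1 on failure or abnormal exit. */
int fork_child_exit_status(int code)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(code);            /* child: clean exit, no stdio flushing */
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
/* Repeat the cycle 'rounds' times; counts rounds where the parent saw the
 * expected status. If the parent faults as reported, the process dies. */
int fork_exit_rounds(int rounds)
{
    int ok = 0;
    for (int i = 0; i < rounds; i++)
        if (fork_child_exit_status(i & 0x7f) == (i & 0x7f))
            ok++;
    return ok;
}
/* Address of a stack local: across separate runs it should differ once ASLR
 * randomizes the stack, and on 32-bit arm it must stay below ARM32_KERNBASE. */
uintptr_t stack_probe(void)
{
    volatile int marker = 0;
    return (uintptr_t)&marker;
}
int main(void)
{
    uintptr_t sp = stack_probe();
    printf("stack local at %#lx (below arm KERNBASE: %s)\n", (unsigned long)sp,
           sizeof(void *) == 4 ? (sp < ARM32_KERNBASE ? "yes" : "NO") : "n/a");
    printf("parent survived %d/%d fork/exit rounds\n", fork_exit_rounds(100), 100);
    return 0;
}
```

Run it a few times in a row: a stack address that never changes between runs means the stack is not being randomized, and a parent that dies with SIGSEGV instead of printing the round count reproduces the report.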