Re: state of security hardening build flag efforts



Russ Allbery wrote:
> Uoti Urpala <uoti.urpala@pp1.inet.fi> writes:
> > Russ Allbery wrote:
> 
> >> +pie causes a fairly ordinary regular binary (gnubg) to die with a bus
> >> error immediately upon execution.  If someone could figure out why and
> >> whether it's a general class of problems or something peculiar to that
> >> code, I'd be feeling more optimistic about enabling PIE more broadly.
> 
> > I tried building it with +pie on AMD64. It ran without crashing.
> 
> Try on i386.  That's where I had the problem.  (Sorry, I should have said
> that.)

I tried it on i386 now. The binary didn't start; however, I did not see
any bus error. Rather, the kernel immediately kills the new process with
SIGKILL before any code starts executing. The issue is triggered by the
huge static amMoves array declared in eval.c function GenerateMoves, and
only occurs with address space randomization enabled (it runs fine under
gdb by default, unless you do "set disable-randomization off"). The
following program demonstrates the same issue if compiled with -pie:

/* ~195 MB static array, placed in .bss */
char a[195000000];
int main(void) { return a[0]; }

I think the reason for this behavior is that with address space
randomization and PIE the array is placed in or above the mmap segment
of process memory, and that has a predetermined size which may be too
small for big objects. The same program actually works if I use "ulimit
-s 500000", which reserves more space at the top of the address space.
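
A pre-flight check for the failure described above, as an added example that is not part of the original message: it reads an ELF image's program headers and flags 32-bit ET_DYN images (PIE executables, but also shared objects) whose PT_LOAD segments span a large address range. The function names, the constructed sample image and the 128 MiB review threshold are assumptions for illustration, not values from the post.

```python
import struct

PT_LOAD, ET_DYN = 1, 3
SPAN_LIMIT = 128 << 20   # assumed review threshold, not a value from the post

def load_span(elf):
    """Return (e_type, is_32bit, bytes of address space spanned by PT_LOAD)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is32 = elf[4] == 1                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    e_type, = struct.unpack_from(e + "H", elf, 16)
    word, phoff_at, phsz_at = ("I", 28, 42) if is32 else ("Q", 32, 54)
    e_phoff, = struct.unpack_from(e + word, elf, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", elf, phsz_at)
    lo, hi = None, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(e + "I", elf, off)
        if p_type != PT_LOAD:
            continue
        # p_vaddr, p_paddr, p_filesz, p_memsz sit at +8 (ELF32) or +16 (ELF64)
        vaddr, _, _, memsz = struct.unpack_from(
            e + "4" + word, elf, off + (8 if is32 else 16))
        lo = vaddr if lo is None else min(lo, vaddr)
        hi = max(hi, vaddr + memsz)          # memsz includes .bss, filesz does not
    return e_type, is32, (hi - lo if lo is not None else 0)

def pie_needs_review(elf, limit=SPAN_LIMIT):
    """True for a 32-bit ET_DYN image whose load span exceeds the limit."""
    e_type, is32, span = load_span(elf)
    return e_type == ET_DYN and is32 and span > limit

def constructed_elf32(e_type, bss_bytes):
    """Constructed sample: minimal little-endian ELF32, text + data/bss segments."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               e_type, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    text = struct.pack("<8I", PT_LOAD, 0, 0, 0, 0x1000, 0x1000, 5, 0x1000)
    data = struct.pack("<8I", PT_LOAD, 0x1000, 0x2000, 0x2000,
                       0x100, 0x100 + bss_bytes, 6, 0x1000)
    return ehdr + text + data

if __name__ == "__main__":
    big = constructed_elf32(ET_DYN, 195000000)   # array size from the post
    print(load_span(big), pie_needs_review(big))
```

To check a real build, pass the file's bytes instead of the constructed image, for example `pie_needs_review(open(path, "rb").read())`.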


