
Bug#589179: linux-image-2.6.26-2-686: heap base address is not randomised when randomize_va_space is set to 2



Package: linux-2.6
Version: 2.6.26-24
Severity: normal

Hi,
When running the latest stable Debian kernel the base address of a heap is not randomised regardless of the
setting for randomize_va_space (it is set to 2 by default). This can be observed by using a simple .c
program (below) or using the paxtest suite available from here:
http://grsecurity.net/~spender/paxtest-0.9.9.tgz

Please bear in mind that I have only tested this within a virtualised environment, and only on an x86 system.

Sample C program I used:
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    /* one small heap allocation; with heap randomisation its address should differ from run to run */
    char *p = malloc(40 * sizeof(char));
    printf("address: %p\n", (void *)p);  /* %p, not %x: p is a pointer */
    free(p);
    return 0;
}

compile and run:
gcc -o heap heap.c
watch -n 1 ./heap

reproducible: always

steps to reproduce:
- compile and run paxtest or simple .c program from above

expected results:
- randomised addresses for heap allocations - the address of the malloc'ed variable should be different each time the program is run.
For the paxtest - it should not report 'no randomisation' for 'Heap randomisation test (ET_EXEC)'

actual results:
- no randomisation of the heap base addresses.
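The check described above (run a small program repeatedly, see whether the heap address changes), written as one self-contained program instead of `watch`. This is an added example, not the reporter's program and not code from the Debian kernel package. It assumes Linux (`/proc/self/exe` to re-execute itself, `/proc/sys/kernel/randomize_va_space` for the sysctl); the function names, `RUNS` and the two sample address arrays are my own constructions. Run with no arguments: the parent spawns itself `RUNS` times in `--probe` mode, collects each child's malloc address over a pipe and reports how many distinct values it saw, alongside the current sysctl value. One distinct value across many runs is the symptom this report describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define RUNS 20   /* number of fresh processes to sample (constructed choice) */

/* Address of a fresh small heap allocation in this process, as an integer.
 * Small requests come from the brk heap, so this tracks the heap base. */
unsigned long heap_probe_address(void)
{
    char *p = malloc(40);
    unsigned long a = p ? (unsigned long)(uintptr_t)p : 0;
    free(p);
    return a;
}

/* Number of distinct values in a[0..n-1] (n is small, O(n^2) is fine). */
size_t count_distinct(const unsigned long *a, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++)
            if (a[j] == a[i]) break;
        if (j == i) distinct++;
    }
    return distinct;
}

/* Parse the text of /proc/sys/kernel/randomize_va_space: "0", "1" or "2",
 * usually followed by a newline. Anything else yields -1. */
int parse_randomize_va_space(const char *s)
{
    if (s == NULL || s[0] < '0' || s[0] > '2') return -1;
    if (s[1] != '\0' && s[1] != '\n') return -1;
    return s[0] - '0';
}

/* Read the sysctl from /proc; -1 if it cannot be read (e.g. not Linux). */
int read_randomize_va_space(void)
{
    char buf[8] = {0};
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    char *got = fgets(buf, sizeof buf, f);
    fclose(f);
    return got ? parse_randomize_va_space(buf) : -1;
}

/* Re-execute this binary in --probe mode and read back the address it
 * prints. ASLR decisions are made at exec time, so a plain fork would not
 * produce a fresh layout; the exec is what matters. */
static int run_child_probe(unsigned long *out)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execl("/proc/self/exe", "heapprobe", "--probe", (char *)NULL);
        _exit(127);  /* exec failed */
    }
    close(fd[1]);
    char buf[32] = {0};
    ssize_t n = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n <= 0) return -1;
    *out = strtoul(buf, NULL, 16);
    return 0;
}

/* Constructed samples: what a non-randomised and a randomised heap look like. */
const unsigned long SAMPLE_FIXED[4]  = {0x804b000UL, 0x804b000UL, 0x804b000UL, 0x804b000UL};
const unsigned long SAMPLE_RANDOM[4] = {0x9a1c000UL, 0x8f0e000UL, 0x9a1c000UL, 0x83d2000UL};

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        printf("%lx\n", heap_probe_address());
        return 0;
    }
    unsigned long addrs[RUNS];
    size_t n = 0;
    for (int i = 0; i < RUNS; i++)
        if (run_child_probe(&addrs[n]) == 0) n++;
    size_t distinct = count_distinct(addrs, n);
    printf("randomize_va_space = %d\n", read_randomize_va_space());
    printf("%zu runs, %zu distinct heap addresses\n", n, distinct);
    if (n > 1 && distinct == 1)
        printf("heap base is NOT randomised\n");
    return 0;
}
```

Build with `gcc -o heapprobe heapprobe.c` and run `./heapprobe`. Because the child is a re-exec of the same non-PIE binary, this exercises exactly the ET_EXEC case paxtest's heap test covers; a PIE build would additionally move the image and so can mask a missing brk randomisation.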

-- Package-specific info:
** Version:
Linux version 2.6.26-2-686 (Debian 2.6.26-24) (dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Mon Jun 21 05:58:44 UTC 2010

** Command line:
root=/dev/hda1 ro quiet

** Not tainted

** Kernel log:
[    5.227996] usb 1-1: new full speed USB device using uhci_hcd and address 2
[    5.485259] PM: Starting manual resume from disk
[    5.517670] EXT3-fs: INFO: recovery required on readonly filesystem.
[    5.517674] EXT3-fs: write access will be enabled during recovery.
[    5.590701] usb 1-1: configuration #1 chosen from 1 choice
[    5.643904] usb 1-1: New USB device found, idVendor=0627, idProduct=0001
[    5.643909] usb 1-1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    5.643912] usb 1-1: Product: QEMU USB Tablet
[    5.643914] usb 1-1: Manufacturer: QEMU 0.12.4
[    5.643916] usb 1-1: SerialNumber: 1
[    5.710778] usbcore: registered new interface driver hiddev
[    5.735324] input: QEMU 0.12.4 QEMU USB Tablet as /class/input/input1
[    5.739330] input,hidraw0: USB HID v0.01 Pointer [QEMU 0.12.4 QEMU USB Tablet] on usb-0000:00:01.2-1
[    5.739330] usbcore: registered new interface driver usbhid
[    5.739330] usbhid: v2.6:USB HID core driver
[    6.359345] kjournald starting.  Commit interval 5 seconds
[    6.359345] EXT3-fs: recovery complete.
[    6.359345] EXT3-fs: mounted filesystem with ordered data mode.
[    9.039926] udevd version 125 started
[    9.809803] udev: renamed network interface eth0 to eth6
[   10.587020] piix4_smbus 0000:00:01.3: Found 0000:00:01.3 device
[   10.797426] input: Power Button (FF) as /class/input/input2
[   10.828746] ACPI: Power Button (FF) [PWRF]
[   11.152352] input: PC Speaker as /class/input/input3
[   11.368600] input: ImExPS/2 Generic Explorer Mouse as /class/input/input4
[   11.472414] parport_pc 00:05: reported by Plug and Play ACPI
[   11.472414] parport0: PC-style at 0x378, irq 7 [PCSPP,TRISTATE]
[   12.741775] Adding 489940k swap on /dev/hda5.  Priority:-1 extents:1 across:489940k
[  113.697388] EXT3 FS on hda1, internal journal
[  114.415953] loop: module loaded
[  121.243828] NET: Registered protocol family 10
[  121.246126] lo: Disabled Privacy Extensions
[  122.529155] lp0: using parport0 (interrupt-driven).
[  122.667535] ppdev: user-space parallel port driver
[  126.465548] eth6: link up, 100Mbps, full-duplex, lpa 0x05E1
[  144.751798] eth6: no IPv6 routers present
[  808.293430] BUG: soft lockup - CPU#0 stuck for 104s! [swapper:0]
[  808.293430] Modules linked in: ppdev lp ipv6 cpufreq_ondemand cpufreq_stats freq_table cpufreq_userspace cpufreq_powersave cpufreq_conservative loop parport_pc parport pcspkr psmouse serio_raw button i2c_piix4 i2c_core joydev evdev usbhid hid ff_memless ext3 jbd mbcache ide_cd_mod cdrom ide_disk ata_generic libata scsi_mod 8139too dock floppy 8139cp mii uhci_hcd piix ide_pci_generic usbcore ide_core thermal processor fan thermal_sys [last unloaded: scsi_wait_scan]
[  808.293430] 
[  808.293430] Pid: 0, comm: swapper Not tainted (2.6.26-2-686 #1)
[  808.293430] EIP: 0060:[<c0114d94>] EFLAGS: 00000246 CPU: 0
[  808.293430] EIP is at native_safe_halt+0x2/0x3
[  808.293430] EAX: c0378000 EBX: c010265b ECX: 0104f000 EDX: 00012276
[  808.293430] ESI: 00000000 EDI: c036c000 EBP: 00847007 ESP: c0379fe0
[  808.293430]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[  808.293430] CR0: 8005003b CR2: 085643ac CR3: 0ae94000 CR4: 000006d0
[  808.293430] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  808.293430] DR6: ffff0ff0 DR7: 00000400
[  808.293430]  [<c0102688>] ? default_idle+0x2d/0x53
[  808.293430]  [<c01025d3>] ? cpu_idle+0xb0/0xd0
[  808.293430]  =======================
[  978.033743] BUG: soft lockup - CPU#1 stuck for 158s! [dbus-daemon:2067]
[  978.033743] Modules linked in: ppdev lp ipv6 cpufreq_ondemand cpufreq_stats freq_table cpufreq_userspace cpufreq_powersave cpufreq_conservative loop parport_pc parport pcspkr psmouse serio_raw button i2c_piix4 i2c_core joydev evdev usbhid hid ff_memless ext3 jbd mbcache ide_cd_mod cdrom ide_disk ata_generic libata scsi_mod 8139too dock floppy 8139cp mii uhci_hcd piix ide_pci_generic usbcore ide_core thermal processor fan thermal_sys [last unloaded: scsi_wait_scan]
[  978.033743] 
[  978.033743] Pid: 2067, comm: dbus-daemon Not tainted (2.6.26-2-686 #1)
[  978.033743] EIP: 0060:[<c012979b>] EFLAGS: 00000287 CPU: 1
[  978.033743] EIP is at run_timer_softirq+0x16d/0x17c
[  978.033743] EAX: 0001cb7d EBX: 0000007d ECX: 0001cb7e EDX: df46c3f4
[  978.033743] ESI: deb35bb8 EDI: df46c000 EBP: c027a06b ESP: deb35bb8
[  978.033743]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  978.033743] CR0: 8005003b CR2: 0855aea4 CR3: 0ae4f000 CR4: 000006d0
[  978.033743] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  978.033743] DR6: ffff0ff0 DR7: 00000400
[  978.033743]  [<c0126669>] ? __do_softirq+0x66/0xd3
[  978.033743]  [<c012671b>] ? do_softirq+0x45/0x53
[  978.033743]  [<c01269d2>] ? irq_exit+0x35/0x69
[  978.033743]  [<c0110299>] ? smp_apic_timer_interrupt+0x6b/0x76
[  978.033743]  [<c0104368>] ? apic_timer_interrupt+0x28/0x30
[  978.033743]  [<c017f152>] ? do_sys_poll+0x140/0x2e7
[  978.033743]  [<c017fa0a>] ? __pollwait+0x0/0xac
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c011b73c>] ? default_wake_function+0x0/0x8
[  978.033743]  [<c0136198>] ? getnstimeofday+0x37/0xbc
[  978.033743]  [<c017f334>] ? sys_poll+0x3b/0x6e
[  978.033743]  [<c0103857>] ? sysenter_past_esp+0x78/0xb1
[  978.033743]  =======================
[ 2388.570877] hda: dma_timer_expiry: dma status == 0x21
[ 2399.059397] hda: DMA timeout error
[ 2399.379295] hda: dma timeout error: status=0xd8 { Busy }
[ 2399.379295] ide: failed opcode was: unknown
[ 2399.379295] hda: DMA disabled
[ 2399.440265] ide0: reset: success

** Model information
not available

** Loaded modules:
Module                  Size  Used by
ppdev                   6468  0 
lp                      8164  0 
ipv6                  235396  18 
cpufreq_ondemand        6476  0 
cpufreq_stats           3776  0 
freq_table              4224  2 cpufreq_ondemand,cpufreq_stats
cpufreq_userspace       3172  0 
cpufreq_powersave       1856  0 
cpufreq_conservative     5960  0 
loop                   12748  0 
parport_pc             22500  1 
parport                30988  3 ppdev,lp,parport_pc
pcspkr                  2432  0 
psmouse                32336  0 
serio_raw               4740  0 
button                  6096  0 
i2c_piix4               7216  0 
i2c_core               19828  1 i2c_piix4
joydev                  8480  0 
evdev                   8000  2 
usbhid                 35872  0 
hid                    33184  1 usbhid
ff_memless              4392  1 usbhid
ext3                  105576  1 
jbd                    39476  1 ext3
mbcache                 7108  1 ext3
ide_cd_mod             27684  0 
cdrom                  30176  1 ide_cd_mod
ide_disk               10496  3 
ata_generic             4676  0 
libata                140448  1 ata_generic
scsi_mod              129548  1 libata
8139too                20384  0 
dock                    8304  1 libata
floppy                 47844  0 
8139cp                 16800  0 
mii                     4896  2 8139too,8139cp
uhci_hcd               18672  0 
piix                    6568  0 [permanent]
ide_pci_generic         3908  0 [permanent]
usbcore               118224  3 usbhid,uhci_hcd
ide_core               96168  4 ide_cd_mod,ide_disk,piix,ide_pci_generic
thermal                15228  0 
processor              32576  1 thermal
fan                     4196  0 
thermal_sys            10856  3 thermal,processor,fan

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-

00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0

00:01.1 IDE interface [0101]: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II] [8086:7010] (prog-if 80 [Master])
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Region 0: [virtual] Memory at 000001f0 (32-bit, non-prefetchable) [size=8]
	Region 1: [virtual] Memory at 000003f0 (type 3, non-prefetchable) [size=1]
	Region 2: [virtual] Memory at 00000170 (32-bit, non-prefetchable) [size=8]
	Region 3: [virtual] Memory at 00000370 (type 3, non-prefetchable) [size=1]
	Region 4: I/O ports at c000 [size=16]
	Kernel driver in use: PIIX_IDE
	Kernel modules: piix

00:01.2 USB Controller [0c03]: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] [8086:7020] (rev 01) (prog-if 00 [UHCI])
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin D routed to IRQ 11
	Region 4: I/O ports at c020 [size=32]
	Kernel driver in use: uhci_hcd
	Kernel modules: uhci-hcd

00:01.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 03)
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 9
	Kernel driver in use: piix4_smbus
	Kernel modules: i2c-piix4

00:02.0 VGA compatible controller [0300]: Cirrus Logic GD 5446 [1013:00b8] (prog-if 00 [VGA controller])
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Region 0: Memory at f0000000 (32-bit, prefetchable) [size=32M]
	Region 1: Memory at f2000000 (32-bit, non-prefetchable) [size=4K]
	Expansion ROM at f2010000 [disabled] [size=64K]
	Kernel modules: cirrusfb

00:03.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ [10ec:8139] (rev 20)
	Subsystem: Qumranet, Inc. Device [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 32 bytes
	Interrupt: pin A routed to IRQ 10
	Region 0: I/O ports at c100 [size=256]
	Region 1: Memory at f2020000 (32-bit, non-prefetchable) [size=256]
	Expansion ROM at f2030000 [disabled] [size=64K]
	Kernel driver in use: 8139cp
	Kernel modules: 8139cp, 8139too


** Sound cards:

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages linux-image-2.6.26-2-686 depends on:
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
ii  initramfs-tools [linux-initra 0.92o      tools for generating an initramfs
ii  module-init-tools             3.4-1      tools for managing Linux kernel mo

Versions of packages linux-image-2.6.26-2-686 recommends:
ii  libc6-i686                  2.7-18lenny4 GNU C Library: Shared libraries [i

Versions of packages linux-image-2.6.26-2-686 suggests:
ii  grub                       0.97-47lenny2 GRand Unified Bootloader (Legacy v
pn  linux-doc-2.6.26           <none>        (no description available)

Versions of packages linux-image-2.6.26-2-686 is related to:
pn  firmware-bnx2                 <none>     (no description available)
pn  firmware-bnx2x                <none>     (no description available)
pn  firmware-ipw2x00              <none>     (no description available)
pn  firmware-ivtv                 <none>     (no description available)
pn  firmware-iwlwifi              <none>     (no description available)
pn  firmware-linux                <none>     (no description available)
pn  firmware-linux-nonfree        <none>     (no description available)
pn  firmware-qlogic               <none>     (no description available)
pn  firmware-ralink               <none>     (no description available)

-- debconf information:
  linux-image-2.6.26-2-686/postinst/bootloader-error-2.6.26-2-686:
  shared/kernel-image/really-run-bootloader: true
  linux-image-2.6.26-2-686/postinst/old-dir-initrd-link-2.6.26-2-686: true
  linux-image-2.6.26-2-686/preinst/overwriting-modules-2.6.26-2-686: true
  linux-image-2.6.26-2-686/postinst/bootloader-test-error-2.6.26-2-686:
  linux-image-2.6.26-2-686/postinst/depmod-error-2.6.26-2-686: false
  linux-image-2.6.26-2-686/preinst/bootloader-initrd-2.6.26-2-686: true
  linux-image-2.6.26-2-686/preinst/abort-overwrite-2.6.26-2-686:
  linux-image-2.6.26-2-686/preinst/abort-install-2.6.26-2-686:
  linux-image-2.6.26-2-686/postinst/depmod-error-initrd-2.6.26-2-686: false
  linux-image-2.6.26-2-686/postinst/create-kimage-link-2.6.26-2-686: true
  linux-image-2.6.26-2-686/preinst/failed-to-move-modules-2.6.26-2-686:
  linux-image-2.6.26-2-686/preinst/initrd-2.6.26-2-686:
  linux-image-2.6.26-2-686/preinst/lilo-has-ramdisk:
  linux-image-2.6.26-2-686/prerm/would-invalidate-boot-loader-2.6.26-2-686: true
  linux-image-2.6.26-2-686/postinst/kimage-is-a-directory:
  linux-image-2.6.26-2-686/postinst/old-initrd-link-2.6.26-2-686: true
  linux-image-2.6.26-2-686/preinst/elilo-initrd-2.6.26-2-686: true
  linux-image-2.6.26-2-686/preinst/lilo-initrd-2.6.26-2-686: true
  linux-image-2.6.26-2-686/prerm/removing-running-kernel-2.6.26-2-686: true
  linux-image-2.6.26-2-686/postinst/old-system-map-link-2.6.26-2-686: true


