
Re: Differences between zelenka and zandonai



On Sun, Oct 31, 2010 at 10:38:06AM +0100, Philipp Kern wrote:
> Mike,
> 
> on Sun, Oct 31, 2010 at 08:54:10AM +0100 you wrote the following:
> > Firefox uses a technique they call "frame poisoning" to mitigate
> > dangling pointer bugs. It reserves a poison area at a fixed location
> > in the address space (and tries other places if that can't be done)
> > and makes dangling pointers point there so that the application ends
> > up crashing instead of being exploitable.
> > 
> > There is a validation test in their test suite that verifies if that
> > technique works properly. While the upstream version doesn't support s390,
> > adding support for it is pretty straightforward. The only problem I have
> > now is that while this works properly on zelenka, it doesn't work on
> > zandonai during the test suite run part of the build.
> > 
> > Is there a difference in the kernel or hardware that would explain this
> > behaviour?
> 
> they are hosted on the same physical box, so there's no difference in hardware
> at all.  However, zandonai runs a backports kernel (2.6.32-bpo.5-s390x), and
> zelenka runs a release kernel (2.6.26-2-s390x).  I don't know why that is.
> 
> > I'm attaching the test program in question. It can be simply built with
> > g++ -o TestPoisonArea TestPoisonArea.cpp
> 
> Simply compiling and running it does seem to work, however.
> 
> (sid-s390-sbuild)buildd@zandonai:/build$ g++ -o TestPoisonArea TestPoisonArea.cpp
> (sid-s390-sbuild)buildd@zandonai:/build$ ./TestPoisonArea
> INFO | negative control allocated at 0x77fd9000
> INFO | positive control allocated at 0x77cac000
> INFO | poison area assumed at 0xf0dea000 (preferred addr)
> TEST-PASS | reading negative control
> TEST-PASS | executing negative control
> TEST-PASS | writing negative control
> TEST-PASS | reading positive control | Segmentation fault
> TEST-PASS | executing positive control | Segmentation fault
> TEST-PASS | writing positive control | Segmentation fault
> TEST-PASS | reading poison area | Segmentation fault
> TEST-PASS | executing poison area | Segmentation fault
> TEST-PASS | writing poison area | Segmentation fault

During the build, this is what happens:
INFO | negative control allocated at 0x40028000
INFO | positive control allocated at 0x4002a000
INFO | poison area assumed at 0xf0dea000 (preferred addr)
TEST-PASS | reading negative control
TEST-PASS | executing negative control
TEST-PASS | writing negative control
TEST-PASS | reading positive control | Segmentation fault
TEST-PASS | executing positive control | Segmentation fault
TEST-PASS | writing positive control | Segmentation fault
TEST-UNEXPECTED-FAIL | reading poison area
TEST-PASS | executing poison area | Illegal instruction
TEST-UNEXPECTED-FAIL | writing poison area

It's interesting to see the addresses used for negative and positive
control are significantly different, while running the program on
zelenka and zandonai by hand gives an address in 0x77xxxxxx.

Could that be related to personality?

Mike
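
Added example, not part of the original message and not Mozilla's TestPoisonArea.cpp: a reduced check of the property the log lines above test, namely that reads and writes to the poison page kill the process while a normal page stays usable. It assumes Linux and a PROT_NONE mmap reservation (the message does not say how Firefox reserves the area); map_page and probe are hypothetical helper names, and the process personality is printed so the by-hand and build environments can be compared.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <sys/wait.h>
#include <unistd.h>

#define POISON_HINT ((uintptr_t)0xf0dea000u) /* preferred addr from the logs above */

/* Map one page with the given protection; the address is only a hint, so the
 * kernel picks another place if it is unavailable (assumed fallback policy). */
static void *map_page(uintptr_t hint, int prot) {
    void *p = mmap((void *)hint, (size_t)sysconf(_SC_PAGESIZE), prot,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Touch addr in a forked child. Returns the signal that killed the child,
 * 0 if the access went through, -1 if the probe itself could not run. */
static int probe(volatile char *addr, int do_write) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (do_write) *addr = 1; else (void)*addr;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    volatile char *neg = map_page(0, PROT_READ | PROT_WRITE); /* must be usable */
    volatile char *poison = map_page(POISON_HINT, PROT_NONE); /* must fault */
    if (!neg || !poison) { perror("mmap"); return 2; }
    /* 0xffffffff queries the persona without changing it. */
    printf("personality 0x%x, poison page at %p%s\n", (unsigned)personality(0xffffffff),
           (void *)poison, (uintptr_t)poison == POISON_HINT ? " (preferred addr)" : "");
    int bad = probe(neg, 0) != 0 || probe(neg, 1) != 0;
    for (int w = 0; w < 2; w++) {
        int sig = probe(poison, w);
        printf("%s poison area: %s\n", w ? "writing" : "reading",
               sig > 0 ? "faulted (expected)" : "NOT faulting");
        bad |= sig <= 0;
    }
    return bad;
}
```

A non-zero exit status means an access to the poison page did not fault, or the control page was not usable, in the environment where the binary ran.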

