paxtest里面对于heap的测试结果:
Heap randomisation test (ET_EXEC) : 22 quality bits (guessed)
Heap randomisation test (PIE) : 35 quality bits (guessed)
-------------------------------------------------------------------------------
--------------------------------------------------------------------------------
在 load_elf_binary 函数中, 对 heap 的随机化有两个分支: 一是 e_type 为 ET_EXEC 的普通可执行程序, 二是 e_type 为 ET_DYN 的程序 (PIE / 动态链接的程序)
loc->elf_ex.e_type != ET_DYN时,load_bias=0
loc->elf_ex.e_type == ET_DYN时, load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
1. load_bias=0 时
((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4)的随机bit分布
| 63~42 | 41~40 | 39~32 | 31~26 | 25~12 | 11~4 | 3~0 |
|-------|-------|-------|-------|-------|------|-----|
|   0   |   0   |   0   |   0   | 随机  | 随机 |  0  |
因此这一分支下 heap 的随机 bit 共 22 bit, 即 bit 4~25 (对应 paxtest 的 ET_EXEC 结果: 22 quality bits)
elf_brk += load_bias;
.....
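#ifdef CONFIG_PAX_RANDMMAP
/*
 * PaX heap randomisation (excerpt from load_elf_binary): reserve a
 * randomly sized, page-aligned gap right after the last loaded segment
 * so that the initial brk start (set_brk below) lands at a randomised
 * address.  "size" carries 22 random bits in bit positions 4..25; the
 * added PAGE_SIZE presumably keeps the gap non-empty when the random
 * part is 0.  The gap is mapped with only VM_DONTEXPAND | VM_RESERVED,
 * i.e. no VM_READ/VM_WRITE — it is a reservation, not usable memory.
 *
 * Note: the original listing shows "¤t", which is "&current" mangled
 * by HTML entity decoding; it is restored here.
 */
if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
	unsigned long start, size, flags, vm_flags;

	start = ELF_PAGEALIGN(elf_brk);
	/* 22 random bits: (random & (2^22 - 1)) << 4  ->  bits 4..25 of size */
	size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
	flags = MAP_FIXED | MAP_PRIVATE;
	vm_flags = VM_DONTEXPAND | VM_RESERVED;

	down_write(&current->mm->mmap_sem);
	start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
	retval = -ENOMEM;
	/* only map if the hint was honoured and nothing already lives there */
	if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
		// if (current->personality & ADDR_NO_RANDOMIZE)
		// 	vm_flags |= VM_READ | VM_MAYREAD;
		start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0);
		retval = IS_ERR_VALUE(start) ? start : 0;
	}
	up_write(&current->mm->mmap_sem);

	/* brk begins immediately after the reserved gap */
	if (retval == 0)
		retval = set_brk(start + size, start + size + PAGE_SIZE);
	if (retval < 0) {
		/* failure to set up the randomised brk is fatal for the new image */
		send_sig(SIGKILL, current, 0);
		goto out_free_dentry;
	}
}
#endif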
2. load_bias != 0 时, 即 loc->elf_ex.e_type == ET_DYN 的情况
/* PAX_DELTA_MMAP_LEN=27, load_bias 的bit12~38为随机产生 */
load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
所以当 loc->elf_ex.e_type == ET_DYN 时, load_bias 使 bit 12~38 随机, size 使 bit 4~25 随机; 两者相加 (elf_brk += load_bias, 再 start + size) 后, brk 起始地址的 bit 4~38 都受随机影响, 共 35 个 bit 位, 与 paxtest 报告的 35 quality bits 一致. 需要注意这 35 bit 指的是受随机影响的 bit 位范围: 两个随机量是相加而非逐位独立, 重叠的 bit 12~25 并不各自贡献独立的熵, 所以实际熵略低于 35 bit, paxtest 标注的 (guessed) 也表明这是一个估计值.
下面是 load_elf_binary 函数中关于 load_bias 的处理 (节选)
} else if (loc->elf_ex.e_type == ET_DYN) {
/* Try and get dynamic programs out of the way of the
* default mmap base, as well as whatever program they
* might try to exec. This is because the brk will
* follow the loader, and is not movable. */
#if defined(CONFIG_X86) || defined(CONFIG_ARM)
/* Memory randomization might have been switched off
* in runtime via sysctl.
* If that is the case, retain the original non-zero
* load_bias value in order to establish proper
* non-randomized mappings.
*/
if (current->flags & PF_RANDOMIZE)
load_bias = 0;
else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
#ifdef CONFIG_PAX_RANDMMAP
/* PaX: randomize base address at the default exe base if requested */
if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
#ifdef CONFIG_SPARC64
load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
#else
/* PAX_DELTA_MMAP_LEN=27, load_bias 的bit12~38为随机产生 */
load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
#endif
load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
elf_flags |= MAP_FIXED;
}
#endif
}
-------------------