Cutting this down a bit
>> Do the common MIPS CPUs support non executable stacks at all?

?

>> cpu_has_rixi is set to 0 for the ath79 SoCs for example, for lantiq some

Should this show up in /proc/cpuinfo? Or where?

>> automatic detection is done, but I haven't checked the result.

> ramips has RIXI enabled by default.

This is the result for procd:

>> @Dave: From which device did you get the map and which kernel is used there?

I wanted to note that the exploit of vfpu hard codes a mips little endian return statement, haven't got around to fiddling with big-endian.

Since everybody is looking at procd, here's a look at 3 platforms.

* The first map I think I got was from Reboot (17.01.4, r3560-79f57e422d), or perhaps it was from the edgerouter X, which I talk about further down in this message. To clarify: On a:

root@lupin-jeff:/proc/1# cat /proc/cpuinfo
system type             : Qualcomm Atheros QCA956X ver 1 rev 0
machine                 : Ubiquiti UniFi-AC-LITE
processor               : 0
cpu model               : MIPS 74Kc V5.0
BogoMIPS                : 385.84
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16 dsp dsp2
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

we get

root@lupin-jeff:/proc/1# cat maps
00400000-0040b000 r-xp 00000000 1f:04 999        /sbin/procd
0041a000-0041b000 r--p 0000a000 1f:04 999        /sbin/procd
0041b000-0041c000 rw-p 0000b000 1f:04 999        /sbin/procd
0041c000-0041e000 rwxp 00000000 00:00 0
00815000-0083c000 rwxp 00000000 00:00 0          [heap]
77d32000-77d54000 r-xp 00000000 1f:04 611        /lib/libgcc_s.so.1
77d54000-77d55000 rw-p 00012000 1f:04 611        /lib/libgcc_s.so.1
77d56000-77d67000 r-xp 00000000 1f:04 633        /lib/libjson_script.so
77d67000-77d68000 r--p 00001000 1f:04 633        /lib/libjson_script.so
77d68000-77d69000 rw-p 00002000 1f:04 633        /lib/libjson_script.so
77d6a000-77d7b000 r-xp 00000000 1f:04 655        /lib/libblobmsg_json.so
77d7b000-77d7c000 r--p 00001000 1f:04 655        /lib/libblobmsg_json.so
77d7c000-77d7d000 rw-p 00002000 1f:04 655        /lib/libblobmsg_json.so
77d7e000-77d94000 r-xp 00000000 1f:04 300        /usr/lib/libjson-c.so.2.0.2
77d94000-77d95000 r--p 00006000 1f:04 300        /usr/lib/libjson-c.so.2.0.2
77d95000-77d96000 rw-p 00007000 1f:04 300        /usr/lib/libjson-c.so.2.0.2
77d96000-77da9000 r-xp 00000000 1f:04 658        /lib/libubus.so
77da9000-77daa000 r--p 00003000 1f:04 658        /lib/libubus.so
77daa000-77dab000 rw-p 00004000 1f:04 658        /lib/libubus.so
77dac000-77dc3000 r-xp 00000000 1f:04 614        /lib/libubox.so
77dc3000-77dc4000 r--p 00007000 1f:04 614        /lib/libubox.so
77dc4000-77dc5000 rw-p 00008000 1f:04 614        /lib/libubox.so
77dc6000-77e58000 r-xp 00000000 1f:04 653        /lib/libc.so
77e65000-77e66000 r--p 00000000 00:00 0          [vvar]
77e66000-77e67000 r-xp 00000000 00:00 0          [vdso]
77e67000-77e69000 rw-p 00091000 1f:04 653        /lib/libc.so
77e69000-77e6b000 rwxp 00000000 00:00 0
7ff12000-7ff33000 rw-p 00000000 00:00 0          [stack]

However a specific check for ASLR - watching the dynamic relocs go for "cat", at least, everything except the first two (which is normal), is being relocated, and there appears to be no vfpu map here.

root@lupin-jeff:/proc/1# cat /proc/self/maps
00400000-0044b000 r-xp 00000000 1f:04 879        /bin/busybox
0045b000-0045c000 rw-p 0004b000 1f:04 879        /bin/busybox
7742a000-7744c000 r-xp 00000000 1f:04 611        /lib/libgcc_s.so.1
7744c000-7744d000 rw-p 00012000 1f:04 611        /lib/libgcc_s.so.1
7744e000-774e0000 r-xp 00000000 1f:04 653        /lib/libc.so
774ed000-774ee000 r--p 00000000 00:00 0          [vvar]
774ee000-774ef000 r-xp 00000000 00:00 0          [vdso]
774ef000-774f1000 rw-p 00091000 1f:04 653        /lib/libc.so
774f1000-774f3000 rwxp 00000000 00:00 0          # this DOES relocate
7f9ef000-7fa10000 rw-p 00000000 00:00 0          [stack]

So I think this processor + build are doing the "right thing".

* However, this is a wndr3800 with OpenWrt 18.06.1, r7258-5eb055306f

system type             : Atheros AR7161 rev 2
machine                 : NETGEAR WNDR3700/WNDR3800/WNDRMAC
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 452.19
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@couch:/proc/1# cat maps
00400000-0040b000 r-xp 00000000 1f:04 1027       /sbin/procd
0041a000-0041b000 r-xp 0000a000 1f:04 1027       /sbin/procd
0041b000-0041c000 rwxp 0000b000 1f:04 1027       /sbin/procd
0041c000-0041e000 rwxp 00000000 00:00 0
006f0000-00717000 rwxp 00000000 00:00 0          [heap]
77b20000-77b43000 r-xp 00000000 1f:04 1068       /lib/libgcc_s.so.1
77b43000-77b44000 rwxp 00013000 1f:04 1068       /lib/libgcc_s.so.1
77b44000-77b56000 r-xp 00000000 1f:04 1173       /lib/libjson_script.so
77b56000-77b57000 r-xp 00002000 1f:04 1173       /lib/libjson_script.so
77b57000-77b58000 rwxp 00003000 1f:04 1173       /lib/libjson_script.so
77b58000-77b69000 r-xp 00000000 1f:04 1043       /lib/libblobmsg_json.so
77b69000-77b6a000 r-xp 00001000 1f:04 1043       /lib/libblobmsg_json.so
77b6a000-77b6b000 rwxp 00002000 1f:04 1043       /lib/libblobmsg_json.so
77b6c000-77b82000 r-xp 00000000 1f:04 368        /usr/lib/libjson-c.so.2.0.2
77b82000-77b83000 r-xp 00006000 1f:04 368        /usr/lib/libjson-c.so.2.0.2
77b83000-77b84000 rwxp 00007000 1f:04 368        /usr/lib/libjson-c.so.2.0.2
77b84000-77b97000 r-xp 00000000 1f:04 1171       /lib/libubus.so
77b97000-77b98000 r-xp 00003000 1f:04 1171       /lib/libubus.so
77b98000-77b99000 rwxp 00004000 1f:04 1171       /lib/libubus.so
77b9a000-77bb1000 r-xp 00000000 1f:04 1063       /lib/libubox.so
77bb1000-77bb2000 r-xp 00007000 1f:04 1063       /lib/libubox.so
77bb2000-77bb3000 rwxp 00008000 1f:04 1063       /lib/libubox.so
77bb4000-77c46000 r-xp 00000000 1f:04 1044       /lib/libc.so
77c53000-77c54000 r--p 00000000 00:00 0          [vvar]
77c54000-77c55000 r-xp 00000000 00:00 0          [vdso]
77c55000-77c57000 rwxp 00091000 1f:04 1044       /lib/libc.so
77c57000-77c59000 rwxp 00000000 00:00 0
7f82c000-7f84d000 rw-p 00000000 00:00 0          [stack]
7ffff000-80000000 rwxp 00000000 00:00 0          # yep, fixed spot for math

root@couch:/proc/1# cat /proc/self/maps
00400000-0044c000 r-xp 00000000 1f:04 922        /bin/busybox
0045b000-0045c000 r-xp 0004b000 1f:04 922        /bin/busybox
0045c000-0045d000 rwxp 0004c000 1f:04 922        /bin/busybox
7769e000-776c1000 r-xp 00000000 1f:04 1068       /lib/libgcc_s.so.1
776c1000-776c2000 rwxp 00013000 1f:04 1068       /lib/libgcc_s.so.1
776c2000-77754000 r-xp 00000000 1f:04 1044       /lib/libc.so
77761000-77762000 r--p 00000000 00:00 0          [vvar]
77762000-77763000 r-xp 00000000 00:00 0          [vdso]
77763000-77765000 rwxp 00091000 1f:04 1044       /lib/libc.so
77765000-77767000 rwxp 00000000 00:00 0
7fc82000-7fca3000 rw-p 00000000 00:00 0          [stack]
7ffff000-80000000 rwxp 00000000 00:00 0          # everything relocates properly except this

* Just to add to the fun, here's that same generation wndr3800 from, I hope, the last cerowrt (wndr3800) box in the world.

BARRIER BREAKER (3.10.50-1, r41861)

root@lounge:/proc/1# cat maps
00400000-0040a000 r-xp 00000000 1f:04 481        /sbin/procd
00419000-0041a000 rw-p 00009000 1f:04 481        /sbin/procd
0041a000-0041c000 rwxp 00000000 00:00 0
005e1000-005fe000 rwxp 00000000 00:00 0          [heap]
7767e000-776d5000 r-xp 00000000 1f:04 238        /lib/libuClibc-0.9.33.2.so
776d5000-776e4000 ---p 00000000 00:00 0
776e4000-776e5000 r--p 00056000 1f:04 238        /lib/libuClibc-0.9.33.2.so
776e5000-776e6000 rw-p 00057000 1f:04 238        /lib/libuClibc-0.9.33.2.so
776e6000-776eb000 rw-p 00000000 00:00 0
776eb000-776ff000 r-xp 00000000 1f:04 178        /lib/libgcc_s.so.1
776ff000-7770e000 ---p 00000000 00:00 0
7770e000-7770f000 rw-p 00013000 1f:04 178        /lib/libgcc_s.so.1
7770f000-77711000 r-xp 00000000 1f:04 175        /lib/libjson_script.so
77711000-77721000 ---p 00000000 00:00 0
77721000-77722000 rw-p 00002000 1f:04 175        /lib/libjson_script.so
77722000-77724000 r-xp 00000000 1f:04 196        /lib/libblobmsg_json.so
77724000-77733000 ---p 00000000 00:00 0
77733000-77734000 rw-p 00001000 1f:04 196        /lib/libblobmsg_json.so
77734000-7773a000 r-xp 00000000 1f:04 1394       /usr/lib/libjson-c.so.2.0.1
7773a000-77749000 ---p 00000000 00:00 0
77749000-7774a000 rw-p 00005000 1f:04 1394       /usr/lib/libjson-c.so.2.0.1
7774a000-7774e000 r-xp 00000000 1f:04 157        /lib/libubus.so
7774e000-7775d000 ---p 00000000 00:00 0
7775d000-7775e000 rw-p 00003000 1f:04 157        /lib/libubus.so
7775e000-77764000 r-xp 00000000 1f:04 195        /lib/libubox.so
77764000-77773000 ---p 00000000 00:00 0
77773000-77774000 rw-p 00005000 1f:04 195        /lib/libubox.so
77774000-7777b000 r-xp 00000000 1f:04 155        /lib/ld-uClibc-0.9.33.2.so
77789000-7778a000 rw-p 00000000 00:00 0
7778a000-7778b000 r--p 00006000 1f:04 155        /lib/ld-uClibc-0.9.33.2.so
7778b000-7778c000 rw-p 00007000 1f:04 155        /lib/ld-uClibc-0.9.33.2.so
7778c000-7778d000 rw-p 00000000 00:00 0
7fd63000-7fd84000 rwxp 00000000 00:00 0          [stack]
7fff7000-7fff8000 r-xp 00000000 00:00 0          [vdso]

* Lastly, this is an edgerouter X, the only little endian mips box I have, running OpenWrt 18.06.1, r7258-5eb055306f

In this case its linkage for procd includes the

7ffff000-80000000 rwxp 00000000 00:00 0

I have confirmed you can scribble on and execute code from the vfpu area on this chip with a mildly updated bit of mudge & co's code. I'm still scratching my head as to what you could do with this capability.

root@edgerouterx:/tmp# cat /proc/cpuinfo
system type             : MediaTek MT7621 ver:1 eco:3
machine                 : UBNT-ERX
processor               : 0
cpu model               : MIPS 1004Kc V2.15
BogoMIPS                : 584.90
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VPE                     : 0
VCED exceptions         : not available
VCEI exceptions         : not available
... the other 3 processors elided ...

root@edgerouterx:/tmp# cat /proc/1/maps
00400000-0040b000 r-xp 00000000 fe:00 976        /sbin/procd
0041a000-0041b000 r-xp 0000a000 fe:00 976        /sbin/procd
0041b000-0041c000 rwxp 0000b000 fe:00 976        /sbin/procd
0041c000-0041e000 rwxp 00000000 00:00 0
005a6000-005ce000 rwxp 00000000 00:00 0          [heap]
77ddf000-77e02000 r-xp 00000000 fe:00 1014       /lib/libgcc_s.so.1
77e02000-77e03000 rwxp 00013000 fe:00 1014       /lib/libgcc_s.so.1
77e03000-77e15000 r-xp 00000000 fe:00 1101       /lib/libjson_script.so
77e15000-77e16000 r-xp 00002000 fe:00 1101       /lib/libjson_script.so
77e16000-77e17000 rwxp 00003000 fe:00 1101       /lib/libjson_script.so
77e17000-77e28000 r-xp 00000000 fe:00 992        /lib/libblobmsg_json.so
77e28000-77e29000 r-xp 00001000 fe:00 992        /lib/libblobmsg_json.so
77e29000-77e2a000 rwxp 00002000 fe:00 992        /lib/libblobmsg_json.so
77e2a000-77e40000 r-xp 00000000 fe:00 358        /usr/lib/libjson-c.so.2.0.2
77e40000-77e41000 r-xp 00006000 fe:00 358        /usr/lib/libjson-c.so.2.0.2
77e41000-77e42000 rwxp 00007000 fe:00 358        /usr/lib/libjson-c.so.2.0.2
77e42000-77e56000 r-xp 00000000 fe:00 1100       /lib/libubus.so
77e56000-77e57000 r-xp 00004000 fe:00 1100       /lib/libubus.so
77e57000-77e58000 rwxp 00005000 fe:00 1100       /lib/libubus.so
77e58000-77e6f000 r-xp 00000000 fe:00 1010       /lib/libubox.so
77e6f000-77e70000 r-xp 00007000 fe:00 1010       /lib/libubox.so
77e70000-77e71000 rwxp 00008000 fe:00 1010       /lib/libubox.so
77e71000-77f03000 r-xp 00000000 fe:00 993        /lib/libc.so
77f0f000-77f11000 r--p 00000000 00:00 0          [vvar]
77f11000-77f12000 r-xp 00000000 00:00 0          [vdso]
77f12000-77f14000 rwxp 00091000 fe:00 993        /lib/libc.so
77f14000-77f16000 rwxp 00000000 00:00 0
7fef7000-7ff18000 rw-p 00000000 00:00 0          [stack]
7ffff000-80000000 rwxp 00000000 00:00 0

>> Hauke

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
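The maps above are being read by eye for three things: which mappings are writable and executable at the same time, whether the fixed 7ffff000-80000000 rwxp page (the "vfpu" page the message talks about) is present, and whether the libraries of a freshly started process actually land at a different address each time. As an added example that is not part of the thread (my script, not Dave's, Hauke's or the OpenWrt project's), here is a POSIX sh + awk scan that automates those three checks so they can be run on a busybox-based box instead of reading the output by hand. The snapshots embedded in it are constructed for the demo, with made-up addresses in /proc/PID/maps format; the fixed-page address is taken from the message above, and whether that page exists at all on a given kernel is an assumption the script only tests, not something it knows.

```shell
#!/bin/sh
# Added example (not from the thread): scan /proc/PID/maps output for
# W+X mappings, the fixed 7ffff000-80000000 page, and library relocation.
# Only sh and awk are used so it runs on a busybox-based OpenWrt device.

# Print every mapping whose permission field has both w and x.
rwx_mappings() {
    awk '$2 ~ /w/ && $2 ~ /x/'
}

# Number of W+X mappings on stdin (0 when there are none).
rwx_count() {
    rwx_mappings | awk 'END { print NR }'
}

# Exit 0 if the page just below the 2 GiB boundary is mapped executable
# (the fixed rwxp page seen in the wndr3800 and edgerouter X maps above).
has_fixed_top_page() {
    awk '$1 == "7ffff000-80000000" && $2 ~ /x/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Start address of the first mapping backed by the given path; empty if none.
mapping_start() {
    awk -v path="$1" '$6 == path { sub(/-.*/, "", $1); print $1; exit }'
}

# Compare where PATH was loaded in two maps snapshots.  Exit 0 when the
# address differs (relocated), 1 when it is the same or missing from either.
relocated_between() {
    a=$(printf '%s\n' "$2" | mapping_start "$1")
    b=$(printf '%s\n' "$3" | mapping_start "$1")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Constructed sample snapshots (invented addresses, /proc/PID/maps format).
# SNAP_A and SNAP_B stand in for two successive `cat /proc/self/maps` runs
# on a box with the fixed top page; SNAP_C is a box without it.
SNAP_A='00400000-0044c000 r-xp 00000000 1f:04 922 /bin/busybox
0045c000-0045d000 rwxp 0004c000 1f:04 922 /bin/busybox
776c2000-77754000 r-xp 00000000 1f:04 1044 /lib/libc.so
77763000-77765000 rwxp 00091000 1f:04 1044 /lib/libc.so
77765000-77767000 rwxp 00000000 00:00 0
7fc82000-7fca3000 rw-p 00000000 00:00 0 [stack]
7ffff000-80000000 rwxp 00000000 00:00 0'
SNAP_B='00400000-0044c000 r-xp 00000000 1f:04 922 /bin/busybox
0045c000-0045d000 rwxp 0004c000 1f:04 922 /bin/busybox
77a10000-77aa2000 r-xp 00000000 1f:04 1044 /lib/libc.so
77ab1000-77ab3000 rwxp 00091000 1f:04 1044 /lib/libc.so
77ab3000-77ab5000 rwxp 00000000 00:00 0
7fd00000-7fd21000 rw-p 00000000 00:00 0 [stack]
7ffff000-80000000 rwxp 00000000 00:00 0'
SNAP_C='00400000-0044b000 r-xp 00000000 1f:04 879 /bin/busybox
0045b000-0045c000 rw-p 0004b000 1f:04 879 /bin/busybox
7744e000-774e0000 r-xp 00000000 1f:04 653 /lib/libc.so
774ef000-774f1000 rw-p 00091000 1f:04 653 /lib/libc.so
774f1000-774f3000 rwxp 00000000 00:00 0
7f9ef000-7fa10000 rw-p 00000000 00:00 0 [stack]'

# Summarise one snapshot.  On a device, feed it "$(cat /proc/1/maps)" etc.
report() {
    name=$1; snap=$2
    printf '%s: %s W+X mapping(s)\n' "$name" "$(printf '%s\n' "$snap" | rwx_count)"
    if printf '%s\n' "$snap" | has_fixed_top_page; then
        printf '%s: fixed rwx page at 7ffff000-80000000 present\n' "$name"
    else
        printf '%s: no fixed rwx page at 7ffff000-80000000\n' "$name"
    fi
}

report SNAP_A "$SNAP_A"
report SNAP_C "$SNAP_C"
# Live version of the cat-based relocation check from the message:
#   s1=$(cat /proc/self/maps); s2=$(cat /proc/self/maps)
# each cat is a fresh process, so /proc/self is a different "cat" each time.
if relocated_between /lib/libc.so "$SNAP_A" "$SNAP_B"; then
    echo "libc moved between SNAP_A and SNAP_B: relocated"
else
    echo "libc at the same address in both snapshots: not relocated"
fi
```

Two things to keep in mind when running this on a real box: `mapping_start` keys on the path in column 6, so it reports the first mapping of that file (its text segment), and a process that is itself statically linked, like the busybox `cat` here, only tells you about its shared libraries and anonymous mappings, not about the main executable, which stays at 0x400000 on all four devices above.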