Re: anti-ROP mechanism in libc

Tue, 26 Apr 2016 15:52:36 -0700 

26 Apr. 2016 19:58 "Theo de Raadt" <[email protected]> wrote:
>
> Here is a new version that does a more comprehensive test of the new
> libc.so before installing it, and uses install -S
>
> Index: etc/rc
> ===================================================================
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.474
> diff -u -p -u -r1.474 rc
> --- etc/rc      29 Dec 2015 19:41:24 -0000      1.474
> +++ etc/rc      26 Apr 2016 11:56:46 -0000
> @@ -158,6 +158,35 @@ make_keys() {
>         ssh-keygen -A
>  }
>
> +rebuildlibs() {
> +       local _l _liba _libas _tmpdir
> +
> +       # Only choose newest
> +       for _liba in /usr/lib/libc.so.*.a; do
> +               _liba=$(ls ${_liba%%.[0-9]*}*.a | sort -n | tail -1)
> +               for _l in $_libas; do
> +                       [[ $_l == $_liba ]] && continue 2
> +               done
> +               _libas="$_libas $_liba"
> +       done

I'm afraid sort -n would not behave the way you probably think:

$ (echo 10.2; echo 10.10; echo 10.50) | sort -n
10.10
10.2
10.50

Also, you code does something strange, because $_liba will be always the
same thing in the loop.

> +       for _liba in $_libas; do
> +               _tmpdir=$(mktemp -dq /tmp/_librebuild.XXXXXXXXXXXX) || return
> +               (
> +                       set -o errexit
> +                       _lib=${_liba#/usr/lib/}
> +                       _lib=${_lib%.a}
> +                       cd $_tmpdir
> +                       ar x ${_liba}
> +                       cc -shared -o $_lib $(ls *.so | sort -R) $(cat .ldadd)
> +                       [[ -s $_lib ]] && file $_lib | fgrep -q 'shared 
> object'
> +                       LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN 
> {exit 0}'
> +                       install -S -o root -g bin -m 0444 $_lib /usr/lib/$_lib
> +               )
> +               rm -rf /tmp/_librebuild.${_tmpdir#*.}
> +       done
> +}

So I propose something like that instead:

find_newest() {
        set -x
        local _l _ls _bestmaj _bestmin _maj _min

        for _l in /usr/lib/lib$1.so.+([0-9]).+([0-9]); do
                _ls=${_l%.*}
                _maj=${_ls##*.}
                _min=${_l##*.}
                if [ _maj -gt _bestmaj -o \
                     _maj -eq _bestmaj -a _min -gt _bestmin ]; then
                        _bestmaj=$_maj
                        _bestmin=$_min
                fi
        done
        if [ -n $_bestmaj ]; then
                echo $_bestmaj.$_bestmin
        else
                return 1
        fi
}

rebuildlibs() {
        local _lib _tmpdir _v

        _v=$(find_newest c) || return
        _lib=libc.so.$_v
        _tmpdir=$(mktemp -dq /tmp/_librebuild.XXXXXXXXXXXX) || return
        (
                set -o errexit
                cd $_tmpdir
                ar x ${_lib}.a
                cc -shared -o $_lib $(ls *.so | sort -R) $(cat .ldadd)
                [[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
                LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
                install -S -o root -g bin -m 0444 $_lib /usr/lib/$_lib
        )
}

--
WBR,
  Vadim Zhukov

Reply via email to