4,436
社区成员
发帖
与我相关
我的任务
分享开启内核栈保护选项CONFIG_CC_STACKPROTECTOR_STRONG,编译内核模块时不生效
各位大侠帮忙看下为什没有插入栈保护指令,谢谢! 具体操作如下:
在ubuntu16.04(gcc-5.3.1, linux-4.4.0 )下,默认开启CONFIG_CC_STACKPROTECTOR_STRONG。
编译内核模块,Makefile和源文件stack.c如下:
Makefile:
obj-m = stack.o
KERNELDIR=/usr/src/kernels/4.4.0-21-generic/build
all:
make -C $(KERNELDIR) M=$(shell pwd) modules
clean:
make -C $(KERNELDIR) M=$(shell pwd) clean
stack.c:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>
static int func(void)
{
char buf[8];
memset(buf, 0, 64);
return 0;
}
static int __init stack_init(void)
{
printk("stack init .......\n");
func();
return 0;
}
static void __exit stack_exit(void)
{
printk("stack exit ......\n");
return;
}
module_init(stack_init);
module_exit(stack_exit);
MODULE_LICENSE("GPL");
将编译出来的stack.ko进行反汇编,发现没有添加插入栈保护指令(canary):
#objdump -d stack.ko
stack.ko: file format elf64-x86-64
Disassembly of section .init.text:
0000000000000000 <init_module>:
0: 55 push %rbp
1: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
8: 48 89 e5 mov %rsp,%rbp
b: e8 00 00 00 00 callq 10 <init_module+0x10>
10: 31 c0 xor %eax,%eax
12: 5d pop %rbp
13: c3 retq
Disassembly of section .exit.text:
0000000000000000 <cleanup_module>:
0: 55 push %rbp
1: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
8: 48 89 e5 mov %rsp,%rbp
b: e8 00 00 00 00 callq 10 <cleanup_module+0x10>
10: 5d pop %rbp
11: c3 retq
#objdump -r stack.ko
stack.ko: file format elf64-x86-64
RELOCATION RECORDS FOR [.init.text]:
OFFSET TYPE VALUE
0000000000000004 R_X86_64_32S .rodata.str1.1
000000000000000c R_X86_64_PC32 printk-0x0000000000000004
RELOCATION RECORDS FOR [.exit.text]:
OFFSET TYPE VALUE
0000000000000004 R_X86_64_32S .rodata.str1.1+0x0000000000000014
000000000000000c R_X86_64_PC32 printk-0x0000000000000004
RELOCATION RECORDS FOR [.gnu.linkonce.this_module]:
OFFSET TYPE VALUE
0000000000000180 R_X86_64_64 init_module
0000000000000338 R_X86_64_64 cleanup_module
在ubuntu16.04(gcc-5.3.1, linux-4.4.0 )下,默认开启CONFIG_CC_STACKPROTECTOR_STRONG。
编译内核模块,Makefile和源文件stack.c如下:
Makefile:
obj-m = stack.o
KERNELDIR=/usr/src/kernels/4.4.0-21-generic/build
all:
make -C $(KERNELDIR) M=$(shell pwd) modules
clean:
make -C $(KERNELDIR) M=$(shell pwd) clean
stack.c:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>
static int func(void)
{
char buf[8];
memset(buf, 0, 64);
return 0;
}
static int __init stack_init(void)
{
printk("stack init .......\n");
func();
return 0;
}
static void __exit stack_exit(void)
{
printk("stack exit ......\n");
return;
}
module_init(stack_init);
module_exit(stack_exit);
MODULE_LICENSE("GPL");
将编译出来的stack.ko进行反汇编,发现没有添加插入栈保护指令(canary):
#objdump -d stack.ko
stack.ko: file format elf64-x86-64
Disassembly of section .init.text:
0000000000000000 <init_module>:
0: 55 push %rbp
1: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
8: 48 89 e5 mov %rsp,%rbp
b: e8 00 00 00 00 callq 10 <init_module+0x10>
10: 31 c0 xor %eax,%eax
12: 5d pop %rbp
13: c3 retq
Disassembly of section .exit.text:
0000000000000000 <cleanup_module>:
0: 55 push %rbp
1: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
8: 48 89 e5 mov %rsp,%rbp
b: e8 00 00 00 00 callq 10 <cleanup_module+0x10>
10: 5d pop %rbp
11: c3 retq
#objdump -r stack.ko
stack.ko: file format elf64-x86-64
RELOCATION RECORDS FOR [.init.text]:
OFFSET TYPE VALUE
0000000000000004 R_X86_64_32S .rodata.str1.1
000000000000000c R_X86_64_PC32 printk-0x0000000000000004
RELOCATION RECORDS FOR [.exit.text]:
OFFSET TYPE VALUE
0000000000000004 R_X86_64_32S .rodata.str1.1+0x0000000000000014
000000000000000c R_X86_64_PC32 printk-0x0000000000000004
RELOCATION RECORDS FOR [.gnu.linkonce.this_module]:
OFFSET TYPE VALUE
0000000000000180 R_X86_64_64 init_module
0000000000000338 R_X86_64_64 cleanup_module
...全文
请发表友善的回复…
发表回复
nswcfd 2016-11-25
- 打赏
- 举报
楼主的例子里可能8不够大。
nswcfd 2016-11-25
- 打赏
- 举报
启用的标识是编译的时候有-fstack-protector,可以编译的时候make V=1确认一下。
但-fstack-protector不是100%会生成carnary,好像有条件的,至少栈上得有个比较大的数组。
不太确定,楼主再研究一下吧。可以查一下gcc的官方文档。
xiaotay 2016-11-23
- 打赏
- 举报
参考这篇文章:https://my.oschina.net/macwe/blog/610357
至少反汇编之后应该可以看到下面类似的信息 ,比如: __stack_chk_fail , mov %gs:0x28,%rax
[root@localhost stackpk]# objdump -r test.ko
RELOCATION RECORDS FOR [.text]:
OFFSET TYPE VALUE
0000000000000061 R_X86_64_PC32 __stack_chk_fail-0x0000000000000004
......
[root@localhost stackpk]# objdump -d test.ko
0000000000000000 <foo>:
......
# 函数开头,往栈里插入canary
24: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
2d: 48 89 45 f8 mov %rax,-0x8(%rbp)
......
# 函数返回,检查canary
4a: 48 8b 45 f8 mov -0x8(%rbp),%rax
4e: 65 48 33 04 25 28 00 xor %gs:0x28,%rax
57: 75 02 jne 5b <foo+0x5b>
59: c9 leaveq
5a: c3 retq
5b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
60: e8 00 00 00 00 callq 65 <foo+0x65> # __stack_chk_fail
