On 11/02/24 18:29, John Paul Adrian Glaubitz wrote:
> On Sun, 2024-02-11 at 14:05 +0100, Michael Karcher wrote:
>> That reproducer did not work reliably under all circumstances, because
>> the stack limit was guessed to be 8K to 12K from the current stack
>> pointer, which is not always correct. The size of the stack at the start
>> of main depends on the size of the environment. Please find attached a
>> more robust reproducer.
> 
> I can also reproduce it on kernel 3.2.0 with glibc 2.13 on both 32-bit and
> 64-bit SPARC:
> 
> root@debian:~# gcc -m64 more_clone_attack.c -o more_clone_attack
> root@debian:~# file more_clone_attack
> more_clone_attack: ELF 64-bit MSB executable, SPARC V9, relaxed memory ordering, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26,
> BuildID[sha1]=0xb85b22284c93e15dc5ce002c332748d831b50b33, not stripped
> root@debian:~# ./more_clone_attack
> effective FP in clone() with waste 0 = 7feff9d1800
> this is 768 64-bit words above the next page boundary
> clone: Bad address
> Problem detected at 0 pages distance
> root@debian:~# uname -a
> Linux debian 3.2.0-4-sparc64 #1 Debian 3.2.78-1 sparc64 GNU/Linux
> root@debian:~# dpkg -l libc6
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version      Architecture Description
> +++-==============-============-============-=================================
> ii  libc6:sparc    2.13-38+deb7 sparc        Embedded GNU C Library: Shared li
> root@debian:~#
> 
> root@debian:~# gcc more_clone_attack.c -o more_clone_attack
> root@debian:~#
> root@debian:~# ./more_clone_attack
> effective FP in clone() with waste 0 = ff991c4000010e57
> this is 458 64-bit words above the next page boundary
> clone: Bad address
> Problem detected at 2 pages distance
> root@debian:~# uname -a
> Linux debian 3.2.0-4-sparc64 #1 Debian 3.2.78-1 sparc64 GNU/Linux
> root@debian:~# dpkg -l libc6
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version      Architecture Description
> +++-==============-============-============-=================================
> ii  libc6:sparc    2.13-38+deb7 sparc        Embedded GNU C Library: Shared li
> root@debian:~#
> 
> Adrian

It fails on the two different sparc64 machines I usually use for glibc
testing as well:

azanella@catbus ~ $ /lib64/libc.so.6 | head -n 1
GNU C Library (Gentoo 2.38-r9 (patchset 9)) stable release version 2.38.
azanella@catbus ~ $ uname -a
Linux catbus.sparc.dev.gentoo.org 6.1.72 #1 SMP Fri Jan 12 15:00:51 PST 2024 sparc64 sun4v UltraSparc T5 (Niagara5) GNU/Linux
azanella@catbus ~ $ ./more_clone_attack
effective FP in clone() with waste 0 = 7feffee09f0
this is 318 64-bit words above the next page boundary
clone: Bad address
Problem detected at 1 pages distance

azanella@ravirin:~$ /lib/sparc64-linux-gnu/libc.so.6 | head -n 1
GNU C Library (Debian GLIBC 2.37-15) stable release version 2.37.
azanella@ravirin:~$ uname -a
Linux ravirin 4.19.0-5-sparc64 #1 Debian 4.19.37-6 (2019-07-18) sparc64 GNU/Linux
azanella@ravirin:~$ ./more_clone_attack
effective FP in clone() with waste 0 = 7feffa3ae50
this is 458 64-bit words above the next page boundary
clone: Bad address
Problem detected at 1 pages distance

And I see similar failures on qemu as well.