public inbox for cygwin@cygwin.com
* Is there an API to remove ALSR in Cygwin 3.4.0?
@ 2022-11-12 11:28 Christian Jullien
  2022-11-12 14:50 ` Corinna Vinschen
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Jullien @ 2022-11-12 11:28 UTC (permalink / raw)
  To: cygwin


Hello Cygwin team,

First, I would like to thank you for your efforts on Cygwin all of these
years.

I'm asking if there will be an API to remove ASLR with an API as on Linux:

#if defined(__linux__)
        /*
         * ADDR_NO_RANDOMIZE exists since Linux 2.6.12 (declared in
         * <sys/personality.h>; execv needs <unistd.h>).
         * With this flag set, address-space-layout randomization is
         * disabled for the process, and the persona is inherited across
         * execv, which is what the re-exec below relies on.
         *
         * Not tested, but gcc could remove ASLR with the following flags:
         * gcc -fno-stack-protector -z execstack -no-pie ...
         */
        const int oldpersonality = personality(ADDR_NO_RANDOMIZE);

        /*
         * It's important to test the non-zero-ness of & ADDR_NO_RANDOMIZE
         * and not equality, otherwise we may go into an infinite loop
         * with execv.  personality() returns -1 on error, which has every
         * bit set, so a failed first call also skips the re-exec.
         */
        if (!(oldpersonality & ADDR_NO_RANDOMIZE)) {
                /*
                 * Disabling ASLR was requested by the first personality
                 * call, but an error may have been returned.  Call
                 * personality a second time to verify the flag has
                 * really been set, then re-exec ourselves so the new
                 * persona takes effect.
                 */
                const int newpersonality = personality(ADDR_NO_RANDOMIZE);

                if (newpersonality & ADDR_NO_RANDOMIZE) {
                        execv(argv[0], argv);
                }
        }
#endif

Or as on macOS:

        if (spawned == 0) {
                short ps_flags = 0;
                pid_t pid;
                posix_spawn_file_actions_t actions;
                posix_spawnattr_t attrs;

                cargv[cargc++] = (char *)"--noaslr";
                cargv[cargc]   = NULL;

                (void)posix_spawn_file_actions_init(&actions);
                (void)posix_spawnattr_init(&attrs);

                /*
                 * POSIX_SPAWN_SETEXEC makes posix_spawnp replace the
                 * current process like exec instead of forking a child;
                 * _POSIX_SPAWN_DISABLE_ASLR is a private XNU flag that is
                 * not declared in the public SDK headers.
                 */
                ps_flags |= POSIX_SPAWN_SETEXEC;
                ps_flags |= _POSIX_SPAWN_DISABLE_ASLR;
                ret = posix_spawnattr_setflags(&attrs, ps_flags);

                if (ret != 0) {
                        (void)fprintf(stderr,
                                      "%s: cannot set posix_spawn flags.\n",
                                      argv[0]);
                        free(cargv);
                        return ret;
                }

                (void)posix_spawnp(&pid,
                                   cargv[0],
                                   &actions,
                                   &attrs,
                                   cargv,
                                   envp);
                /*
                 * returns only if posix_spawnp fails.
                 */
                (void)posix_spawnattr_destroy(&attrs);
        }

Allowing ASLR to be removed with an API allows an application to decide what
to do (from the command line, for example: ./myapp --no-alsr --save-core
saved-image.cor; ./myapp --no-alsr --use-core saved-image.cor).

My preference goes to personality support the way it is done on Linux. If a
gcc flag already exists, it will force a mode instead of leaving this option
to the end user.

My Lisp (OpenLisp) has an optional feature named 'execore' which combines the
lisp binary and a saved image into a single executable, which of course fails
to run if ASLR is on.

For me, it's a wish, not a strong request.

Christian

* Re: Is there an API to remove ALSR in Cygwin 3.4.0?
  2022-11-12 11:28 Is there an API to remove ALSR in Cygwin 3.4.0? Christian Jullien
@ 2022-11-12 14:50 ` Corinna Vinschen
  0 siblings, 0 replies; 2+ messages in thread
From: Corinna Vinschen @ 2022-11-12 14:50 UTC (permalink / raw)
  To: cygwin; +Cc: Christian Jullien

On Nov 12 12:28, Christian Jullien wrote:
> Hello Cygwin team,
> 
> First, I would like to thank you for your efforts on Cygwin all of these
> years.
> 
> I'm asking if there will be an API to remove ASLR with an API as on Linux:

Please note that, for the time being, ASLR will only be enabled on the
Cygwin DLL itself.  All other DLLs as well as the Cygwin executables are
still non-ASLRed.  We're looking into introducing ASLR step by step.

Right now the Cygwin toolchain creates non-ASLRed EXEs and DLLs by
default.  This is supposed to change in a while.  Also, we might change
the auto-rebase mechanism (basically the script running as post-install
script when setup-x86_64 finishes up) to enable ASLR on DLLs.  EXEs are
not so important from my POV, but as soon as we tweaked the toolchain,
more and more EXEs will be ASLRed automagically as well.

One thing we can only use partially, because it's bound to break
Cygwin's fork and exec, is High Entropy ASLR.  Naturally, this would
only work for executables which never fork or exec other processes.

Having said that, there's no API for this yet in Cygwin.  There is an
API in Windows to control (among others) the ASLR setting of a process
at creation time, see
https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute
settings called

  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON
  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF

and

  PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
  PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_OFF

However, we don't have an API for that, yet. We could add it to Cygwin
at one point.  I'd prefer the Linux-personality call, too, but funny
enough, ADDR_NO_RANDOMIZE would be the only flag we could support.

What we *do* have already is the peflags tool from the rebase package:

  $ peflags -d0 -e0 foo.exe

This example would disable ASLR on the foo.exe executable.  Maybe that's
a workaround for the time being.


Corinna
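As an added example (not code from this thread, from Cygwin, or from the rebase package), the following Python reads the two DllCharacteristics bits that `peflags -d` and `-e` toggle, so an administrator can audit which EXEs and DLLs actually opt in to ASLR, and `set_aslr_flags` rewrites them on an in-memory copy the way `peflags -d0 -e0` would on disk. Field offsets come from the PE/COFF specification; `sample_pe32plus` builds a constructed, header-only image purely for the demo.

```python
"""Inspect (and emulate peflags -d/-e on) the ASLR bits of a PE image in memory."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # peflags -d / --dynamicbase: opt in to ASLR
HIGH_ENTROPY_VA = 0x0020  # peflags -e / --high-entropy-va: 64-bit high-entropy ASLR
PE32_PLUS_MAGIC = 0x20B

def _dllchar_offset(image: bytes) -> int:
    """File offset of DllCharacteristics: DOS header (e_lfanew at 0x3C), PE signature,
    20-byte COFF header, then offset 70 of the optional header for PE32 and PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_size = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    return e_lfanew + 4 + 20 + 70

def aslr_flags(image: bytes) -> dict:
    """Report whether the image opts in to ASLR and to high-entropy (64-bit) ASLR."""
    off = _dllchar_offset(image)
    chars = struct.unpack_from("<H", image, off)[0]
    magic = struct.unpack_from("<H", image, off - 70)[0]  # optional header Magic
    return {"dynamicbase": bool(chars & DYNAMIC_BASE),
            "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
            "pe32plus": magic == PE32_PLUS_MAGIC}

def set_aslr_flags(image: bytes, dynamicbase: bool, high_entropy_va: bool) -> bytes:
    """Copy of image with both bits rewritten, as peflags -d{0,1} -e{0,1} does on disk."""
    off = _dllchar_offset(image)
    buf = bytearray(image)
    chars = struct.unpack_from("<H", buf, off)[0] & ~(DYNAMIC_BASE | HIGH_ENTROPY_VA)
    chars |= (DYNAMIC_BASE if dynamicbase else 0) | (HIGH_ENTROPY_VA if high_entropy_va else 0)
    struct.pack_into("<H", buf, off, chars)
    return bytes(buf)

def sample_pe32plus(dll_characteristics: int) -> bytes:
    """Constructed header-only PE32+ image for the demo (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run `aslr_flags(open("foo.exe", "rb").read())` against a real binary to see the same bits `peflags foo.exe` prints; any other DllCharacteristics bits (NX compat, etc.) are left untouched by `set_aslr_flags`.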
