From: "sattdeepan.d at samsung dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/111518] New: relro protection not working in riscv
Date: Thu, 21 Sep 2023 12:35:20 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111518

            Bug ID: 111518
           Summary: relro protection not working in riscv
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sattdeepan.d at samsung dot com
  Target Milestone: ---

-z,relro and/or -z,now flag not working on riscv arch.
Address of printf overwritten to custom address passed as argument, but it is
expected to be readonly when full relro protection is enabled.

Test code to reproduce (test_relro.c):
-----------------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    /* Treat argv[1] as a hex address and write a marker value to it. */
    size_t *p = (size_t *) strtol(argv[1], NULL, 16);
    p[0] = 0xdeadbeef;
    /* This call goes through the GOT slot that was just targeted. */
    printf("RELRO: %p\n", (void *) p);
    return 0;
}
-----------------------------------------------

Steps to reproduce:
1. Turn off ASLR:
   echo 0 > /proc/sys/kernel/randomize_va_space
1. Compile with -z,relro,-z,now flag:
   gcc -g -Wl,-z,norelro -O0 -o test_partial test_relro.c
2. Check printf address in GOT:
   sattdeepan@sri-9052:~$ objdump -R test_partial | grep printf
   0000000000012020 R_RISCV_JUMP_SLOT  printf@GLIBC_2.27
3. Running with gdb:
   gdb -q test_partial
4. Get load address of printf function:
   - + 0x10586 - 0x10586 + 0x12020 ==> 0x12020
5. Pass load address of main as argument
   gdb-peda$ r 0x12020
   Starting program: /home/user/test_full_riscv 0x12020
   [Thread debugging using libthread_db enabled]
   Using host libthread_db library "/lib/riscv64-linux-gnu/libthread_db.so.1".

   Program received signal SIGSEGV, Segmentation fault.
   Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
   Use 'set logging enabled off'.

   Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
   Use 'set logging enabled on'.

   0x00000000deadbeee in ?? () ====> address of printf overwritten to custom address passed as argument, but it is expected to be readonly
   gdb-peda$