What is the memory region?

baisheng_wang baisheng_wang at 163.com
Fri Mar 8 03:59:37 EST 2013


Thanks, Prabhunath!

Great detail, very helpful!

Regards,
Jacky

On 2013-03-08 15:37:27, "Prabhu nath" <gprabhunath at gmail.com> wrote:

On Thu, Mar 7, 2013 at 7:38 PM, Jacky <jackyclivia at 163.com> wrote:


Thanks Prabhunath!

The following is the section header table:
==============================
 readelf -S /bin/cat

There are 28 section headers, starting at offset 0xb260:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048154 000154 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048168 000168 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048188 000188 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        080481ac 0001ac 000044 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481f0 0001f0 0004e0 10   A  6   1  4
  [ 6] .dynstr           STRTAB          080486d0 0006d0 000349 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          08048a1a 000a1a 00009c 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08048ab8 000ab8 000090 00   A  6   1  4
  [ 9] .rel.dyn          REL             08048b48 000b48 000030 08   A  5   0  4
  [10] .rel.plt          REL             08048b78 000b78 000228 08   A  5  12  4
  [11] .init             PROGBITS        08048da0 000da0 000024 00  AX  0   0  4
  [12] .plt              PROGBITS        08048dd0 000dd0 000460 04  AX  0   0 16
  [13] .text             PROGBITS        08049230 001230 006f2c 00  AX  0   0 16
  [14] .fini             PROGBITS        0805015c 00815c 000015 00  AX  0   0  4
  [15] .rodata           PROGBITS        08050180 008180 000e86 00   A  0   0 32
  [16] .eh_frame_hdr     PROGBITS        08051008 009008 0002d4 00   A  0   0  4
  [17] .eh_frame         PROGBITS        080512dc 0092dc 000d30 00   A  0   0  4
  [18] .init_array       INIT_ARRAY      08053f04 00af04 000004 00  WA  0   0  4
  [19] .fini_array       FINI_ARRAY      08053f08 00af08 000004 00  WA  0   0  4
  [20] .jcr              PROGBITS        08053f0c 00af0c 000004 00  WA  0   0  4
  [21] .dynamic          DYNAMIC         08053f10 00af10 0000e8 08  WA  6   0  4
  [22] .got              PROGBITS        08053ff8 00aff8 000008 04  WA  0   0  4
  [23] .got.plt          PROGBITS        08054000 00b000 000120 04  WA  0   0  4
  [24] .data             PROGBITS        08054120 00b120 00003c 00  WA  0   0  4
  [25] .bss              NOBITS          08054160 00b15c 0005c4 00  WA  0   0 32
  [26] .gnu_debuglink    PROGBITS        00000000 00b15c 000008 00      0   0  1
  [27] .shstrtab         STRTAB          00000000 00b164 0000fc 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
==============================

But, according to the kernel ELF loader:

linux-3.7.4/fs/binfmt_elf.c:
static int load_elf_binary(...)
{
    ...
    for(i = 0, elf_ppnt = elf_phdata;
        i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
        ...
        if (elf_ppnt->p_type != PT_LOAD)
            continue;
    ...
}

The kernel ELF loader only loads PT_LOAD segments, but GNU_RELRO is not a PT_LOAD type?


GNU_RELRO is a subset of PT_LOAD 2, i.e. the 2nd loadable segment. I had seen this type of adjustment in the WindRiver distribution of Linux. This is actually made to avoid unnecessary application crashes (segmentation faults), which I will explain later.

First, let us look at the section-to-segment mapping.
Sections 1 to 17, which have access permissions AX, are mapped to the 1st loadable segment (Code).
Sections 18 to 26, which have access permissions WA, are mapped to the 2nd loadable segment (Data).
Of these, sections 18 to 22 are also mapped to GNU_RELRO.

When an application is initiated for execution, sections 18 to 22 will be accessed by the dynamic linker to edit a few locations. Since the dynamic linker code will also be mapped into the virtual address space of the application (see /proc/self/maps), the virtual addresses associated with sections 18 to 22 should have write permissions for the dynamic linker to write into those sections.

And the application's code has nothing explicitly to do with sections 18 to 22, though execution control passes through these sections without the knowledge of the application programmer.

Thus, once the dynamic linker finishes its job, this trick is done to split the virtual address region 08053000-08055000 into
08053000-08054000 r--p 0000a000 08:01 261656     /bin/cat
08054000-08055000 rw-p 0000b000 08:01 261656     /bin/cat

If you carefully observe, section 23 (.got.plt) is still part of the virtual address region 08054000-08055000, even though the application code has nothing to do with this section explicitly. This is because of the lazy binding adopted by the dynamic linker. The dynamic linker will put its hands on this section when the application invokes some of the library functions.

Why this trick?

Suppose the entire virtual address region 08053000-08055000 is RW. The application can inadvertently access the addresses which are mapped to sections 18 to 22 and cause the application to crash.

For example:

int a[3]; /* Suppose the address of a is 0x08054160, which belongs to .bss */

int main()
{
    a[-0x168] = 12;   /* out-of-bounds store below the start of a */

    return 0;
}

Since a[-0x168] is *(a-0x168), this will generate the address 0x08053FF8, which belongs to the .got section (sec 22).
This code will be writing into the .got section and cause the app. to crash at some point later.

To avoid this type of error, sections 18 to 22 will be marked as READONLY, so that the kernel can do an access-type validation of the generated address and not allow the program to write into the READONLY area.

Regards,
Prabhunath G
Linux Trainer
Bangalore


At 2013-03-07 18:53:46, "Prabhu nath" <gprabhunath at gmail.com> wrote:
Looks like they have added a new section GNU_RELRO in the later versions. The one you are referring to is a read-only section. It would be nice if you share the section header table.
Please see inline.


Regards,
Prabhunath G
Linux Trainer
Bangalore

On Thu, Mar 7, 2013 at 3:31 PM, Jacky <jackyclivia at 163.com> wrote:

Dear all,

This is the Program Header info for "cat":

================================
readelf -l /bin/cat
...
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4
  INTERP         0x000154 0x08048154 0x08048154 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x0a00c 0x0a00c R E 0x1000
  LOAD           0x00af04 0x08053f04 0x08053f04 0x00258 0x00820 RW  0x1000
  DYNAMIC        0x00af10 0x08053f10 0x08053f10 0x000e8 0x000e8 RW  0x4
  NOTE           0x000168 0x08048168 0x08048168 0x00044 0x00044 R   0x4
  GNU_EH_FRAME   0x009008 0x08051008 0x08051008 0x002d4 0x002d4 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x00af04 0x08053f04 0x08053f04 0x000fc 0x000fc R   0x1
==============================

So there are just 2 PT_LOAD segments. But why does the kernel map 3 memory regions? The following is the maps output:


Though the second PT_LOAD starts at file offset 0xaf04, the first fc bytes belong to the GNU_RELRO segment (the last entry in the Program Header). If you add af04 + fc you get afff. Looks like they have placed this section advertently in such a way that the actual DATA segment will start at the next virtual address page boundary, 0x08054000. Thus the GNU_RELRO section with read-only permissions is placed in a separate virtual address region.
This is the result of the maps file you see below.

============================
cat /proc/self/maps

08048000-08053000 r-xp 00000000 08:01 261656     /bin/cat
08053000-08054000 r--p 0000a000 08:01 261656     /bin/cat
08054000-08055000 rw-p 0000b000 08:01 261656     /bin/cat
09b58000-09b79000 rw-p 00000000 00:00 0          [heap]
b75bd000-b75be000 rw-p 00000000 00:00 0
b75be000-b7761000 r-xp 00000000 08:01 523958     /lib/i386-linux-gnu/libc-2.15.so
...
==================

In the above output there are 3 memory regions for "/bin/cat". What is the following segment:

08053000-08054000 r--p 0000a000 08:01 261656     /bin/cat

According to the 'cat' program header, there is no "r" segment.


Regards,
Jacky
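
As an added illustration of the mapping Prabhunath describes above (editorial example code, not from the thread, the kernel or glibc), the following Python recomputes the three /proc/self/maps regions from the program headers Jacky posted: the kernel maps only the two PT_LOAD segments at page granularity, then ld.so makes the page-aligned GNU_RELRO range read-only. The alignment rule in relro_range follows glibc's _dl_protect_relro (both ends rounded down to a page); PHDRS is constructed from the readelf -l output quoted above.

```python
PAGE = 0x1000  # i386 page size, matching the 0x1000 LOAD alignment above

# Constructed from the `readelf -l /bin/cat` output quoted in the thread.
# Fields: (type, p_offset, p_vaddr, p_filesz, p_memsz, flags)
PHDRS = [
    ("LOAD",      0x000000, 0x08048000, 0x0a00c, 0x0a00c, "R E"),
    ("LOAD",      0x00af04, 0x08053f04, 0x00258, 0x00820, "RW "),
    ("GNU_RELRO", 0x00af04, 0x08053f04, 0x000fc, 0x000fc, "R  "),
]

def page_down(x): return x & ~(PAGE - 1)
def page_up(x): return page_down(x + PAGE - 1)

def perms(flags):
    """readelf's 'R E' -> the 'r-x' form /proc/PID/maps uses."""
    return "".join(c.lower() if c in flags else "-" for c in "RWE").replace("e", "x")

def load_regions(phdrs):
    """Page-granular mappings load_elf_binary() creates: PT_LOAD only, RELRO ignored."""
    return [(page_down(va), page_up(va + memsz), perms(fl))
            for t, _, va, _, memsz, fl in phdrs if t == "LOAD"]

def relro_range(phdrs):
    """Range ld.so mprotect()s read-only after relocation (glibc aligns both ends down)."""
    for t, _, va, _, memsz, _ in phdrs:
        if t == "GNU_RELRO" and memsz:
            return page_down(va), page_down(va + memsz)
    return None

def final_maps(phdrs):
    """Regions as /proc/PID/maps shows them once RELRO has been applied."""
    relro, out = relro_range(phdrs), []
    for s, e, p in load_regions(phdrs):
        if relro is None or e <= relro[0] or s >= relro[1] or "w" not in p:
            out.append((s, e, p))
            continue
        lo, hi = max(s, relro[0]), min(e, relro[1])
        if s < lo:
            out.append((s, lo, p))
        out.append((lo, hi, p.replace("w", "-")))  # the split-off r--p region
        if hi < e:
            out.append((hi, e, p))
    return out

def perms_at(phdrs, addr):
    """Permissions a store to addr meets; None means unmapped (a store to r-- faults too)."""
    for s, e, p in final_maps(phdrs):
        if s <= addr < e:
            return p
    return None
```

perms_at() also answers the a[-0x168] question: 0x08053FF8 (.got) sits in the r--p region, and with 4-byte ints on i386 the store from &a[-0x168] = 0x08054160 - 0x5a0 = 0x08053bc0 lands in that same read-only region, so the kernel faults it instead of letting it silently corrupt relocated data.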

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies at kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
