Date: Sat, 10 Jun 2017 08:26:10 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: a possible need for MAP_FIXED in ldso/dynlink.c ?

On Sat, Jun 10, 2017 at 12:51:51PM +0200, u-uy74@...ey.se wrote:
> Hello,
> 
> Running musl-based (1.1.16) Linux binaries (i386) under Linux ABI
> on FreeBSD (11.0-RELEASE amd64), with explicit use of the loader like
>  /..../libc.so --library-path <something> <prog> <args>
> fails when mmap() returns a different address than requested
> which is rejected by the musl loader when mapping the executable:
> "Not a valid dynamic program",
> due to:
>         map = ....
>                 : mmap((void *)addr_min, map_len, prot,
>                         MAP_PRIVATE, fd, off_start);
>  ...
>         /* If the loaded file is not relocatable and the requested address is
>          * not available, then the load operation must fail. */
>         if (eh->e_type != ET_DYN && addr_min && map!=(void *)addr_min) {
>                 errno = EBUSY;
>                 goto error;
>  ...
> 
> mmap() returning a different address does not necessarily mean that
> the requested one is not available.
> 
> I wonder whether adding MAP_FIXED to MAP_PRIVATE above would be a
> useful approach (conditionally on eh->e_type==ET_EXEC ?).
> 
> Adding the MAP_FIXED flag, both conditionally or not, seems to work
> around the particular problem but I am unsure about all its implications
> and consequences, among others under the current Linux implementation
> of the Linux ABI.

Use of MAP_FIXED with a memory range you don't already own is an
invalid and unsafe operation. You may end up mapping over top of
yourself, even. Implementations should honor the requested address
passed to mmap and only fail to provide it if it's already in use.

Basically MAP_FIXED is analogous to dup2, and mmap with a preferred
address but no MAP_FIXED is analogous to fcntl F_DUPFD. Breaking the
latter is popular among security snakeoil products but really has no
benefits, since applications that don't have a reason for requesting a
particular address should, and do, pass 0 as the request.

Rich
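
The two behaviours Rich contrasts, as an added example that is not part of this thread and not musl's own code. `map_at_exactly()` is a hypothetical stand-in for the loader path quoted above: it passes the address as a hint (no MAP_FIXED) and turns a different return address into EBUSY. The other functions show, with throwaway anonymous pages on a Linux host (the FreeBSD Linux-ABI case the original poster hit is not reproduced here), that a hinted request on a busy address comes back elsewhere, while MAP_FIXED on the same address silently replaces the live page and its data.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define RW   (PROT_READ | PROT_WRITE)
#define ANON (MAP_PRIVATE | MAP_ANONYMOUS)

/* Hypothetical loader helper: place a segment at exactly `want`, the way an
 * ET_EXEC image requires.  The address is a hint only, never MAP_FIXED; a
 * different return address means "already in use", so the mapping is dropped
 * and EBUSY reported, mirroring the dynlink.c check quoted in the thread. */
void *map_at_exactly(void *want, size_t len)
{
    void *got = mmap(want, len, RW, ANON, -1, 0);
    if (got == MAP_FAILED) return NULL;
    if (got != want) {
        munmap(got, len);          /* we got a page, just not the one we need */
        errno = EBUSY;
        return NULL;
    }
    return got;
}

/* Returns 1 if a hinted mmap at an already-mapped address comes back
 * somewhere else (the kernel behaviour the loader relies on), 0 if the busy
 * address was returned, -1 on error. */
int hint_on_busy_page_moves(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *a = mmap(NULL, pg, RW, ANON, -1, 0);
    if (a == MAP_FAILED) return -1;
    void *b = mmap(a, pg, RW, ANON, -1, 0);   /* hint, not MAP_FIXED */
    if (b == MAP_FAILED) { munmap(a, pg); return -1; }
    int moved = (b != a);
    munmap(b, pg);
    munmap(a, pg);
    return moved;
}

/* Returns 1 if MAP_FIXED over a live page destroys its contents without any
 * error (the "mapping over top of yourself" hazard), 0 if the data survived,
 * -1 on error. */
int fixed_clobbers_live_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *a = mmap(NULL, pg, RW, ANON, -1, 0);
    if (a == MAP_FAILED) return -1;
    memcpy(a, "live data", 10);               /* constructed marker */
    char *b = mmap(a, pg, RW, ANON | MAP_FIXED, -1, 0);
    if (b == MAP_FAILED) { munmap(a, pg); return -1; }
    /* MAP_FIXED replaced the page; a fresh anonymous page reads as zeros. */
    int clobbered = (b == a) && (a[0] == '\0');
    munmap(a, pg);
    return clobbered;
}

/* Returns 1 if map_at_exactly() succeeds on a free address and refuses a
 * busy one with EBUSY instead of moving it, 0 otherwise. */
int loader_check_behaves(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    /* Find a currently free address by mapping and unmapping a page. */
    void *probe = mmap(NULL, pg, RW, ANON, -1, 0);
    if (probe == MAP_FAILED) return 0;
    munmap(probe, pg);
    void *got = map_at_exactly(probe, pg);
    if (got != probe) return 0;
    /* The address is now busy: a second request must fail, not relocate. */
    errno = 0;
    void *again = map_at_exactly(probe, pg);
    int refused = (again == NULL && errno == EBUSY);
    munmap(got, pg);
    return refused;
}

int main(void)
{
    printf("hinted mmap on busy page moved:      %d\n", hint_on_busy_page_moves());
    printf("MAP_FIXED clobbered live page:       %d\n", fixed_clobbers_live_page());
    printf("loader-style exact placement check:  %d\n", loader_check_behaves());
    return 0;
}
```

The hint-and-compare pattern in `map_at_exactly()` is the only portable way to ask for a specific address safely; MAP_FIXED answers a different question ("replace whatever is here"), which is why it is only valid on a range the caller already owns. Later Linux kernels (4.17 and up) added MAP_FIXED_NOREPLACE, which fails with EEXIST rather than replacing an existing mapping, but it post-dates this thread and older kernels silently ignore the flag, so the comparison of the returned address remains the check to keep.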
