3.12 exec*()对ASLR的影响 https://scz.617.cn/unix/201205231543.txt D: -------------------------------------------------------------------------- /* * gcc-3.3 -Wall -pipe -O3 -s -o first first.c */ #include #include int main ( int argc, char * argv[] ) { char var[64]; printf( "var is at %p\n", &var ); execl( "./second", NULL ); return( 0 ); } /* end of main */ -------------------------------------------------------------------------- /* * gcc-3.3 -Wall -pipe -O3 -s -o second second.c */ #include int main ( int argc, char * argv[] ) { char buf[64]; printf( "buf is at %p\n", &buf ); return( 1 ); } /* end of main */ -------------------------------------------------------------------------- $ uname -a Linux debian 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux $ for ((i=0;i<16;i++));do ./first;done var is at 0xbfc668e0 1-bits buf is at 0xbfc668f0 var is at 0xbfd211a0 * buf is at 0xbfd211a0 var is at 0xbf9465c0 1-bits buf is at 0xbf9465d0 var is at 0xbfca5920 buf is at 0xbfca5700 var is at 0xbfad9750 buf is at 0xbfa61ee0 var is at 0xbfad0750 buf is at 0xbf9eb670 var is at 0xbfb15f90 buf is at 0xbfffe480 var is at 0xbff233a0 buf is at 0xbff6e3f0 var is at 0xbf8c3540 buf is at 0xbfe752f0 var is at 0xbfde5260 buf is at 0xbfd97a10 var is at 0xbfd519d0 buf is at 0xbff6fbf0 var is at 0xbfa6f6f0 buf is at 0xbfa3a6c0 var is at 0xbfdcf250 * buf is at 0xbfdcf250 var is at 0xbfd331b0 * buf is at 0xbfd331b0 var is at 0xbf8f5570 * buf is at 0xbf8f5570 var is at 0xbf9655e0 * buf is at 0xbf9655e0 总共运行了16次first,对比exec*()之后second的stack地址,其中5次stack没有随 机化,2次stack只变了1-bits。至少在2.6.18内核上,exec*()弱化了ASLR的效果。 $ uname -r 3.4.0-scz-20120531 $ for ((i=0;i<16;i++));do ./first;done var is at 0xbf8c9f90 buf is at 0xbfdced00 var is at 0xbfbbf7e0 buf is at 0xbfd2a210 var is at 0xbf95e5a0 buf is at 0xbfa82000 var is at 0xbf9c81c0 buf is at 0xbfc48fb0 var is at 0xbfe39eb0 buf is at 0xbfdf45a0 var is at 0xbff18cd0 buf is at 0xbfb2d0b0 var is at 0xbf85af20 buf is at 0xbf8041e0 var is at 0xbf988880 buf is at 0xbf805130 var is at 0xbfae2920 buf is at 0xbf855410 var is at 0xbf90cf80 buf is at 0xbfe7acc0 var is at 0xbf8e8640 buf is at 0xbfbcc7c0 var is at 0xbf96e050 buf is at 0xbf94e590 var is at 0xbf969b20 buf is at 0xbf8d28e0 var is at 0xbfa1dba0 buf is at 0xbfc209d0 var is at 0xbf953320 buf is at 0xbffa45b0 var is at 0xbfdeafb0 buf is at 0xbffc4980 新版本的内核上,已经不存在exec*()弱化ASLR效果的问题。