Hello, I have been investigating the use of the --dynamicbase linker option with MinGW-w64 to generate ASLR-compatible executables. However, I've run into a few problems.
To simplify the discussion, here's a test program, mingw-aslr.c:

    #include <stdio.h>

    int main(void)
    {
        printf("main = %p\n", main);
        return 0;
    }

I will show examples with the 32-bit toolchain, but these problems also apply to the x86_64 version. I am testing with toolchains built by Gentoo's crossdev tool.

The base compile command looks like this:

    $ i686-w64-mingw32-gcc mingw-aslr.c -o mingw-aslr.exe

This executable works, but it always loads at the specified base address, 0x400000. This is expected behavior, since we haven't marked the executable as compatible with ASLR.

Adding '-Wl,--dynamicbase' generates an executable that has the "Dynamic base" flag enabled in DllCharacteristics, but it always loads at 0x400000. This is because it does not have any relocation information.

Adding '-pie' generates an executable with the dynamic base flag and with relocations, but it has an incorrect entry point and will not run correctly:

    $ i686-w64-mingw32-objdump -p mingw-aslr.exe | grep AddressOfEntryPoint
    AddressOfEntryPoint     00001000

The code at offset 0x1000 is ___mingw_invalidParameterHandler (not the correct entry point), which means the program will crash when starting. (Additionally, the generated executable has an apparently redundant, empty export directory (.edata section).)

Adding '-Wl,-e_mainCRTStartup' to force the entry point creates a working executable with relocations and ASLR enabled; everything works correctly with this set of options. However, it seems unlikely that requiring the entry point to be specified manually is intended behavior.

    $ i686-w64-mingw32-objdump -p mingw-aslr.exe | grep AddressOfEntryPoint
    AddressOfEntryPoint     000014e0

mingw.org (non-w64) gcc generates .exes that are relocatable and run correctly with -pie, although this may be by accident; ___mingw_CRTStartup happens to be located at offset 0x1000 in the test executable.

So, this leads us to a list of questions:

Why does --dynamicbase not enable generation of .reloc?
Barring that, is the -pie option the correct way to force generation of .reloc for .exe files?

If so, why does adding -pie set an incorrect entry point?

Thanks,
-- 
Daniel Verkamp
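For anyone who wants to check binaries for the condition described in this message (the dynamic base flag set but no relocation data present), here is an added Python example; it is not from the post and not mingw-w64 code. It reads the same PE header fields that objdump -p prints, combines the DllCharacteristics dynamic-base bit with the base-relocation data directory and the IMAGE_FILE_RELOCS_STRIPPED file flag, and reports the entry point RVA together with the executable section it falls in. The three sample images are constructed header-only PE32 stubs standing in for the three link results above (plain, '-Wl,--dynamicbase', and '-pie' with the forced entry point); they are not runnable executables, and their section layout and the RELOCS_STRIPPED bit on the no-reloc stubs are assumptions of the example. The checker can confirm that the entry point lands inside an executable section, but it cannot tell which function lives at that offset.

```python
import struct

# PE/COFF header constants (values from the PE format specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Pull out the header fields that decide whether the loader can rebase an image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:      # PE32: 32-bit ImageBase at +28, data directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at +24, data directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    # The section table follows the optional header; note which executable section holds the entry point
    sections, entry_section = [], None
    for i in range(nsections):
        raw, vsize, rva, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = raw.rstrip(b"\0").decode("ascii")
        sections.append(name)
        if rva <= entry_rva < rva + vsize and flags & IMAGE_SCN_MEM_EXECUTE:
            entry_section = name
    return {"image_base": image_base, "entry_rva": entry_rva, "entry_section": entry_section,
            "characteristics": characteristics, "dll_characteristics": dll_chars,
            "reloc_size": reloc_size, "sections": sections}


def aslr_verdict(info: dict) -> str:
    """Both the flag and relocation data are needed before the loader will move the image."""
    dynamic_base = bool(info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_relocs = info["reloc_size"] > 0 and not info["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED
    if dynamic_base and has_relocs:
        return "ASLR_OK"
    if dynamic_base:
        return "FLAG_WITHOUT_RELOCS"   # the '--dynamicbase'-only case: still loads at ImageBase
    if has_relocs:
        return "RELOCS_WITHOUT_FLAG"
    return "FIXED_BASE"


def build_sample_pe32(dynamic_base: bool, with_reloc: bool, entry_rva: int) -> bytes:
    """Constructed header-only PE32 stub (not a runnable program) mimicking a link result."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE signature follows the DOS header
    sections = [(b".text", 0x1000, 0x600, 0x60000020)]     # name, RVA, size, CODE|EXECUTE|READ
    if with_reloc:
        sections.append((b".reloc", 0x3000, 0x40, 0x42000040))  # INITIALIZED_DATA|DISCARDABLE|READ
    characteristics = 0x0102                               # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if not with_reloc:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED      # assumption for the constructed stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                   # PE32 optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 68, 3, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if with_reloc:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x40)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, rva, sz, 0, 0, 0, 0, 0, fl)
                    for n, rva, sz, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    cases = {
        "plain link": build_sample_pe32(False, False, 0x14E0),
        "-Wl,--dynamicbase": build_sample_pe32(True, False, 0x14E0),
        "-pie -Wl,-e_mainCRTStartup": build_sample_pe32(True, True, 0x14E0),
    }
    for label, image in cases.items():
        info = parse_pe(image)
        print("%-28s entry=0x%x in %s  sections=%s  -> %s" % (
            label, info["entry_rva"], info["entry_section"], info["sections"], aslr_verdict(info)))
```

Run against a real .exe by replacing the constructed stubs with the file's bytes; a FLAG_WITHOUT_RELOCS result is the '--dynamicbase'-only outcome described above, where the loader keeps the fixed ImageBase despite the flag.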