Suppose there is a certain ./a.out (built from C) that prints the address returned by the first malloc (naturally, the same actions are performed on the way to it every time).

With each launch we see different numbers. This is a feature of Linux (it can be implemented on other systems as well) of running the program so that the stack, the heap and the file-mapping area are placed at random addresses.

But if you look in gdb, or run this ./a.out under valgrind, you will see the same address every time.

The question is: how do you run ./a.out (without apt-get install valgrind) so that the printed address is always the same?

  • Wow, why bother? Maybe you need ASLR turned off (or what is this feature called under Linux?) - VladD
  • @VladD, yes! You're the first. (This is an experiment; it started in the chat, you missed it.) - avp
  • Well, it's needed, for example, to compare debug printouts with diff. - avp
  • Intrigued, went off to read the chat :) - VladD
  • Yeah, read it. Let's assume I lost to Google five times. :) (Though working hours probably excuse me.) - VladD

1 answer

As rightly noted in the comments, what you are running into is called ASLR, address space layout randomization. The technology is supported by all modern OSes.

But besides OS support, binaries must also be compiled in a special way. For example, GCC has options for compiling with ASLR support: -fPIC/-fpic and -fPIE/-fpie.

In Linux, ASLR support at the OS level can be disabled by hand:

 sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space' 

and turned back on:

 sudo bash -c 'echo 2 > /proc/sys/kernel/randomize_va_space' 

Finally, Linux has the hardening-check utility, which determines whether a binary is compiled with randomization support or not.

UPD:

It turns out that there are as many as 5 types of randomization:

  • Stack ASLR
  • Libs / mmap ASLR
  • Exec ASLR - this type is enabled by the -fPIE flags at compile time
  • brk ASLR
  • VDSO ASLR

And the docs say that brk ASLR is what randomizes mallocs.

I.e., it turns out that some randomization requires special flags when compiling the program, and some works out of the box by default. So, to completely eliminate any randomization, you need to disable ASLR at the OS level for the session ( setarch $(uname -m) -RL bash ).
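The mechanism behind setarch -R is the ADDR_NO_RANDOMIZE personality flag, and it only takes effect for images exec'd after the flag is set. The program below is an added example written for this page; it is not the asker's a.out or code from the answer. It assumes Linux with glibc: it reads /proc/sys/kernel/randomize_va_space, sets ADDR_NO_RANDOMIZE on itself and re-execs through /proc/self/exe, then prints one address from each region the answer's list names (exec, stack, brk/heap, libs). The "--no-aslr" marker argument is a hypothetical convention used only to stop the re-exec from looping.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

/* Parse the contents of /proc/sys/kernel/randomize_va_space ("0\n", "1\n", "2\n").
 * Returns 0, 1 or 2, or -1 for anything else. */
int parse_randomize_va_space(const char *s)
{
    if (s == NULL || s[0] < '0' || s[0] > '2')
        return -1;
    if (s[1] != '\0' && s[1] != '\n')
        return -1;
    return s[0] - '0';
}

/* Meaning of each sysctl value, per the kernel's sysctl documentation. */
const char *describe_randomize_va_space(int v)
{
    switch (v) {
    case 0:  return "ASLR off";
    case 1:  return "stack, mmap base, VDSO randomized; brk not randomized";
    case 2:  return "full: stack, mmap base, VDSO and brk randomized";
    default: return "unknown";
    }
}

/* Read the live sysctl value; -1 if the file cannot be read (non-Linux, sandbox). */
int read_randomize_va_space(void)
{
    char buf[8] = {0};
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_randomize_va_space(buf);
}

/* 1 if ADDR_NO_RANDOMIZE is set for this process (what setarch -R does),
 * 0 if not, -1 if the personality() query itself failed. */
int aslr_disabled_by_personality(void)
{
    int p = personality(0xffffffff);   /* 0xffffffff queries without changing */
    if (p == -1)
        return -1;
    return (p & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

/* Set ADDR_NO_RANDOMIZE and re-execute ourselves via /proc/self/exe, because
 * the flag only applies to images exec'd afterwards.
 * Does not return on success; returns -1 on failure. */
int reexec_without_aslr(char **argv)
{
    int p = personality(0xffffffff);
    if (p == -1 || personality(p | ADDR_NO_RANDOMIZE) == -1)
        return -1;
    execv("/proc/self/exe", argv);
    return -1;                         /* execv only returns on error */
}

int main(int argc, char **argv)
{
    int sysctl  = read_randomize_va_space();
    int persona = aslr_disabled_by_personality();
    int local   = 0;

    printf("randomize_va_space = %d (%s)\n", sysctl, describe_randomize_va_space(sysctl));

    /* First image: ASLR is on system-wide and nobody disabled it for us yet,
     * so switch persona and start over. argc guards against re-exec loops. */
    if (argc < 2 && sysctl > 0 && persona == 0) {
        char *args[] = { argv[0], "--no-aslr", NULL };   /* hypothetical marker */
        if (reexec_without_aslr(args) == -1)
            perror("reexec_without_aslr");
        return 1;
    }

    printf("ADDR_NO_RANDOMIZE set: %s\n", persona == 1 ? "yes" : "no");
    printf("main   (exec ASLR, only with PIE): %p\n", (void *)main);
    printf("local  (stack ASLR):               %p\n", (void *)&local);
    printf("malloc (brk/heap ASLR):            %p\n", malloc(16));
    printf("printf (libs/mmap ASLR):           %p\n", (void *)printf);
    return 0;
}
```

Build it once with plain gcc and once with gcc -fPIE -pie and run each several times: the malloc, stack and printf addresses stop changing after the re-exec in both builds, while the main address only moved between runs in the PIE build, which is the exec ASLR distinction the answer draws. Read-only relocations and the other hardening-check lines are unrelated to this.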

  • At least on x86_64 GNU/Linux, pic/pie are not needed. - avp
  • @avp why aren't they needed? - αλεχολυτ
  • @alexolut, because the phenomenon is observed when compiling without them. - avp
  • And what does hardening-check show? - zed
  • Did you mean this?
     avp@avp-ubu1:hash_misc$ gcc clist_test.c; hardening-check ./a.out
     ./a.out:
      Position Independent Executable: no, normal executable!
      Stack protected: yes
      Fortify Source functions: no, only unprotected functions found!
      Read-only relocations: yes
      Immediate binding: no, not found!
    - avp