Joined: 07 May 2019
Posts: 100
Location: Paris/French
MaoKo 21 Oct 2020, 03:16
Hello. I'm trying to understand GNU_RELRO.
It seems that GNU_RELRO is relevant only when its offset is the same as that of another segment (I'm not sure about this).
LOAD           0x0000000000002e28 0x0000000000003e28 0x0000000000003e28 0x0000000000000200 0x0000000000000208  RW  0x1000
 . . . 
GNU_RELRO      0x0000000000002e28 0x0000000000003e28 0x0000000000003e28 0x00000000000001d8 0x00000000000001d8  R      0x1

And in a common ELF, this target segment is paired with sections like .got and .got.plt.
My goal is to dynamically change a writable segment into a read-only segment at runtime (without an explicit call to mprotect).
But in this code:
format ELF executable $03       ; 32-bit ELF executable, e_machine = 3 (EM_386)
entry _start

segment executable readable
_start:                         ; entry label (missing in the pasted code; fasm needs it)
  mov byte [_], $00             ; write into the "relro" data: faults only if the page is read-only
  mov eax, $01                  ; sys_exit
  xor ebx, ebx                  ; exit status 0
  int $80

segment gnurelro                ; PT_GNU_RELRO, empty here: it only describes the range that follows
segment writable readable       ; the RW PT_LOAD that the relro range is supposed to cover
_: db ?                         ; one uninitialised byte in the writable segment

the mapping for the second LOAD segment is always rw-. The write permission is still present.
So I guess the "relro trigger" is with the dynamic loader. But when I add:
segment interpreter
db "/usr/lib32/ld-2.32.so", $00 ; on my system

no matter whether I have included the gnurelro or not, it always segfaults.
The strace:
execve("./a", ["./a"], 0x7ffed7a53df0 /* 38 vars */) = 0
[ Process PID=30501 runs in 32 bit mode. ]
brk(NULL)                               = 0x94b2000
arch_prctl(0x3001 /* ARCH_??? */, 0xffc74d58) = -1 EINVAL (Invalid argument)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x4} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

I would be very grateful if someone could explain to me what happened.
Have a nice day.
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20220
Location: In your JS exploiting you and your system
revolution 22 Oct 2020, 04:25
Your interpreter has nothing to interpret.

Try adding some dependencies from libc or something.
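The mechanics behind both posts, as an added illustration that is not code from either poster: the kernel's ELF loader only maps PT_LOAD segments and ignores PT_GNU_RELRO, so a binary with no PT_INTERP (the fasm program above) keeps every page exactly as the kernel mapped it. The read-only step happens in ld.so, which after processing relocations calls mprotect(PROT_READ) over the PT_GNU_RELRO range, with both the start and the end rounded down to a page boundary (glibc's _dl_protect_relro), and aborts with "cannot apply additional memory protection after relocation" if that mprotect fails. The script below models that: it packs a constructed Elf64_Phdr table (the RW PT_LOAD and the PT_GNU_RELRO entries carry the values from the readelf listing in the first post, the other entries, offsets and sizes are assumed), computes the page map the kernel leaves behind, and then applies the loader's rule only when a PT_INTERP entry is present. The same rule holds for ELF32; only the header layout differs.

```python
"""Model of PT_GNU_RELRO handling: kernel maps PT_LOAD only, ld.so mprotects later.

Constructed example, not code from the forum thread or from glibc.
"""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
PAGE = 0x1000

# Elf64_Phdr, little-endian: p_type, p_flags, p_offset, p_vaddr, p_paddr,
# p_filesz, p_memsz, p_align (56 bytes)
PHDR64 = struct.Struct("<IIQQQQQQ")
FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
          "p_filesz", "p_memsz", "p_align")


def phdr(p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz, p_align):
    """Pack one program header; p_paddr is set equal to p_vaddr."""
    return PHDR64.pack(p_type, p_flags, p_offset, p_vaddr, p_vaddr,
                       p_filesz, p_memsz, p_align)


def parse_phdrs(blob):
    """Decode a raw program header table into a list of dicts."""
    return [dict(zip(FIELDS, t)) for t in PHDR64.iter_unpack(blob)]


def page_down(x, pagesize=PAGE):
    return x & ~(pagesize - 1)


def page_up(x, pagesize=PAGE):
    return (x + pagesize - 1) & ~(pagesize - 1)


def relro_mprotect_range(relro, l_addr=0, pagesize=PAGE):
    """Range ld.so passes to mprotect(PROT_READ) for a PT_GNU_RELRO entry.

    Both ends are rounded DOWN, so a relro segment that does not end on a
    page boundary protects fewer bytes than it describes (possibly none).
    """
    start = page_down(l_addr + relro["p_vaddr"], pagesize)
    end = page_down(l_addr + relro["p_vaddr"] + relro["p_memsz"], pagesize)
    return start, end


def kernel_map(phdrs, l_addr=0, pagesize=PAGE):
    """Page -> PF_* flags as the kernel's ELF loader leaves them.

    Only PT_LOAD entries are mapped; a later PT_LOAD sharing a page with an
    earlier one wins, as with MAP_FIXED. PT_GNU_RELRO is never looked at.
    """
    pages = {}
    for ph in phdrs:
        if ph["p_type"] != PT_LOAD:
            continue
        lo = page_down(l_addr + ph["p_vaddr"], pagesize)
        hi = page_up(l_addr + ph["p_vaddr"] + ph["p_memsz"], pagesize)
        for pg in range(lo, hi, pagesize):
            pages[pg] = ph["p_flags"]
    return pages


def final_map(phdrs, l_addr=0, pagesize=PAGE):
    """Protections once control reaches the program's entry point.

    With no PT_INTERP nothing runs between the kernel and _start, so the
    map is the kernel's. With an interpreter, ld.so applies each
    PT_GNU_RELRO range after relocation; an mprotect over unmapped pages
    fails (ENOMEM) and ld.so then aborts with a fatal error.
    """
    pages = kernel_map(phdrs, l_addr, pagesize)
    if not any(ph["p_type"] == PT_INTERP for ph in phdrs):
        return pages
    for relro in (ph for ph in phdrs if ph["p_type"] == PT_GNU_RELRO):
        start, end = relro_mprotect_range(relro, l_addr, pagesize)
        if start == end:          # glibc skips the mprotect for an empty range
            continue
        for pg in range(start, end, pagesize):
            if pg not in pages:
                raise RuntimeError(
                    "cannot apply additional memory protection after relocation")
            pages[pg] = PF_R
    return pages


def perms(flags):
    return "".join(c if flags & f else "-"
                   for c, f in (("r", PF_R), ("w", PF_W), ("x", PF_X)))


# Constructed table modelled on a typical gcc PIE; the RW LOAD and GNU_RELRO
# rows use the numbers quoted in the first post, everything else is assumed.
_COMMON = [
    phdr(PT_LOAD,      PF_R,        0x0,    0x0,    0x5d8, 0x5d8, 0x1000),
    phdr(PT_LOAD,      PF_R | PF_X, 0x1000, 0x1000, 0x1d5, 0x1d5, 0x1000),
    phdr(PT_LOAD,      PF_R,        0x2000, 0x2000, 0x138, 0x138, 0x1000),
    phdr(PT_LOAD,      PF_R | PF_W, 0x2e28, 0x3e28, 0x200, 0x208, 0x1000),
    phdr(PT_GNU_RELRO, PF_R,        0x2e28, 0x3e28, 0x1d8, 0x1d8, 1),
]
DYNAMIC_PHDRS = b"".join([
    phdr(PT_INTERP,  PF_R,        0x318,  0x318,  0x1c,  0x1c,  1),
    phdr(PT_DYNAMIC, PF_R | PF_W, 0x2e38, 0x3e38, 0x1c0, 0x1c0, 8),
] + _COMMON)
STATIC_PHDRS = b"".join(_COMMON)   # relro present, no interpreter: the fasm case


if __name__ == "__main__":
    for name, blob in (("dynamic", DYNAMIC_PHDRS), ("static", STATIC_PHDRS)):
        print(name)
        for pg, fl in sorted(final_map(parse_phdrs(blob)).items()):
            print(f"  {pg:#07x} {perms(fl)}")
```

Running it shows page 0x3000 ending up r-- only in the dynamic case, while page 0x4000 (the tail of the same RW PT_LOAD, where .data and .bss live) stays rw- in both: the linker sizes the relro range so that it ends exactly on the page boundary, which is why .got sits below it and the writable data above. Feeding a relro entry that ends mid-page (say memsz 0x100) into relro_mprotect_range returns an empty range, so nothing would be protected at all.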
