Fixed offset in linux ASLR?

  • I just printed function addresses and offset between two functions, but the offset is fixed whenever the program is executed (base address is only changed).

    Code (test.c)

    #include <stdio.h>
    #include <stdint.h>
    void func() {
    void func2() {
    int main() {
        uintptr_t main_addr = main;
        uintptr_t func_addr = func;
        uintptr_t func2_addr = func2;
        printf("main_addr: %p\n", main_addr);
        printf("func_addr: %p\n", func_addr);
        printf("func2_addr: %p\n", func2_addr);
        printf("offset (main - func): %ld\n", main_addr - func_addr);
        printf("offset (main - func2): %ld\n", main_addr - func2_addr);


    gcc test.c


    (1st execution)
    main_addr: 0x5578d1296190
    func_addr: 0x5578d129616a
    func2_addr: 0x5578d129617d
    offset (main - func): 38
    offset (main - func2): 19
    (2nd execution)
    main_addr: 0x55bf299d9190
    func_addr: 0x55bf299d916a
    func2_addr: 0x55bf299d917d
    offset (main - func): 38
    offset (main - func2): 19
    (3rd execution)
    main_addr: 0x55ba4767d190
    func_addr: 0x55ba4767d16a
    func2_addr: 0x55ba4767d17d
    offset (main - func): 38
    offset (main - func2): 19

    My kernel version is 5.4 (i.e., ubuntu 18.04)

    So, my questions are:

    1. Is this expected behavior(fixed offset) in ubuntu 18.04?
    2. How can I make a situation that randomizes not only base address, but also offset.

    Thank you

  • ASLR is about randomizing the layout of dynamically-linked libraries used by your code, not about randomizing within your program. The goal is to prevent an attacker from being able to simply hard-code the location of something like exec into a remote-execution exploit.

    To illustrate, two different copies of bash from my computer have libc at different addresses according to /proc/[pid]/maps:

    7fd647904000-7fd647a47000 r-xp 00022000 00:12 12970738                   /lib64/
    7f2b574cd000-7f2b57610000 r-xp 00022000 00:12 12970738                   /lib64/

    Instead of looking at addresses within your code, try checking the address of a library function, such as printf.

Log in to reply

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2