Subject: Re: mmap(), security and /dev/zero
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 06/21/2004 19:58:43
On Mon, Jun 21, 2004 at 04:47:37PM -0700, Jonathan Stone wrote:
>
> So two questions:
>
> 1. Assuming non-executable mappings correctly honour noexec mounts,
> the hole Thor noted is now fixed, correct? Do we have a regression
> suite to check for that?
"Not exactly". I believe we decided to not require the x bit on files
backing executable mappings, because this would be a painful user-visible
change (every shared object on the system would require x added to its
permissions). I don't know if the non-executable support we now have on
x86 can even handle enough arbitrary regions to deal with programs
dlopening large numbers of objects; remember, the way it works is pretty
evil.
And, of course, we have architectures that still can't enforce PROT_EXEC.
But I do still think we should require it, at least by design (meaning
that where we can't do read-but-not-exec, it just wouldn't work as designed);
there is prior art for this, too, as I understand it: HP/UX requires X on
shared objects and, I think, anything else mmaped() with PROT_EXEC.
There's a hole rather worse than the one I originally noticed, of course;
dlopen or not, you can jump into code in malloc()ed, mmap()ed, or stack
memory. I believe some Linux rootkits now include hand-rolled dynamic
loaders for this exact purpose.
Thor