Subject: Re: mmap(), security and /dev/zero
To: None <>
From: Jonathan Stone <>
List: tech-kern
Date: 06/21/2004 17:19:46
In message <>,
Thor Lancelot Simon writes:

>On Mon, Jun 21, 2004 at 04:47:37PM -0700, Jonathan Stone wrote:
>> So two questions: 
>> 1. Assuming non-executable mappings correctly honour noexec mounts,
>>    the hole Thor noted is now fixed, correct? Do we have a regression
>>    suite to check for that?
>"Not exactly". I believe we decided to not require the x bit on files
>backing executable mappings, because this would be a painful user-visible
>change [...]

Oh dear. Seems like 2.0 would have been an Very Good Time to force
that particular flag-day.

>There's a hole rather worse than the one I originally noticed, of course;
>dlopen or not, you can jump into code in malloc()ed, mmap()ed, or stack
>memory.  I believe some Linux rootkits now include hand-rolled dynamic
>loaders for this exact purpose.

Mais d'accord. The only way to stop that is NX page bits. (Or other
ways to segregate writable pages from executable.) 

Even so (assuming you can suitable target code), you can code up an
exploit to overwrite the stack so as to return to that code, and give
it arguments to do whatever bad stuff you want.

Which is partly why I asked about totally-nodev chroot areas.