Subject: Re: mmap(), security and /dev/zero
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 06/21/2004 19:58:43
On Mon, Jun 21, 2004 at 04:47:37PM -0700, Jonathan Stone wrote:
>
> So two questions: 
> 
> 1. Assuming non-executable mappings correctly honour noexec mounts,
>    the hole Thor noted is now fixed, correct? Do we have a regression
>    suite to check for that?

"Not exactly".  I believe we decided to not require the x bit on files
backing executable mappings, because this would be a painful user-visible
change (every shared object on the system would require x added to its
permissions).  I don't know if the non-executable support we now have on
x86 can even handle enough arbitrary regions to deal with programs
dlopening large numbers of objects; remember, the way it works is pretty
evil.

And, of course, we have architectures that still can't enforce PROT_EXEC.
But I do still think we should require it, at least by design (meaning
that where we can't do read-but-not-exec, it just wouldn't work as designed);
there is prior art for this, too, as I understand it: HP-UX requires X on
shared objects and, I think, anything else mmap()ed with PROT_EXEC.

There's a hole rather worse than the one I originally noticed, of course;
dlopen or not, you can jump into code in malloc()ed, mmap()ed, or stack
memory.  I believe some Linux rootkits now include hand-rolled dynamic
loaders for this exact purpose.

Thor
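
A sketch of the regression check asked about in the quoted question, as an added example (not NetBSD's test suite and not code from this thread): it reports whether a file with no x bit may back a PROT_EXEC mapping, and running it against a directory on a noexec mount exercises that case too. The function name `probe_mapping`, the temporary file name and the `/tmp` default are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the mapping was granted, 0 if the kernel refused it with
 * EACCES or EPERM, -1 on any other (setup) failure. */
int probe_mapping(const char *dir, mode_t mode, int prot)
{
    char path[4096];
    int fd, result;
    void *p;

    if (snprintf(path, sizeof path, "%s/mapprobe.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    if ((fd = mkstemp(path)) < 0)
        return -1;
    unlink(path);                       /* file lives only as long as fd */
    if (fchmod(fd, mode) < 0 || ftruncate(fd, 4096) < 0) {
        close(fd);
        return -1;
    }
    p = mmap(NULL, 4096, prot, MAP_PRIVATE, fd, 0);
    if (p != MAP_FAILED) {
        munmap(p, 4096);
        result = 1;
    } else {
        result = (errno == EACCES || errno == EPERM) ? 0 : -1;
    }
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp"; /* directory on the mount under test */
    int r = probe_mapping(dir, 0644, PROT_READ | PROT_EXEC);
    printf("%s: PROT_EXEC mapping of a mode-0644 file: %s\n", dir,
           r == 1 ? "granted" : r == 0 ? "refused" : "probe error");
    return r < 0;
}
```

A kernel that required the x bit on files backing executable mappings would print "refused" for any directory; one that only honours noexec prints "refused" on a noexec mount and "granted" elsewhere.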