tech-security archive


Re: [PATCH] fexecve



On Nov 16, 2012, at 9:50 AM, Thor Lancelot Simon wrote:

> On Fri, Nov 16, 2012 at 11:31:20AM -0600, Eric Haszlakiewicz wrote:
>> On Thu, Nov 15, 2012 at 07:39:03PM -0500, Thor Lancelot Simon wrote:
>>> On Thu, Nov 15, 2012 at 05:18:04PM -0600, Eric Haszlakiewicz wrote:
>>>> 
>>>> Well setuid executables seem like a special case, but other than that, I
>>>> think I can probably manage to execute something without an exec call.
>>>> In fact I know I can, just by linking against any dynamic library and
>>>> calling one of the functions in it.
>>> 
>>> You can't load a dynamic library that's on a filesystem mounted noexec.
>> 
>> er... so the dynamic linker looks like it tries to mmap the file with execute
>> permissions, and that fails, but what's to prevent me from just reading the 
>> file into memory and jumping to that address?  I feel like I'm missing 
>> something here...
> 
> If it's not mapped MAP_EXEC, you can't jump there.  If you can, you either
> have a hardware limitation that makes W^X impossible, or you have a pmap
> bug.

Assuming the MMU h/w supports the concept of exec pages.  Only recently
have some ARM, MIPS, and PowerPC chips added "no-execute" support.
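
Added example, not part of this thread or of the fexecve patch: a small C probe for the two checks discussed above, namely whether a file can be mapped with execute permission (the request the dynamic linker makes, which a noexec mount refuses) and whether a writable anonymous mapping can later be given execute permission (the W^X case). The function names `exec_map_allowed` and `wx_upgrade_allowed` are hypothetical, and treating `EACCES` or `EPERM` as "refused by policy" is an assumption about the kernel's error codes.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Can `path` be file-mapped with PROT_EXEC?
 * Returns 1 = allowed, 0 = refused by policy (assumed EACCES/EPERM),
 * -1 = any other error (missing file, unreadable file, ...). */
int exec_map_allowed(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int saved = errno;              /* keep mmap's errno across close() */
    close(fd);
    if (p == MAP_FAILED)
        return (saved == EACCES || saved == EPERM) ? 0 : -1;
    munmap(p, len);                 /* mapped only; nothing is executed */
    return 1;
}

/* Can a writable anonymous mapping be upgraded to writable+executable?
 * Returns 1 = allowed (W^X is not enforced for this process),
 * 0 = refused, -1 = could not create the test mapping. */
int wx_upgrade_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC);
    munmap(p, len);
    return rc == 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)  /* paths to audit, given on the command line */
        printf("%s: PROT_EXEC file mapping -> %d\n", argv[i], exec_map_allowed(argv[i]));
    printf("W+X anonymous upgrade -> %d\n", wx_upgrade_allowed());
    return 0;
}
```

Run it with one file from each mount point being audited; a 1 for a file on a mount that is meant to be noexec, or a 1 from the anonymous upgrade on a system expected to enforce W^X, means the policy is not in effect for that process.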

