tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] fexecve
On Nov 16, 2012, at 9:50 AM, Thor Lancelot Simon wrote:
> On Fri, Nov 16, 2012 at 11:31:20AM -0600, Eric Haszlakiewicz wrote:
>> On Thu, Nov 15, 2012 at 07:39:03PM -0500, Thor Lancelot Simon wrote:
>>> On Thu, Nov 15, 2012 at 05:18:04PM -0600, Eric Haszlakiewicz wrote:
>>>>
>>>> Well setuid executables seem like a special case, but other than that, I
>>>> think I can probably manage to execute something without an exec call.
>>>> In fact I know I can, just by linking against any dynamic library and
>>>> calling one of the functions in it.
>>>
>>> You can't load a dynamic library that's on a filesystem mounted noexec.
>>
>> er... so the dynamic linker looks like it tries to mmap the file with execute
>> permissions, and that fails, but what's to prevent me from just reading the
>> file into memory and jumping to that address? I feel like I'm missing
>> something here...
>
> If it's not mapped MAP_EXEC, you can't jump there. If you can, you either
> have a hardware limitation that makes W^X impossible, or you have a pmap
> bug.
Assuming the MMU h/w supports the concept of exec pages. Only recently
have some ARM, MIPS, and PowerPC chips added "no-execute" support.
Home |
Main Index |
Thread Index |
Old Index