[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200504130334.j3D3Yih6012158@turing-police.cc.vt.edu>
Date: Wed Apr 13 04:35:01 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: linux bugs (survival stories)?
On Wed, 13 Apr 2005 01:41:03 BST, pageexec@...email.hu said:
> the real problem with the current linux noexec mount handling is
> that by not restricting mprotect one can just construct an ELF file
> that when mmap'ed will overlap the stack and call mprotect and
> execute your code, effectively circumventing this measure (there was
> a longish thread on this topic last May on dailydave), this gives
> you a false sense of security only, not security. without such a
> restriction a sysadmin cannot enforce a W^X policy at the file
> system level. NetBSD (maybe the others as well, i didn't check)
> and PaX both forbid mprotect(PROT_EXEC) on noexec mounts for this
> reason.
Now this, unlike the /lib/ld-linux.so hack, is a still-existing issue.
However, this is getting rather far afield, because:
1) This is quite arguably a "design decision" rather than an outright bug.
2) Whether it's a bug or not, it only impacts userspace security - and we
started off discussing protecting the kernel itself from kernel bugs....
(Not that I'm adverse to a thread on "what the kernel could do to harden
userspace" - but somebody needs to change the Subject: line if we go that way...)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050412/c129ef86/attachment.bin
Powered by blists - more mailing lists