| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Apr 13 04:35:01 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: linux bugs (survival stories)? On Wed, 13 Apr 2005 01:41:03 BST, pageexec@...email.hu said: > the real problem with the current linux noexec mount handling is > that by not restricting mprotect one can just construct an ELF file > that when mmap'ed will overlap the stack and call mprotect and > execute your code, effectively circumventing this measure (there was > a longish thread on this topic last May on dailydave), this gives > you a false sense of security only, not security. without such a > restriction a sysadmin cannot enforce a W^X policy at the file > system level. NetBSD (maybe the others as well, i didn't check) > and PaX both forbid mprotect(PROT_EXEC) on noexec mounts for this > reason. Now this, unlike the /lib/ld-linux.so hack, is a still-existing issue. However, this is getting rather far afield, because: 1) This is quite arguably a "design decision" rather than an outright bug. 2) Whether it's a bug or not, it only impacts userspace security - and we started off discussing protecting the kernel itself from kernel bugs.... (Not that I'm adverse to a thread on "what the kernel could do to harden userspace" - but somebody needs to change the Subject: line if we go that way...) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050412/c129ef86/attachment.bin
Powered by blists - more mailing lists