lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 04 Oct 2006 23:06:40 +0400
From:	Stas Sergeev <stsp@...et.ru>
To:	Jakub Jelinek <jakub@...hat.com>
Cc:	Arjan van de Ven <arjan@...radead.org>,
	Linux kernel <linux-kernel@...r.kernel.org>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Hugh Dickins <hugh@...itas.com>,
	Ulrich Drepper <drepper@...hat.com>, Valdis.Kletnieks@...edu
Subject: Re: [patch] remove MNT_NOEXEC check for PROT_EXEC mmaps

Hi.

Jakub Jelinek wrote:
> Even assuming ld.so would be hacked up so that it parses /proc/mounts
> to see if you are trying to run an executable via ld.so from
> noexec mount (which isn't going to happen),
No, the solution I wanted to evaluate, is "chmod 'go-x' ld.so".
For that to work, something like this is needed:
http://uwsg.ucs.indiana.edu/hypermail/linux/kernel/0609.3/2322.html
Then you can't invoke ld.so directly and if you happen to
have "noexec" on all the writeable mounts, then you can't
also use your own ld.so.

> if mmap with PROT_EXEC
> is allowed on noexec mounts, you can always put there a shared
> library instead of a binary and put some interesting stuff in its
> constructors and then just LD_PRELOAD=/dev/shm/libmyhack.so /bin/true
Of course if ld.so would check /proc/mounts, then it will
do so also for the shared libs, so LD_PRELOAD won't trick it.
I understand that parsing /proc/mounts is silly (I have
admitted that earlier in that thread already), but why not to
at least check the access(X_OK)? ld.so _must_ check access(X_OK)
before executing - why not yet?
Oh wait, access(X_OK) doesn't seem to work...
The attached patch is needed to get it working.
Does the patch look good? I think it was just a bug.

> Really, if noexec is supposed to make any sense at all, it needs
> to prevent PROT_EXEC mapping/mprotect, otherwise it is completely
> useless.
Why not having an exec perm on a file doesn't prevent PROT_EXEC then?

In any case, guys, can the attached patch be applied?
Arjan, it enforces "noexec", just as you wanted to see. :)
Please say "no" now, not when I mail it to Andrew, if possible.


View attachment "acc_noex.diff" of type "text/plain" (666 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ