lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4768E02F.20700@cosmosbay.com>
Date:	Wed, 19 Dec 2007 10:11:11 +0100
From:	Eric Dumazet <dada1@...mosbay.com>
To:	dotanb@....mellanox.co.il
CC:	linux-kernel@...r.kernel.org
Subject: Re: The code segment of the user level in PPC64 are in VMAs with
 write permissions

Dotan Barak a écrit :
> Hi all.
> 
> I noticed that the code segment of the user level in PPC64 machines
> is in a VMA with a write permission enabled.
> 
> I'm using the following machine attributes:
> *************************************************************
> Host Name         : mtlsqt185
> Host Architecture : ppc64
> Linux Distribution: SUSE Linux Enterprise Server 10 (ppc) VERSION = 10 
> PATCHLEVEL = 1
> Kernel Version    : 2.6.16.53-0.16-ppc64
> GCC Version       : gcc (GCC) 4.1.2 20070115 (prerelease) (SUSE Linux)
> Memory size       : 1740232 kB
> Number of CPUs    : 8
> cpu MHz           : 4005.000000MHz
> Driver Version    : OFED-1.2.5.4-20071210-0614
> HCA ID(s)         : mlx4_0
> HCA model(s)      : 25418
> FW version(s)     : 2.3.906
> Board(s)          : IBM08A0000001
> *************************************************************
> 
> I printed the address of a function in my program and i got the value 
> 0x1005ac80.
> 
> I printed the VMAs in my process and i got the following output:
> mtlsqt185:~ # cat /proc/17366/maps
> 00100000-00103000 r-xp 00100000 00:00 0
> 10000000-1004a000 r-xp 00000000 08:03 1063667                            
> /tmp/tsscr/svn.mlx_tp/branches/ofed1.2.5/gen2/userspace/useraccess/gen2_basic/gen2_basic 
> 
> 1005a000-1005e000 rw-p 0004a000 08:03 1063667                            
> /tmp/tsscr/svn.mlx_tp/branches/ofed1.2.5/gen2/userspace/useraccess/gen2_basic/gen2_basic 
> 
> 1005e000-1015f000 rw-p 1005e000 00:00 0                                  
> [heap]
> 
> Is this is a security hole (any virus can change the code in the code 
> segment ...)
> 
> can you please CC me the answers o this question?
> 

This is because on PPC architecture, address of a function points to a small
data area (a function descriptor) where the caller can find informations about :

- Address (in the text segment, so readonly) of the target function
- Address of the TOC for this function.


http://www.linux-foundation.org/spec/ELF/ppc64/PPC-elf64abi-1.9.html#FUNC-ADDRESS
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ