lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b946dd861874401a910740a9adea8e8e@AcuMS.aculab.com>
Date:   Mon, 8 Jul 2019 12:42:15 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Salvatore Mesoraca' <s.mesoraca16@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Brad Spengler <spender@...ecurity.net>,
        "Casey Schaufler" <casey@...aufler-ca.com>,
        Christoph Hellwig <hch@...radead.org>,
        James Morris <james.l.morris@...cle.com>,
        Jann Horn <jannh@...gle.com>,
        "Kees Cook" <keescook@...omium.org>,
        PaX Team <pageexec@...email.hu>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: RE: [PATCH v5 06/12] S.A.R.A.: WX protection

From: Salvatore Mesoraca
> Sent: 06 July 2019 11:55
...
> Executable MMAP prevention works by preventing any new executable
> allocation after the dynamic libraries have been loaded. It works under the
> assumption that, when the dynamic libraries have been finished loading, the
> RELRO section will be marked read only.

What about writing to the file of a dynamic library after it is loaded
but before it is faulted it (or after evicting it from the I$).

...
> +#define find_relro_section(ELFH, ELFP, FILE, RELRO, FOUND) do {		\
> +	unsigned long i;						\
> +	int _tmp;							\
> +	loff_t _pos = 0;						\
> +	if (ELFH.e_type == ET_DYN || ELFH.e_type == ET_EXEC) {		\
> +		for (i = 0; i < ELFH.e_phnum; ++i) {			\
> +			_pos = ELFH.e_phoff + i*sizeof(ELFP);		\
> +			_tmp = kernel_read(FILE, &ELFP, sizeof(ELFP),	\
> +					   &_pos);			\
> +			if (_tmp != sizeof(ELFP))			\
> +				break;					\
> +			if (ELFP.p_type == PT_GNU_RELRO) {		\
> +				RELRO = ELFP.p_offset >> PAGE_SHIFT;	\
> +				FOUND = true;				\
> +				break;					\
> +			}						\
> +		}							\
> +	}								\
> +} while (0)

This is big for a #define.
Since it contains kernel_read() it can't really matter if it is
a real function.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ