| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Jul 2020 15:51:24 +0800
From: Tiezhu Yang <yangtiezhu@...ngson.cn>
To: "Maciej W. Rozycki" <macro@....com>
Cc: Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
linux-mips@...r.kernel.org, linux-kernel@...r.kernel.org,
Kees Cook <keescook@...omium.org>,
Xuefeng Li <lixuefeng@...ngson.cn>,
Juxin Gao <gaojuxin@...ngson.cn>,
"Maciej W. Rozycki" <macro@...ux-mips.org>
Subject: Re: [PATCH] MIPS: Prevent READ_IMPLIES_EXEC propagation
On 07/08/2020 03:45 AM, Maciej W. Rozycki wrote:
> On Tue, 7 Jul 2020, Tiezhu Yang wrote:
>
>> In the MIPS architecture, we should clear the security-relevant
>> flag READ_IMPLIES_EXEC in the function SET_PERSONALITY2() of the
>> file arch/mips/include/asm/elf.h.
>>
>> Otherwise, with this flag set, PROT_READ implies PROT_EXEC for
>> mmap to make memory executable that is not safe, because this
>> condition allows an attacker to simply jump to and execute bytes
>> that are considered to be just data [1].
> Why isn't the arrangement made with `mips_elf_read_implies_exec'
> sufficient?
We inherit the READ_IMPLIES_EXEC personality flag across fork().
If we do not explicitly clear this flag in SET_PERSONALITY2(),
PROT_READ implies PROT_EXEC for mmap to make memory executable
even if used with the GCC option "-z noexecstack" when compile.
By the way, we can see some other reasons in the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=48f99c8ec0b2
>
> Maciej
Powered by blists - more mailing lists