[Full-disclosure] linux bugs (survival stories)?
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Wed Apr 13 04:34:43 BST 2005
On Wed, 13 Apr 2005 01:41:03 BST, pageexec at freemail.hu said:
> the real problem with the current linux noexec mount handling is
> that by not restricting mprotect one can just construct an ELF file
> that when mmap'ed will overlap the stack and call mprotect and
> execute your code, effectively circumventing this measure (there was
> a longish thread on this topic last May on dailydave), this gives
> you a false sense of security only, not security. without such a
> restriction a sysadmin cannot enforce a W^X policy at the file
> system level. NetBSD (maybe the others as well, i didn't check)
> and PaX both forbid mprotect(PROT_EXEC) on noexec mounts for this
> reason.
Now this, unlike the /lib/ld-linux.so hack, is a still-existing issue.
However, this is getting rather far afield, because:
1) This is quite arguably a "design decision" rather than an outright bug.
2) Whether it's a bug or not, it only impacts userspace security - and we
started off discussing protecting the kernel itself from kernel bugs....
(Not that I'm adverse to a thread on "what the kernel could do to harden
userspace" - but somebody needs to change the Subject: line if we go that way...)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050412/c129ef86/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.