2004-10-17 09:52:36

by Ingo Molnar

[permalink] [raw]
Subject: [patch] exec-shield-nx-2.6.9-A1


i've released the latest exec-shield patch:

http://redhat.com/~mingo/exec-shield/exec-shield-nx-2.6.9-A1

this is a merge of the exec-shield patches used in FC2/FC3 to mainline.
(The patch is smaller than earlier exec-shield patches or the 2.4 patch
because a sub-functionality related to exec-shield (flexmmap) got merged
to 2.6.9.)

This version of exec-shield makes use of NX too, if available (and PAE),
and falls back to the segment-limit method on CPUs that have no NX.

Ingo


2004-10-17 20:19:03

by Albert Cahalan

[permalink] [raw]
Subject: Re: [patch] exec-shield-nx-2.6.9-A1

You have some bits in this patch that don't belong.
They aren't even conditional on a config option or
sysctl value.

First, you change the permission on the /proc/*/maps file.
Normally a remote attacker is unable to read this anyway,
and a local setuid attack has time to try until success.
Changing the permission might be a good idea, mostly
because it exposes filenames, but it should be a separate
patch.

Second, you restrict wchan. Oddly, you don't allow for
the target task's euid to play a role, and you chose the
CAP_SYS_NICE bit instead of some other bit. Huh? One might
guess from CAP_SYS_NICE that the feature has now become
hopelessly slow. Same as with the maps file, this should
be a separate patch.




2004-10-17 20:31:55

by Ingo Molnar

[permalink] [raw]
Subject: Re: [patch] exec-shield-nx-2.6.9-A1


* Albert Cahalan <[email protected]> wrote:

> You have some bits in this patch that don't belong.
> They aren't even conditional on a config option or
> sysctl value.

maybe you misunderstood my mail. This was an announcement for
exec-shield users. You can safely ignore it.

> [...] One might guess from CAP_SYS_NICE that the feature has now
> become hopelessly slow. [...]

(thank you for the kind words, it is always heartening to read your
mails! I too wish you good luck with your projects.)

Ingo

2004-10-17 23:20:22

by Albert Cahalan

[permalink] [raw]
Subject: Re: [patch] exec-shield-nx-2.6.9-A1

On Sun, 2004-10-17 at 16:30, Ingo Molnar wrote:

> > [...] One might guess from CAP_SYS_NICE that the feature has now
> > become hopelessly slow. [...]
>
> (thank you for the kind words, it is always heartening to read your
> mails! I too wish you good luck with your projects.)

:-)

Well, CAP_SYS_NICE does kind of imply that there is
an issue with CPU time, doesn't it? I didn't see any
code that would change performance, so I suppose you
figure that wchan is already too slow?

CAP_SYS_ADMIN is the misc. dumping ground normally.



2004-10-20 17:29:42

by Sami Farin

[permalink] [raw]
Subject: Re: [patch] exec-shield-nx-2.6.9-A1

On Sun, Oct 17, 2004 at 11:53:43AM +0200, Ingo Molnar wrote:
>
> i've released the latest exec-shield patch:
>
> http://redhat.com/~mingo/exec-shield/exec-shield-nx-2.6.9-A1
>
> this is a merge of the exec-shield patches used in FC2/FC3 to mainline.
> (The patch is smaller than earlier exec-shield patches or the 2.4 patch
> because a sub-functionality related to exec-shield (flexmmap) got merged
> to 2.6.9.)
>
> This version of exec-shield makes use of NX too, if available (and PAE),
> and falls back to the segment-limit method on CPUs that have no NX.

Well, I tried it.
Can you tell am I doing something wrong?

Without any special flags into paxtest-0.9.6 [1] Makefile.generic
I get "Vulnerable" and "No randomisation" for all of the tests.

When I add "-fPIC":
Executable shared library bss : Killed
Executable shared library data : Killed
When I add "-fomit-frame-pointer" (!!?):
Executable stack : Killed

Also, sbrk(0) always returns 0x804a000.

non-NX UP i386 (Celeron Mendocino), gcc-3.4.2
(gcc-2.95.3 used for the kernel),
Fedora's binutils-2.15.92.0.2-4 and glibc-2.3.3-67,
exec-shield-nx-2.6.9-A2, Linux-2.6.9, .config at
http://safari.iki.fi/config-2.6.9-20041020-1.txt

Previous attempt: with 2.6.9-rc4 + linux-2.6.0-exec-shield.patch +
4G4G patches from Fedora's kernel-2.6.8-1.603 I had _some_ working
randomisations:
Anonymous mapping randomisation test : 12 bits (guessed)
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : 12 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 12 bits (guessed)
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : No randomisation

Without 4G4G patches none of the randomisations were working (!!?).

$ cat /proc/sys/kernel/exec-shield{,-randomize}
2
1

$ cat /proc/self/maps
03bc7000-03bdc000 r-xp 00000000 16:46 399658 /lib/ld-2.3.3.so
03bdc000-03bdd000 r-xp 00014000 16:46 399658 /lib/ld-2.3.3.so
03bdd000-03bde000 rwxp 00015000 16:46 399658 /lib/ld-2.3.3.so
03c69000-03d88000 r-xp 00000000 16:46 399659 /lib/tls/libc-2.3.3.so
03d88000-03d89000 ---p 0011f000 16:46 399659 /lib/tls/libc-2.3.3.so
03d89000-03d8b000 r-xp 0011f000 16:46 399659 /lib/tls/libc-2.3.3.so
03d8b000-03d8d000 rwxp 00121000 16:46 399659 /lib/tls/libc-2.3.3.so
03d8d000-03d8f000 rwxp 03d8d000 00:00 0
08048000-0804c000 r-xp 00000000 16:46 398963 /bin/cat
0804c000-0804d000 rwxp 00004000 16:46 398963 /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0
b7ddf000-b7de0000 r-xp 0077d000 16:03 441105 /usr/lib/locale/locale-archive
b7de0000-b7fe0000 r-xp 00000000 16:03 441105 /usr/lib/locale/locale-archive
b7fe0000-b7fe1000 rwxp b7fe0000 00:00 0
bfffd000-c0000000 rw-p bfffd000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0

(output is always the same)

[1] ftp://ftp.fi.debian.org/pub/debian/pool/main/p/paxtest/paxtest_0.9.6.orig.tar.gz
+ paxtest_0.9.6-2.diff.gz

--