I'm reading Ingo's NX quick start document:
http://people.redhat.com/mingo/nx-patches/QuickStart-NX.txt
Quote:
"If an application defines a noexec stack then the kernel will enforce
this executability, and all attempts to execute on the stack will be
prevented by the hardware."
My question is related to the conditional "if an application". So it
looks like it depends on the app.
Now, the OS/hardware combination that I'm using (RHEL4 WS 32 bit on
AMD64 CPU - long story, don't ask) definitely enables NX:
# grep -i nx /var/log/dmesg
NX (Execute Disable) protection: active
But it's running a Web service which is a combination of C code and
Tomcat/Java. I have no clue how to determine which portions specify a
noexec stack and which don't.
In case it turns out some portions do not specify a noexec stack, my
next question is how to get the application to create a noexec stack
(assume I can make that request to the developers).
(please do NOT Cc me, I'm subscribed to the list)
--
Florin Andrei
http://florin.myip.org/
> But it's running a Web service which is a combination of C code and
> Tomcat/Java. I have no clue how to determine which portions specify a
> noexec stack and which don't.
>
> In case it turns out some portions do not specify a noexec stack, my
> next question is how to get the application to create a noexec stack
> (assume I can make that request to the developers).
like this:
$ eu-readelf -l /bin/true | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
(replace /bin/true with the binary or library you want to check)
if it says "RW" like here, it'll have non-executable stack. If it says
"RWX" or if this line is absent entirely, the stack will be executable.
Arjan van de Ven <[email protected]> writes:
> like this:
>
> $ eu-readelf -l /bin/true | grep STACK
> GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
>
>
> (replace /bin/true with the binary or library you want to check)
>
> if it says "RW" like here, it'll have non-executable stack. If it says
> "RWX" or if this line is absent entirely, the stack will be executable.
The last part is not true. Some architectures (especially newer ones)
default to non-exec stack. The absense of a GNU_STACK header represents
the default.
Andreas.
--
Andreas Schwab, SuSE Labs, [email protected]
SuSE Linux Products GmbH, Maxfeldstra?e 5, 90409 N?rnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
On Sat, 2007-06-30 at 00:15 +0200, Andreas Schwab wrote:
> Arjan van de Ven <[email protected]> writes:
>
> > like this:
> >
> > $ eu-readelf -l /bin/true | grep STACK
> > GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
> >
> >
> > (replace /bin/true with the binary or library you want to check)
> >
> > if it says "RW" like here, it'll have non-executable stack. If it says
> > "RWX" or if this line is absent entirely, the stack will be executable.
>
> The last part is not true. Some architectures (especially newer ones)
> default to non-exec stack. The absense of a GNU_STACK header represents
> the default.
ok you're right; powerpc64 defaults to non-executable stack
(all others default to executable stack)
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org
Arjan van de Ven <[email protected]> writes:
> (all others default to executable stack)
Except ia64.
Andreas.
--
Andreas Schwab, SuSE Labs, [email protected]
SuSE Linux Products GmbH, Maxfeldstra?e 5, 90409 N?rnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
On Sat, 2007-06-30 at 00:41 +0200, Andreas Schwab wrote:
> Arjan van de Ven <[email protected]> writes:
>
> > (all others default to executable stack)
>
> Except ia64.
for ia64 it depends on the personality actually .. just to make it more
complex.
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org
Arjan van de Ven wrote:
>> But it's running a Web service which is a combination of C code and
>> Tomcat/Java. I have no clue how to determine which portions specify a
>> noexec stack and which don't.
>
> like this:
>
> $ eu-readelf -l /bin/true | grep STACK
> GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
Is Sun Java 1.5 a known exception - as an application that doesn't set a
noexec stack and reverts to default?
# eu-readelf -l ./java | grep STACK | wc -l
0
But then, this bug report seems to indicate otherwise, if I'm reading it
correctly:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5051381
--
Florin Andrei
http://florin.myip.org/
On Fri, 2007-06-29 at 18:21 -0700, Florin Andrei wrote:
> Arjan van de Ven wrote:
> >> But it's running a Web service which is a combination of C code and
> >> Tomcat/Java. I have no clue how to determine which portions specify a
> >> noexec stack and which don't.
> >
> > like this:
> >
> > $ eu-readelf -l /bin/true | grep STACK
> > GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
>
> Is Sun Java 1.5 a known exception - as an application that doesn't set a
> noexec stack and reverts to default?
>
> # eu-readelf -l ./java | grep STACK | wc -l
> 0
>
> But then, this bug report seems to indicate otherwise, if I'm reading it
> correctly:
>
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5051381
that's not a mainline kernel; and I don't rule out that early RHEL3
versions had a 64/32 bug in this area
>
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org