Date: Wed, 20 Oct 2004 20:23:00 +0300
From: Sami Farin <7atbggg02@sneakemail.com>
To: linux-kernel@vger.kernel.org
Subject: Re: [patch] exec-shield-nx-2.6.9-A1
Message-ID: <20041020172300.GA7608@m.safari.iki.fi>
Mail-Followup-To: linux-kernel@vger.kernel.org
References: <20041017095343.GA7976@elte.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041017095343.GA7976@elte.hu>
User-Agent: Mutt/1.5.6i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 3384
Lines: 82

On Sun, Oct 17, 2004 at 11:53:43AM +0200, Ingo Molnar wrote:
> 
> i've released the latest exec-shield patch:
> 
>    http://redhat.com/~mingo/exec-shield/exec-shield-nx-2.6.9-A1
> 
> this is a merge of the exec-shield patches used in FC2/FC3 to mainline.
> (The patch is smaller than earlier exec-shield patches or the 2.4 patch
> because a sub-functionality related to exec-shield (flexmmap) got merged
> to 2.6.9.)
> 
> This version of exec-shield makes use of NX too, if available (and PAE),
> and falls back to the segment-limit method on CPUs that have no NX.

Well, I tried it.
Can you tell am I doing something wrong?
 
Without any special flags into paxtest-0.9.6 [1] Makefile.generic
I get "Vulnerable" and "No randomisation" for all of the tests.

When I add "-fPIC":
Executable shared library bss            : Killed
Executable shared library data           : Killed
When I add "-fomit-frame-pointer" (!!?):
Executable stack                         : Killed

Also, sbrk(0) always returns 0x804a000.

non-NX UP i386 (Celeron Mendocino), gcc-3.4.2
(gcc-2.95.3 used for the kernel),
Fedora's binutils-2.15.92.0.2-4 and glibc-2.3.3-67,
exec-shield-nx-2.6.9-A2, Linux-2.6.9, .config at
http://safari.iki.fi/config-2.6.9-20041020-1.txt

Previous attempt: with 2.6.9-rc4 + linux-2.6.0-exec-shield.patch +
4G4G patches from Fedora's kernel-2.6.8-1.603 I had _some_ working
randomisations:
Anonymous mapping randomisation test     : 12 bits (guessed)
Heap randomisation test (ET_EXEC)        : No randomisation
Heap randomisation test (ET_DYN)         : 12 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 12 bits (guessed)
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation

Without 4G4G patches none of the randomisations were working (!!?).

$ cat /proc/sys/kernel/exec-shield{,-randomize}
2
1

$ cat /proc/self/maps 
03bc7000-03bdc000 r-xp 00000000 16:46 399658     /lib/ld-2.3.3.so
03bdc000-03bdd000 r-xp 00014000 16:46 399658     /lib/ld-2.3.3.so
03bdd000-03bde000 rwxp 00015000 16:46 399658     /lib/ld-2.3.3.so
03c69000-03d88000 r-xp 00000000 16:46 399659     /lib/tls/libc-2.3.3.so
03d88000-03d89000 ---p 0011f000 16:46 399659     /lib/tls/libc-2.3.3.so
03d89000-03d8b000 r-xp 0011f000 16:46 399659     /lib/tls/libc-2.3.3.so
03d8b000-03d8d000 rwxp 00121000 16:46 399659     /lib/tls/libc-2.3.3.so
03d8d000-03d8f000 rwxp 03d8d000 00:00 0 
08048000-0804c000 r-xp 00000000 16:46 398963     /bin/cat
0804c000-0804d000 rwxp 00004000 16:46 398963     /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0 
b7ddf000-b7de0000 r-xp 0077d000 16:03 441105     /usr/lib/locale/locale-archive
b7de0000-b7fe0000 r-xp 00000000 16:03 441105     /usr/lib/locale/locale-archive
b7fe0000-b7fe1000 rwxp b7fe0000 00:00 0 
bfffd000-c0000000 rw-p bfffd000 00:00 0 
ffffe000-fffff000 ---p 00000000 00:00 0 

(output is always the same)

[1] ftp://ftp.fi.debian.org/pub/debian/pool/main/p/paxtest/paxtest_0.9.6.orig.tar.gz
    + paxtest_0.9.6-2.diff.gz

-- 

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/