On Mon, 19 Jan 2004 20:02:19 +0100, Michal Zalewski said:
> How is it an issue? I think it is a feature - it is noexec that is pretty
> badly broken by design, and nearly impossible to render secure... and what
> does Linux kernel have to do with addressing it?
Well, if you consider noexec to be a feature, the /lib/ld-linux trick was a bug
in it.
In what way is it "badly broken"?
> Disclaimer: I don't have 2.6 sources at hand, maybe this is the case
> (although I somehow doubt there is a reasonable way to fix it kernel -
> how, by refusing PROT_EXEC mappings from files on noexec partitions? hope
> not).
Here's Ulrich Drepper's patch, as Linus took it:
struct rb_node ** rb_link, * rb_parent;
unsigned long charged = 0;
- if (file && (!file->f_op || !file->f_op->mmap))
- return -ENODEV;
+ if (file) {
+ if (!file->f_op || !file->f_op->mmap)
+ return -ENODEV;
+
+ if ((prot & PROT_EXEC) && (file->f_vfsmnt->mnt_flags &
MNT_NOEXEC))
+ return -EPERM;
+ }
if (!len)
return addr;
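Review bot: the new MNT_NOEXEC test is placed only on the initial file-mapping path shown here, so nothing in this hunk covers a later mprotect() request for PROT_EXEC on a mapping that was first created without it; either add the matching check on that path or document that this hunk only rejects the initial PROT_EXEC mapping. The added -EPERM return is also a new error for callers (mmap previously returned -ENODEV here), so the mmap(2) ERRORS list should mention it. Minor: as quoted, the condition is wrapped onto two lines ("MNT_NOEXEC))" starts its own line), so the patch will not apply as pasted; the real line is presumably a single line.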
So yes, they're stomping on PROT_EXEC. The same code is also in 2.4.25-pre6.
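Whether a running kernel actually refuses PROT_EXEC file mappings from a noexec mount, as the quoted change intends, can be checked with the following probe. This is an added example, not code from the mail or from the kernel patch; it assumes Linux and a directory to probe (argv[1], defaulting to /tmp), and the scratch file it maps is constructed by the program itself.

```c
/* Added probe (not from the mail or the kernel patch): does this kernel
 * refuse a PROT_EXEC file mapping from a noexec mount?  Assumes Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page of `path` with PROT_READ|PROT_EXEC.  Returns 0 when allowed,
 * otherwise the errno from open() or mmap(): EPERM is what the quoted
 * MNT_NOEXEC check produces; EACCES would come from an LSM denial. */
int probe_exec_mapping(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int rc = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED)
        munmap(p, 4096);
    close(fd);
    return rc;
}

/* Create a constructed 4 KiB scratch file in `dir`, probe it, remove it.
 * The result reflects the mount `dir` lives on, not the file's contents. */
int probe_exec_mapping_in_dir(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/noexec-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    int rc = (ftruncate(fd, 4096) == 0) ? 0 : errno;   /* one page of zeros */
    close(fd);
    if (rc == 0)
        rc = probe_exec_mapping(path);
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int rc = probe_exec_mapping_in_dir(dir);
    printf("%s: PROT_EXEC file mapping %s\n", dir, rc ? strerror(rc) : "allowed");
    return 0;
}
```

Run it against a directory on a mount listed with noexec in /proc/mounts: a kernel carrying the patch reports EPERM there, while the same file on an ordinary mount maps fine.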