Full Disclosure mailing list archives

Re: linux bugs (survival stories)?


From: Valdis.Kletnieks () vt edu
Date: Tue, 12 Apr 2005 23:34:43 -0400

On Wed, 13 Apr 2005 01:41:03 BST, pageexec () freemail hu said:
> the real problem with the current linux noexec mount handling is
> that by not restricting mprotect one can just construct an ELF file
> that when mmap'ed will overlap the stack and call mprotect and
> execute your code, effectively circumventing this measure (there was
> a longish thread on this topic last May on dailydave), this gives
> you a false sense of security only, not security. without such a
> restriction a sysadmin cannot enforce a W^X policy at the file
> system level. NetBSD (maybe the others as well, i didn't check)
> and PaX both forbid mprotect(PROT_EXEC) on noexec mounts for this
> reason.

Now this, unlike the /lib/ld-linux.so hack, is a still-existing issue.

However, this is getting rather far afield, because:

1) This is quite arguably a "design decision" rather than an outright bug.

2) Whether it's a bug or not, it only impacts userspace security - and we
started off discussing protecting the kernel itself from kernel bugs....

(Not that I'm averse to a thread on "what the kernel could do to harden
userspace" - but somebody needs to change the Subject: line if we go that way...)
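As an added example (not code from either poster in this thread), here is a small Linux audit program in C that reports which of the two routes to an executable file mapping a given mount permits: a direct mmap(PROT_EXEC), which a noexec mount refuses, or a read-only mmap later upgraded with mprotect(PROT_EXEC), which is the gap pageexec describes and which PaX and NetBSD close. The function names (probe_noexec, wx_describe, wx_make_sample) and the sample file it writes are my own assumptions; the program maps a small constructed data file and never transfers control into the mapping, it only records what the kernel allowed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* How a file-backed mapping of the given file can (or cannot) become executable. */
enum wx_result {
    WX_ERROR = -1,        /* could not open, stat or map the file at all */
    WX_MMAP_EXEC_OK = 0,  /* mmap(PROT_EXEC) succeeded: the file is not on a noexec mount */
    WX_MPROTECT_EXEC_OK,  /* mmap(PROT_EXEC) refused, but mprotect(PROT_EXEC) worked: the gap */
    WX_BOTH_DENIED        /* both refused: a PaX/NetBSD-style mprotect restriction is in effect */
};

/* Probe one file. Hypothetical helper, not part of any kernel or PaX tooling. */
enum wx_result probe_noexec(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return WX_ERROR;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) { close(fd); return WX_ERROR; }
    size_t len = (size_t)st.st_size;

    /* Step 1: ask for an executable mapping outright. On a noexec mount the
       kernel refuses this (EPERM); that refusal is all the mount option buys. */
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p != MAP_FAILED) { munmap(p, len); close(fd); return WX_MMAP_EXEC_OK; }

    /* Step 2: take a read-only mapping of the same file, then ask mprotect to add
       PROT_EXEC. Stock Linux of the era allows this; PaX and NetBSD refuse it. */
    p = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) { close(fd); return WX_ERROR; }
    int rc = mprotect(p, len, PROT_READ | PROT_EXEC);
    munmap(p, len);
    close(fd);
    return rc == 0 ? WX_MPROTECT_EXEC_OK : WX_BOTH_DENIED;
}

/* Human-readable verdict for a probe result. */
const char *wx_describe(enum wx_result r) {
    switch (r) {
    case WX_MMAP_EXEC_OK:     return "mmap(PROT_EXEC) allowed: not a noexec mount";
    case WX_MPROTECT_EXEC_OK: return "noexec mount, but mprotect(PROT_EXEC) allowed: W^X not enforced";
    case WX_BOTH_DENIED:      return "noexec mount and mprotect(PROT_EXEC) refused: W^X enforced";
    default:                  return "probe failed (open/stat/mmap error)";
    }
}

/* Create a small, non-empty data file under `dir` so the probe has something to map.
   The contents are constructed filler, not machine code. Returns a heap path or NULL. */
char *wx_make_sample(const char *dir) {
    char *path = NULL;
    if (asprintf(&path, "%s/wxprobe-XXXXXX", dir) < 0) return NULL;
    int fd = mkstemp(path);
    if (fd < 0) { free(path); return NULL; }
    const char sample[] = "noexec probe sample data (constructed, not executable code)\n";
    ssize_t n = write(fd, sample, sizeof sample - 1);
    close(fd);
    if (n != (ssize_t)(sizeof sample - 1)) { unlink(path); free(path); return NULL; }
    return path;
}

int main(int argc, char **argv) {
    /* With arguments: probe those files. Without: drop a sample file into a few
       commonly noexec-mounted directories and probe each one. */
    if (argc > 1) {
        for (int i = 1; i < argc; i++)
            printf("%-20s %s\n", argv[i], wx_describe(probe_noexec(argv[i])));
        return 0;
    }
    const char *dirs[] = { "/tmp", "/dev/shm", "/var/tmp" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        char *p = wx_make_sample(dirs[i]);
        if (!p) { printf("%-20s (could not create sample file)\n", dirs[i]); continue; }
        printf("%-20s %s\n", dirs[i], wx_describe(probe_noexec(p)));
        unlink(p);
        free(p);
    }
    return 0;
}
```

Run it with no arguments to check /tmp, /dev/shm and /var/tmp, or pass the paths of files on the mounts you want to audit. A "W^X not enforced" verdict on a mount you set noexec is exactly the condition the thread is about, and no mount option fixes it; the restriction has to come from the kernel (PaX, or a NetBSD-style policy), which is the point of the reply above.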


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/