Bug 109918

Summary: | executable code in .data in ld.so renders system unusable for PaX users | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | PaX Team <pageexec> |
Component: | glibc | Assignee: | Jakub Jelinek <jakub> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | high | Priority: | high |
Version: | 9 | CC: | fweimer |
Hardware: | i686 | OS: | Linux |
URL: | ftp://updates.redhat.com/9/en/os/i686/glibc-2.3.2-27.9.6.i686.rpm | | |
Fixed In Version: | 2.3.2-27.9.7 | Doc Type: | Bug Fix |
Last Closed: | 2003-11-13 21:51:43 UTC | | |

Description
PaX Team
2003-11-12 23:05:17 UTC
Workaround that I found if you have a custom kernel. Boot into a Red Hat standard kernel and force install glibc-2.3.2-27.9.6.i386.rpm and then reboot into your custom kernel.

The version 2.3.2-27.9.7 is working except for /usr/sbin/iconvconfig (glibc-2.3.2-27.9.7.i686.rpm):

Nov 13 08:29:24 goliath kernel: PAX: terminating task: /usr/sbin/iconvconfig(iconvconfig):3078, uid/euid: 0/0, PC: 5eed1030, SP: 5eed0f3c
Nov 13 08:29:24 goliath kernel: PAX: bytes at PC: b9 90 10 ed 5e e9 36 8a 17 a9 ed 5e 7f 98 04 08 f8 d8 07 08

It looks like it breaks the install of the rpm in the %post section:

error: %post(glibc-2.3.2-27.9.7) scriptlet failed, exit status 115

If PaX doesn't handle programs using nested functions whose address is taken, then it is broken IMHO. See Exec-Shield in Fedora Core 1 for a (better) alternative.

PaX handles nested function trampolines by emulating them; however, this requires that users explicitly enable this feature (both in the kernel .config and on affected binaries). Work is in progress to do this automatically based on the PT_GNU_STACK marking (note that this particular series of glibc releases does not carry such markings, so they would still require user intervention). The suggested alternative is not acceptable to PaX users because of its lesser security features. Also, it is an apples to oranges comparison, as iconvconfig in Fedora has been explicitly modified to not use nested functions (see the move of iconv/iconvconfig.c:name_insert() in glibc-redhat.patch); obviously that will work with a non-executable stack, be that provided by Exec-Shield or PaX.

iconvconfig in Fedora doesn't use trampolines simply because I needed that patch when Exec-Shield did not honor PT_GNU_STACK yet. But as iconvconfig is single threaded, it really doesn't have to use the trampolines, so I kept the patch. It would work just fine even without it though in FC1.
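
The PT_GNU_STACK marking discussed in the comments above can be checked directly in a binary's program headers. The following C code is an added example, not part of the bug report and not glibc or PaX code; it handles little-endian ELF32 and ELF64 only, and the function names, enum values and the 84-byte sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK_ 0x6474e551u /* value of PT_GNU_STACK in <elf.h> */
#define PF_X_ 0x1u                /* value of PF_X: executable segment */
enum marking { ELF_INVALID = -1, STACK_UNMARKED, STACK_NOEXEC, STACK_EXEC };

static uint64_t rd(const unsigned char *p, int n) { /* little-endian read */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

enum marking gnu_stack_marking(const unsigned char *img, size_t len) {
    if (len < 52 || memcmp(img, "\177ELF", 4) != 0 || img[5] != 1)
        return ELF_INVALID;             /* too short, bad magic, or big-endian */
    int is64 = (img[4] == 2);
    if ((!is64 && img[4] != 1) || (is64 && len < 64)) return ELF_INVALID;
    uint64_t phoff = is64 ? rd(img + 32, 8) : rd(img + 28, 4);
    uint64_t phentsize = rd(img + (is64 ? 54 : 42), 2);
    uint64_t phnum = rd(img + (is64 ? 56 : 44), 2);
    uint64_t need = is64 ? 56 : 32;     /* sizeof(Elf64_Phdr) : sizeof(Elf32_Phdr) */
    if (phentsize < need || phoff > len) return ELF_INVALID;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > len || len - off < need) return ELF_INVALID;
        if (rd(img + off, 4) != PT_GNU_STACK_) continue;
        /* p_flags sits at offset 4 in Elf64_Phdr and 24 in Elf32_Phdr */
        return (rd(img + off + (is64 ? 4 : 24), 4) & PF_X_) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNMARKED;              /* no PT_GNU_STACK program header at all */
}

/* Constructed 84-byte ELF32 image: ELF header plus one program header. */
size_t sample_elf32(unsigned char *out, int marked, unsigned char flags) {
    static const unsigned char gs[4] = {0x51, 0xe5, 0x74, 0x64};
    memset(out, 0, 84);
    memcpy(out, "\177ELF\1\1\1", 7);          /* magic, ELFCLASS32, ELFDATA2LSB */
    out[28] = 52; out[42] = 32; out[44] = 1;  /* e_phoff, e_phentsize, e_phnum */
    if (marked) memcpy(out + 52, gs, 4); else out[52] = 1; /* PT_GNU_STACK or PT_LOAD */
    out[76] = flags;                          /* p_flags: 6 = PF_R|PF_W, 7 adds PF_X */
    return 84;
}

int main(void) {
    unsigned char img[84];
    printf("unmarked: %d\n", gnu_stack_marking(img, sample_elf32(img, 0, 5)));
    printf("rw stack: %d\n", gnu_stack_marking(img, sample_elf32(img, 1, 6)));
    printf("rwx stack: %d\n", gnu_stack_marking(img, sample_elf32(img, 1, 7)));
    return 0;
}
```

A result of STACK_EXEC means the binary asks for an executable stack, which is what code using nested function trampolines needs; STACK_UNMARKED corresponds to binaries built without the marking, as the comment above says of this glibc series.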