207020 – vDSO placement ignores exec-shield; inhibits NX simulation

Bug 207020 - vDSO placement ignores exec-shield; inhibits NX simulation

Summary: vDSO placement ignores exec-shield; inhibits NX simulation

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	6
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Ingo Molnar
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-09-18 19:48 UTC by John Reiser
Modified:	2007-11-30 22:11 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-10-03 00:50:03 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description John Reiser 2006-09-18 19:48:57 UTC

Description of problem: On i386, the kernel is placing the vDSO into the address
space without honoring the strategy requested by /proc/sys/kernel/exec-shield. 
Requests are: If bit 3 (value 8) is set, then just below the .text of PT_INTERP
(ld.so).  If bit 2 (value 4) is set, then just below the .text of main.  Other
combinations for just below STACKTOP, and random.  Insteasd, the observed
behavior is the vDSO is placed just below stacklimit.  On x86 that do not have
NX hardware, this means that simulating NX by reducing the segment limit of %cs
is not effective at all, because the segment limit of %cs must cover the vDSO. 
So the observed behavior cannot protect against execution on the main heap,
whereas the requested policy could.  Also, placement just below stacklimit means
that the stack never can be expanded once it is reached (no soft limit).


Version-Release number of selected component (if applicable):
kernel-2.6.17-1.2647.fc6

How reproducible:
always

Steps to Reproduce:
1. cat /proc/self/maps
2.
3.
  
Actual results:
08048000-0804d000 r-xp 00000000 03:47 1207729    /bin/cat
0804d000-0804e000 rwxp 00004000 03:47 1207729    /bin/cat
09813000-09834000 rwxp 09813000 00:00 0 
4bab1000-4baca000 r-xp 00000000 03:47 1925778    /lib/ld-2.4.90.so
4baca000-4bacb000 r-xp 00018000 03:47 1925778    /lib/ld-2.4.90.so
4bacb000-4bacc000 rwxp 00019000 03:47 1925778    /lib/ld-2.4.90.so
4c480000-4c5b7000 r-xp 00000000 03:47 1925785    /lib/libc-2.4.90.so
4c5b7000-4c5b9000 r-xp 00137000 03:47 1925785    /lib/libc-2.4.90.so
4c5b9000-4c5ba000 rwxp 00139000 03:47 1925785    /lib/libc-2.4.90.so
4c5ba000-4c5bd000 rwxp 4c5ba000 00:00 0 
b7d2a000-b7f2a000 r-xp 00000000 03:47 472129     /usr/lib/locale/locale-archive
b7f2a000-b7f2c000 rwxp b7f2a000 00:00 0 
b7f3b000-b7f3c000 r-xp b7f3b000 00:00 0          [vdso]
bfc2b000-bfc40000 rw-p bfc2b000 00:00 0          [stack]

and that is independent of /proc/sys/kernel/exec-shield (in particular, the
values 9 or 5.)

Expected results:
After "echo 9 >/proc/sys/kernel/exec-shield":
4bab0000-4bab1000 r-xp 00000000 00:00 0          [vDSO]
4bab1000-4baca000 r-xp 00000000 03:47 1925778    /lib/ld-2.4.90.so

After "echo 5 >/proc/sys/kernel/exec-shield":
08047000-08048000 r-xp 00000000 00:00 0          [vDSO]
08048000-0804d000 r-xp 00000000 03:47 1207729    /bin/cat



Additional info:
There is some history in bug #162797.  The patch was included as an update to
FC5 very shortly after final release.

Comment 1 Dave Jones 2006-10-03 00:50:03 UTC

should be fixed in todays build

Note You need to log in before you can comment on or make changes to this bug.