Bug 207020 - vDSO placement ignores exec-shield; inhibits NX simulation
vDSO placement ignores exec-shield; inhibits NX simulation
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
6
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Ingo Molnar
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-18 15:48 EDT by John Reiser
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-02 20:50:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Reiser 2006-09-18 15:48:57 EDT
Description of problem: On i386, the kernel is placing the vDSO into the address
space without honoring the strategy requested by /proc/sys/kernel/exec-shield. 
Requests are: If bit 3 (value 8) is set, then just below the .text of PT_INTERP
(ld.so).  If bit 2 (value 4) is set, then just below the .text of main.  Other
combinations for just below STACKTOP, and random.  Insteasd, the observed
behavior is the vDSO is placed just below stacklimit.  On x86 that do not have
NX hardware, this means that simulating NX by reducing the segment limit of %cs
is not effective at all, because the segment limit of %cs must cover the vDSO. 
So the observed behavior cannot protect against execution on the main heap,
whereas the requested policy could.  Also, placement just below stacklimit means
that the stack never can be expanded once it is reached (no soft limit).


Version-Release number of selected component (if applicable):
kernel-2.6.17-1.2647.fc6

How reproducible:
always

Steps to Reproduce:
1. cat /proc/self/maps
2.
3.
  
Actual results:
08048000-0804d000 r-xp 00000000 03:47 1207729    /bin/cat
0804d000-0804e000 rwxp 00004000 03:47 1207729    /bin/cat
09813000-09834000 rwxp 09813000 00:00 0 
4bab1000-4baca000 r-xp 00000000 03:47 1925778    /lib/ld-2.4.90.so
4baca000-4bacb000 r-xp 00018000 03:47 1925778    /lib/ld-2.4.90.so
4bacb000-4bacc000 rwxp 00019000 03:47 1925778    /lib/ld-2.4.90.so
4c480000-4c5b7000 r-xp 00000000 03:47 1925785    /lib/libc-2.4.90.so
4c5b7000-4c5b9000 r-xp 00137000 03:47 1925785    /lib/libc-2.4.90.so
4c5b9000-4c5ba000 rwxp 00139000 03:47 1925785    /lib/libc-2.4.90.so
4c5ba000-4c5bd000 rwxp 4c5ba000 00:00 0 
b7d2a000-b7f2a000 r-xp 00000000 03:47 472129     /usr/lib/locale/locale-archive
b7f2a000-b7f2c000 rwxp b7f2a000 00:00 0 
b7f3b000-b7f3c000 r-xp b7f3b000 00:00 0          [vdso]
bfc2b000-bfc40000 rw-p bfc2b000 00:00 0          [stack]

and that is independent of /proc/sys/kernel/exec-shield (in particular, the
values 9 or 5.)

Expected results:
After "echo 9 >/proc/sys/kernel/exec-shield":
4bab0000-4bab1000 r-xp 00000000 00:00 0          [vDSO]
4bab1000-4baca000 r-xp 00000000 03:47 1925778    /lib/ld-2.4.90.so

After "echo 5 >/proc/sys/kernel/exec-shield":
08047000-08048000 r-xp 00000000 00:00 0          [vDSO]
08048000-0804d000 r-xp 00000000 03:47 1207729    /bin/cat



Additional info:
There is some history in bug #162797.  The patch was included as an update to
FC5 very shortly after final release.
Comment 1 Dave Jones 2006-10-02 20:50:03 EDT
should be fixed in todays build

Note You need to log in before you can comment on or make changes to this bug.