Description of problem:
Exec-Shield not found in Fedora 19; using "sysctl -a | grep -i exec" I can't see exec-shield. With SELinux enabled and a default installation of Fedora 19, it can't stop a stack smashing. If I compile this code:

    #include <string.h>

    /* Reporter's testcase: unbounded strcpy() into a 10-byte stack buffer.
       The overflow is deliberate: any av[1] longer than 9 characters
       overwrites whatever lies above buf on the stack. */
    int main(int ac, char **av)
    {
        char buf[10];
        strcpy(buf, av[1]);
        return buf[5];
    }

and run it with more than 10 chars, I obtain a segfault. Theoretically exec-shield, SELinux and the PAE kernel stop it, but they do not. Using a custom vanilla kernel + grsec I can stop this, and execution stops with "killed", while on a Fedora 19 stock PAE kernel it does not. The box has an NX-capable CPU with the pae instruction.

Version-Release number of selected component (if applicable):
Fedora 19 xfce, up to date.

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 19 with the PAE kernel on a capable CPU
2. Compile the code mentioned and run it: ./foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3. A segfault is generated and a possible shellcode insertion, while the PaX + grsecurity patch prevents it and kills it.

Actual results:
Fedora 19 is vulnerable to exploits that use bad programming in any software.

Expected results:
Add support to Fedora for stopping stack smashing.

Additional info:
CPU flags:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm ida dtherm tpr_shadow vnmi flexpriority
Fedora makes use of the NX bit automatically when it is available.

    $ dmesg | grep protection
    Sep 2 13:56:48 hostname kernel: [ 0.000000] NX (Execute Disable) protection: active
    ...

Additionally, see https://bugzilla.redhat.com/show_bug.cgi?id=163735

On Fedora 19,

    $ cat /proc/sys/kernel/randomize_va_space
    2

(this is the "strongest" possible ASLR setting)
...
I think that this code is *not* exploitable on modern Fedora systems without *disabling* a lot of the protections we have enabled by *default*. That being said, we are always working on enabling new hardening features, e.g. https://fedorahosted.org/fesco/ticket/1153
Also, the exec-shield sysrq isn't present because we no longer carry the out-of-tree execshield patch. That patch isn't needed on systems that support NX. Overwriting the stack, as your testcase does, generates a SEGFAULT as expected. If you want stack smashing protection, you should compile with -fstack-protector. Most code in Fedora is compiled with that.
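The -fstack-protector advice in the comment above can be checked directly on the reporter's own testcase. This is an added example, not part of the bug report: it rebuilds the testcase with and without GCC's stack protector, runs each build with the long argument from the report, and classifies how the process terminated; it assumes gcc and a POSIX shell, and the file names are constructed here.

```shell
#!/bin/sh
# Added example: rebuild the bug report's testcase with and without the
# stack protector and classify the result. Assumes gcc is installed.

# Map a shell exit status to what happened (128+signal for signal deaths).
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        134) echo "sigabrt-stack-protector" ;;   # __stack_chk_fail() -> abort()
        139) echo "sigsegv" ;;                   # clobbered return address
        *)   echo "exit-$1" ;;
    esac
}

# Build the testcase from the report with the given flags, run it with the
# report's oversized argument, and print the classification of the outcome.
run_case() {
    flags="$1"; bin="$2"
    cat > "$bin.c" <<'EOF'
#include <string.h>
int main(int ac, char **av) { char buf[10]; strcpy(buf, av[1]); return buf[5]; }
EOF
    gcc $flags -o "$bin" "$bin.c" || return 1
    "./$bin" xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >/dev/null 2>&1
    classify_exit $?
}

if command -v gcc >/dev/null 2>&1; then
    workdir=$(mktemp -d); cd "$workdir" || exit 1
    printf 'no protector:       %s\n' "$(run_case '-O0 -fno-stack-protector' smash_plain)"
    # With the protector, glibc prints "*** stack smashing detected ***" and aborts.
    printf 'stack protector:    %s\n' "$(run_case '-O0 -fstack-protector-all' smash_ssp)"
    # Kernel-side mitigations discussed in the thread, on the same host:
    printf 'randomize_va_space: %s\n' "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)"
    grep -q '[[:space:]]nx[[:space:]]' /proc/cpuinfo 2>/dev/null && echo 'CPU advertises NX'
fi
```

Neither NX nor ASLR changes the first result: the overflow still corrupts the return address and the process dies with SIGSEGV, whereas the protected build aborts before the corrupted frame is ever used.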