exec-shield broken in newer kernels?

Utz Lehmann u.lehmann at de.tecosim.com
Fri Nov 19 16:34:01 UTC 2004


Hi

I just noticed that exec-shield looks broken in newer kernels.

All tests are on i686 with prelinking disabled and
kernel.exec-shield = 1
kernel.exec-shield-randomize = 1
vm.legacy_va_layout = 0

A cat /proc/self/maps looks like this:

2.6.8-1.521smp (FC 2):
00cbf000-00cd4000 r-xp 00000000 03:02 327682     /lib/ld-2.3.3.so
00cd4000-00cd5000 r--p 00014000 03:02 327682     /lib/ld-2.3.3.so
00cd5000-00cd6000 rw-p 00015000 03:02 327682     /lib/ld-2.3.3.so
00dad000-00ec3000 r-xp 00000000 03:02 229387     /lib/tls/libc-2.3.3.so
00ec3000-00ec4000 r--p 00116000 03:02 229387     /lib/tls/libc-2.3.3.so
00ec4000-00ec7000 rw-p 00117000 03:02 229387     /lib/tls/libc-2.3.3.so
00ec7000-00ec9000 rw-p 00ec7000 00:00 0 
08048000-0804c000 r-xp 00000000 03:02 459964     /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 459964     /bin/cat
09dc8000-09de9000 rw-p 09dc8000 00:00 0 
f6dc4000-f6dc5000 r--p 00b1e000 03:02 475909     /usr/lib/locale/locale-archive
f6dc5000-f6df8000 r--p 00aea000 03:02 475909     /usr/lib/locale/locale-archive
f6df8000-f6ff8000 r--p 00000000 03:02 475909     /usr/lib/locale/locale-archive
f6ff8000-f6ff9000 rw-p f6ff8000 00:00 0 
feee0000-ff000000 rw-p feee0000 00:00 0 
ffffd000-ffffe000 ---p 00000000 00:00 0 

This is the familiar behavior. Only the exec mappings have the x bit and they
are randomized. The shared libs are placed under the binary.


2.6.9-1.667smp (FC 3):
00111000-00112000 r-xp 00a46000 03:01 640087     /usr/lib/locale/locale-archive
00112000-00113000 r-xp 00a99000 03:01 640087     /usr/lib/locale/locale-archive
002ef000-00304000 r-xp 00000000 03:01 704213     /lib/ld-2.3.3.so
00304000-00305000 r-xp 00014000 03:01 704213     /lib/ld-2.3.3.so
00305000-00306000 rwxp 00015000 03:01 704213     /lib/ld-2.3.3.so
00485000-00685000 r-xp 00000000 03:01 640087     /usr/lib/locale/locale-archive
0079c000-008bd000 r-xp 00000000 03:01 704943     /lib/tls/libc-2.3.3.so
008bd000-008bf000 r-xp 00120000 03:01 704943     /lib/tls/libc-2.3.3.so
008bf000-008c1000 rwxp 00122000 03:01 704943     /lib/tls/libc-2.3.3.so
008c1000-008c3000 rwxp 008c1000 00:00 0 
009e8000-009e9000 rwxp 009e8000 00:00 0 
00d8b000-00dbd000 r-xp 00a12000 03:01 640087     /usr/lib/locale/locale-archive
00f85000-00fb9000 r-xp 00a64000 03:01 640087     /usr/lib/locale/locale-archive
08048000-0804c000 r-xp 00000000 03:01 441615     /bin/cat
0804c000-0804d000 rwxp 00003000 03:01 441615     /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0 
feffe000-ff000000 rw-p feffe000 00:00 0 
ffffe000-fffff000 ---p 00000000 00:00 0 

Here all mappings except the stack have the x bit and they are randomized. I
think this causes the locale-archive mappings to be placed under the binary
too.


2.6.9-1.678_FC3 (FC 3):
08048000-0804c000 r-xp 00000000 03:01 6296799    /bin/cat
0804c000-0804d000 rwxp 00003000 03:01 6296799    /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0 
f6c37000-f6c38000 r-xp 00b71000 03:01 27280385   /usr/lib/locale/locale-archive
f6c38000-f6c6c000 r-xp 00b3c000 03:01 27280385   /usr/lib/locale/locale-archive
f6c6c000-f6c6d000 r-xp 00b1e000 03:01 27280385   /usr/lib/locale/locale-archive
f6c6d000-f6c9f000 r-xp 00aea000 03:01 27280385   /usr/lib/locale/locale-archive
f6c9f000-f6e9f000 r-xp 00000000 03:01 27280385   /usr/lib/locale/locale-archive
f6e9f000-f6ea0000 rwxp f6e9f000 00:00 0 
f6ea0000-f6fc1000 r-xp 00000000 03:01 31481922   /lib/tls/libc-2.3.3.so
f6fc1000-f6fc3000 r-xp 00120000 03:01 31481922   /lib/tls/libc-2.3.3.so
f6fc3000-f6fc5000 rwxp 00122000 03:01 31481922   /lib/tls/libc-2.3.3.so
f6fc5000-f6fc7000 rwxp f6fc5000 00:00 0 
f6fe9000-f6ffe000 r-xp 00000000 03:01 16798526   /lib/ld-2.3.3.so
f6ffe000-f6fff000 r-xp 00014000 03:01 16798526   /lib/ld-2.3.3.so
f6fff000-f7000000 rwxp 00015000 03:01 16798526   /lib/ld-2.3.3.so
feffe000-ff000000 rw-p feffe000 00:00 0 
ffffe000-fffff000 ---p 00000000 00:00 0 

Here all mappings including the executable mapping are placed top down. Only
the stack doesn't have the x bit, and there is no randomization at all.
I think exec-shield is mostly not working here (except the non-exec stack).
With segment-based executable protection (no NX bit), the address space is
executable up to 0xf7000000.


utz
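
As an added example for this thread (not code from the original post or from the exec-shield project): a small Python script that parses /proc/<pid>/maps lines in the format shown above and reports the two things the post checks by eye: mappings that are writable and executable at the same time, and the highest address that is executable, which is what matters when exec-shield has to fall back to the code-segment limit on a CPU without NX. The embedded samples are the 2.6.8-1.521smp and 2.6.9-1.678_FC3 dumps from the post, trimmed to the ld.so, libc, /bin/cat and stack lines; the randomization check compares library base addresses between two separate processes and only runs live when /proc/self/maps exists.

```python
"""Audit /proc/<pid>/maps output for exec-shield style protections.

Added example for this thread, not code from the original post. It parses
the maps format shown in the post and reports (a) mappings that are both
writable and executable, (b) the highest executable address, which is the
effective limit when exec-shield relies on the code-segment limit instead
of an NX bit, and (c) which library bases differ between two runs.
"""
import os
import re
import subprocess
from collections import namedtuple

Mapping = namedtuple("Mapping", "start end perms offset path")

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
# (2.6.9-era output has no [stack]/[vdso] tags; newer kernels add them,
# and they simply land in the path group).
_LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)

# Samples taken from the post, trimmed to ld.so, libc, /bin/cat and stack.
FC2_MAPS = """\
00cbf000-00cd4000 r-xp 00000000 03:02 327682     /lib/ld-2.3.3.so
00cd4000-00cd5000 r--p 00014000 03:02 327682     /lib/ld-2.3.3.so
00cd5000-00cd6000 rw-p 00015000 03:02 327682     /lib/ld-2.3.3.so
00dad000-00ec3000 r-xp 00000000 03:02 229387     /lib/tls/libc-2.3.3.so
00ec3000-00ec4000 r--p 00116000 03:02 229387     /lib/tls/libc-2.3.3.so
00ec4000-00ec7000 rw-p 00117000 03:02 229387     /lib/tls/libc-2.3.3.so
08048000-0804c000 r-xp 00000000 03:02 459964     /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 459964     /bin/cat
feee0000-ff000000 rw-p feee0000 00:00 0
"""

FC3_678_MAPS = """\
08048000-0804c000 r-xp 00000000 03:01 6296799    /bin/cat
0804c000-0804d000 rwxp 00003000 03:01 6296799    /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0
f6ea0000-f6fc1000 r-xp 00000000 03:01 31481922   /lib/tls/libc-2.3.3.so
f6fc1000-f6fc3000 r-xp 00120000 03:01 31481922   /lib/tls/libc-2.3.3.so
f6fc3000-f6fc5000 rwxp 00122000 03:01 31481922   /lib/tls/libc-2.3.3.so
f6fe9000-f6ffe000 r-xp 00000000 03:01 16798526   /lib/ld-2.3.3.so
f6ffe000-f6fff000 r-xp 00014000 03:01 16798526   /lib/ld-2.3.3.so
f6fff000-f7000000 rwxp 00015000 03:01 16798526   /lib/ld-2.3.3.so
feffe000-ff000000 rw-p feffe000 00:00 0
"""


def parse_maps(text):
    """Parse maps text into Mapping records; blank lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable maps line: %r" % line)
        out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                           m.group(3), int(m.group(4), 16), m.group(5)))
    return out


def wx_mappings(maps):
    """Mappings that are writable and executable at the same time."""
    return [m for m in maps if "w" in m.perms and "x" in m.perms]


def highest_exec_end(maps):
    """End of the highest executable mapping; 0 if nothing is executable."""
    return max((m.end for m in maps if "x" in m.perms), default=0)


def bases(maps):
    """Lowest start address per file-backed path (library base addresses)."""
    b = {}
    for m in maps:
        if m.path.startswith("/"):
            b[m.path] = min(b.get(m.path, m.start), m.start)
    return b


def randomized_paths(maps_a, maps_b):
    """Paths present in both runs whose base address differs."""
    ba, bb = bases(maps_a), bases(maps_b)
    return sorted(p for p in ba if p in bb and ba[p] != bb[p])


def audit(text):
    """Summary a reviewer would want: count, W+X count, executable limit."""
    maps = parse_maps(text)
    return {"mappings": len(maps), "wx": len(wx_mappings(maps)),
            "exec_limit": highest_exec_end(maps)}


if __name__ == "__main__":
    for name, text in (("2.6.8-1.521smp", FC2_MAPS),
                       ("2.6.9-1.678_FC3", FC3_678_MAPS)):
        a = audit(text)
        print("%s: %d mappings, %d W+X, executable up to 0x%08x"
              % (name, a["mappings"], a["wx"], a["exec_limit"]))
    if os.path.exists("/proc/self/maps"):
        # Two separate cat processes: differing bases mean randomization is on.
        runs = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                               text=True).stdout for _ in range(2)]
        print("randomized between runs:",
              randomized_paths(parse_maps(runs[0]), parse_maps(runs[1])))
```

On the post's own data the script reports no W+X mappings and an executable limit of 0x0804c000 for the 2.6.8 kernel, and four W+X mappings with the limit at 0xf7000000 for 2.6.9-1.678_FC3. Comparing two cat processes on a live system is the quick check for whether library bases still move between runs.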



