Re: Security question: "Text file busy" overwriting executables but not shared libraries?

From: Rob Landley (landley@trommello.org)
Date: Wed Oct 03 2001 - 18:20:39 EST


On Wednesday 03 October 2001 14:06, Eric W. Biederman wrote:

> > But not modify a busy executable.
>
> Have ld-linux.so set the MAP_DENYWRITE bit when it is mapping
> the library.

And of course since the FSF wrote it, it's not quite that simple...

>/* The right way to map in the shared library files is MAP_COPY, which
> makes a virtual copy of the data at the time of the mmap call; this
> guarantees the mapped pages will be consistent even if the file is
> overwritten. Some losing VM systems like Linux's lack MAP_COPY. All we
> get is MAP_PRIVATE, which copies each page when it is modified; this
> means if the file is overwritten, we may at some point get some pages
> from the new version after starting with pages from the old version. */

I.E. it seems like they go out of their way to ALLOW writing to the libraries.
(I assume they KNOW the difference between MAP_DENYWRITE, MAP_COPY, and
MAP_PRIVATE...?)

This look right to anybody else? Or am I about to wander into weird
side-effect land? (Is there a reason they DON'T want a read-only mapping?
Are they writing data into those pages, perhaps doing the linking fixup
stuff? What?)

--- elf/dl-load.bak Wed Oct 3 18:53:37 2001
+++ elf/dl-load.c Wed Oct 3 18:55:57 2001
@@ -48,7 +48,7 @@
    means if the file is overwritten, we may at some point get some pages
    from the new version after starting with pages from the old version. */
 #ifndef MAP_COPY
-# define MAP_COPY MAP_PRIVATE
+# define MAP_COPY MAP_DENYWRITE
 #endif
 
 /* Some systems link their relocatable objects for another base address
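
Review bot: the "+# define MAP_COPY MAP_DENYWRITE" line replaces MAP_PRIVATE instead of adding to it. MAP_DENYWRITE is a modifier flag, not a mapping type, and mmap() requires exactly one of MAP_SHARED or MAP_PRIVATE, so any call that relies on MAP_COPY to supply the mapping type would fail with EINVAL. The copy-on-modify behaviour the comment above attributes to MAP_PRIVATE would be lost as well. Suggest "# define MAP_COPY (MAP_PRIVATE | MAP_DENYWRITE)", and update the comment above the #ifndef, which still describes the fallback as plain MAP_PRIVATE.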

I should just try this and see what it does. On a machine I don't mind
reinstalling from scratch. Which means I need to dig up a spare keyboard for
my junk machine... (And figure out how to get glibc's ./configure script to
realise that linuxthreads is, in fact, there in the source directory. It's
right there. Use it. Don't yell at me it's not there. I didn't make this
SRPM, I changed one line... Sigh...)

In the morning...

Rob
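
The mixed-version behaviour described in the quoted glibc comment can be reproduced with the following added example, which is not part of the original post or of glibc. It assumes Linux and a writable /tmp; the file name, fill() and private_mapping_mixes_versions() are hypothetical names made up for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Overwrite the first `len` bytes of fd with byte `c`; returns 0 on success. */
static int fill(int fd, size_t len, char c) {
    char *buf = malloc(len);
    if (!buf) return -1;
    memset(buf, c, len);
    ssize_t n = pwrite(fd, buf, len, 0);
    free(buf);
    return n == (ssize_t)len ? 0 : -1;
}

/* Constructed scenario: a two-page "library" file of 'A' bytes is mapped
 * MAP_PRIVATE, page 0 is written through the mapping (as a relocation fixup
 * would), then the file is overwritten in place with 'B' bytes.
 * Returns 1 if the mapping now mixes old and new contents, 0 if not,
 * -1 on setup failure. */
int private_mapping_mixes_versions(void) {
    char path[] = "/tmp/mapcopy-demo-XXXXXX";   /* constructed temp file */
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                /* file lives until close() */
    int result = -1;
    if (fill(fd, 2 * pg, 'A') == 0) {
        volatile char *m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE, fd, 0);
        if (m != MAP_FAILED) {
            m[0] = 'A';          /* write fault: page 0 is now a private copy */
            if (fill(fd, 2 * pg, 'B') == 0)      /* in-place overwrite */
                result = (m[0] == 'A' && m[pg] == 'B');
            munmap((void *)m, 2 * pg);
        }
    }
    close(fd);
    return result;
}

int main(void) {
    int r = private_mapping_mixes_versions();
    printf("old page 0 + new page 1 in one mapping: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup failed");
    return r < 0;
}
```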