[patch] updated exec-shield patch, 2.4/2.6 -G3

From: Ingo Molnar
Date: Fri Sep 26 2003 - 07:29:34 EST



in the recent boom of buffer-overflow bugs in various open-source packages
i got lots of requests for exec-shield being ported to various popular
kernel trees. Here's the latest update of exec-shield:

against vanilla 2.6.0-test5:

redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-G2

against vanilla 2.4.22:

redhat.com/~mingo/exec-shield/exec-shield-2.4.22-G2

against 2.4.22-ac + NPTL:

[ redhat.com/~mingo/nptl-patches/nptl-2.4.22-ac1-A2 ]

redhat.com/~mingo/exec-shield/exec-shield-2.4.22-ac1-nptl-G2

Changes in this exec-shield version:

- more refined support for PIE binaries (Position Independent Executables
- a feature of latest binutils)

- complete randomization of the whole address space [except the static
binary mappings for non-PIE binaries]. Randomized executable mappings,
heap, data mappings, stack, env/argv/aux spaces. With PIE binaries
there's not a single constant address left.

- ability to turn off exec-shield without changing the binary.
(try 'setarch i386 /bin/cat /proc/self/maps'.)

- various compatibility features and fixes.

- randomization can be turned off via /proc/sys/kernel/exec-shield-randomize.

valid /proc/sys/kernel/exec-shield levels are:

= 0 exec-shield disabled
= 1 exec-shield on PT_GNU_STACK executables [ie. binaries compiled
with newest gcc]
= 2 (default) exec-shield on all executables

value 1 is recommended with glibc and gcc versions that support
PT_GNU_STACK all across the spectrum. (Fedora Core test2 [released
yesterday] includes all of this and all applications were recompiled to
have valid PT_GNU_STACK settings.) On other systems the value of '2' is
recommended, use setarch for those binaries that cannot take exec-shield
[eg. Loki games].

reports, comments welcome. Enjoy it,

Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/