Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2

From: Marc Bevand
Date: Fri Jun 11 2004 - 04:54:42 EST


Robert White wrote:
You are missing the model:

To enable executable stack/heap you would:

#include <fcntl.h>   /* open(), O_RDWR */
#include <unistd.h>  /* write(), close() */

int fd;
if ((fd = open("/proc/self/NX", O_RDWR)) >= 0) {  /* proposed per-process NX switch */
    write(fd, "1", 1);  /* "1" = allow executable stack/heap for this process */
    close(fd);
}

(disabling would be symmetric with "0")

Because this is a sequence of specific instructions (that shouldn't exist in the
default library to prevent stack return hack invocation) these instructions would
exist only in programs that want to be EX anyway.

Even such a protection model (a sequence of 3 syscalls to enable or
disable NX) can be easily bypassed by an attacker. The classic method
of return-into-libc (with a small variation that I would call
chained-returns-into-libc) still works.

As other people already said on this list: the ability to disable NX
is a *bad* thing for security.

--
Marc Bevand http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.
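The practical consequence of a per-process switch like the one quoted above is that a process may end up with a writable+executable stack or heap. Below is an added defender-side check, not code from this thread or from the kernel, that parses /proc/<pid>/maps text and counts W+X mappings, optionally restricted to one region such as "[stack]" or "[heap]"; the sample maps text is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a /proc/<pid>/maps line describes a mapping that is both
 * writable and executable (the W+X state NX exists to prevent), else 0. */
static int line_is_wx(const char *line) {
    unsigned long start, end;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return 0;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X mappings in maps-format text. If region is non-NULL (e.g.
 * "[stack]" or "[heap]"), only lines naming that region are counted. */
int count_wx_mappings(const char *maps, const char *region) {
    int n = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_wx(line) && (!region || strstr(line, region)))
            n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Audit the calling process itself; returns -1 if /proc is unavailable. */
int self_wx_mappings(const char *region) {
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    buf[got] = '\0';
    fclose(f);
    return count_wx_mappings(buf, region);
}

/* Constructed sample, not a real capture: a process whose stack has been
 * switched to executable, as the proposed /proc/self/NX knob would do. */
const char *sample_maps =
    "08048000-0804c000 r-xp 00000000 03:01 12345 /usr/bin/prog\n"
    "0804d000-0806e000 rw-p 00000000 00:00 0 [heap]\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]\n";
```

Running `self_wx_mappings("[stack]")` on a live process returns 0 when the stack is non-executable; a nonzero result is the condition a monitoring tool would flag.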
