Bug#514288: stock debian kernels map heap, data, and other sections as rwx

2009-02-08 Thread Ben Hutchings
On Thu, 2009-02-05 at 15:44 -0800, tgo wrote:
> Package: linux-image-2.6.24-e
> Version: 2.6.24-6~etchnhalf.7
> On both vmlinuz-2.6.18-5-686 and vmlinuz-2.6.24-etchnhalf.1-686
> kernels, the debian system maps the heap, binary data, and other data
> sections as rwx, instead of the normal and sensible rw-.

This is a hardware limitation of i386 page tables - these permissions
cannot be set independently.

To overcome this limitation, you need a kernel that uses PAE page tables
(-686-bigmem or -amd64 flavour) and a processor that supports the NX
flag (look for nx on the flags line in /proc/cpuinfo).

Ben.

Bug#514288: stock debian kernels map heap, data, and other sections as rwx

2009-02-06 Thread tgo
Package: linux-image-2.6.24-e 
Version: 2.6.24-6~etchnhalf.7
On both vmlinuz-2.6.18-5-686 and vmlinuz-2.6.24-etchnhalf.1-686 kernels, the 
debian system maps the heap, binary data, and other data sections as rwx, 
instead of the normal and sensible rw-. 

Examples:

grep rwx /proc/1/maps
0805-08051000 rwxp 7000 08:01 48968  /sbin/init
08051000-08072000 rwxp 08051000 00:00 0  [heap]
b7d88000-b7d89000 rwxp b7d88000 00:00 0
b7d8b000-b7d8d000 rwxp 1000 08:01 375948 /lib/tls/i686/cmov/libdl-2.3.6.so
b7eb9000-b7ebb000 rwxp 0012c000 08:01 375945 /lib/tls/i686/cmov/libc-2.3.6.so
b7ebb000-b7ebf000 rwxp b7ebb000 00:00 0
b7ed2000-b7ed4000 rwxp 00012000 08:01 359138 /lib/libselinux.so.1
b7f0a000-b7f0b000 rwxp 00035000 08:01 359139 /lib/libsepol.so.1
b7f0b000-b7f15000 rwxp b7f0b000 00:00 0
b7f19000-b7f1b000 rwxp b7f19000 00:00 0
b7f3-b7f32000 rwxp 00014000 08:01 360971 /lib/ld-2.3.6.so

--

pidof sshd
2807 2804 2692
debian-vmware:/home/x# grep -c rwx /proc/2807/maps
44

It seems incorrect and also very bad from a security standpoint to have this 
behavior. I am aware that the kernel does not ask for these mappings to be 
created, but it also should enforce some sort of W^X behavior. The loader or 
whichever userland application that asks for the mappings should also be 
altered to follow the normal memory permission standards.
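As an added example (not code from the bug report or from Debian), the two checks in this thread in one script: it parses the /proc/PID/maps format shown in the report to list writable-and-executable mappings by kind (heap, anonymous, file-backed), and it reads the flags line of /proc/cpuinfo for the nx and pae flags Ben points to. The maps and cpuinfo samples are constructed for the example.

```python
import re

# Constructed sample of /proc/PID/maps output, modelled on the report above
# (addresses and inode numbers are made up, not copied from a real system).
SAMPLE_MAPS = """\
08050000-08051000 rwxp 00007000 08:01 48968      /sbin/init
08051000-08072000 rwxp 08051000 00:00 0          [heap]
b7d88000-b7d89000 rwxp b7d88000 00:00 0
b7eb9000-b7ebb000 rwxp 0012c000 08:01 375945     /lib/tls/i686/cmov/libc-2.3.6.so
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
"""
# Constructed /proc/cpuinfo fragments: one CPU advertising pae and nx, one without nx.
CPUINFO_NX = "processor\t: 0\nflags\t\t: fpu vme pae mce cx8 nx lm\n"
CPUINFO_NO_NX = "processor\t: 0\nflags\t\t: fpu vme pae mce cx8\n"

# fields: address range, perms, offset, dev, inode, optional path
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")

def parse_maps(text):
    """Parse maps lines; label each as heap/stack, anonymous or file-backed."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # blank or foreign line
        start, end, perms, inode, path = m.groups()
        if path.startswith("["):
            kind = path.strip("[]")   # [heap], [stack], [vdso], ...
        elif int(inode) == 0:
            kind = "anonymous"        # mmap(MAP_ANONYMOUS) region
        else:
            kind = "file-backed"      # data/bss of a binary or shared library
        mappings.append({"start": int(start, 16), "end": int(end, 16),
                         "perms": perms, "kind": kind, "path": path})
    return mappings

def wx_mappings(text):
    """Writable-and-executable mappings, i.e. what `grep rwx /proc/PID/maps` finds."""
    return [m for m in parse_maps(text) if "w" in m["perms"] and "x" in m["perms"]]

def nx_capable(cpuinfo):
    """True when /proc/cpuinfo advertises nx and pae; a PAE kernel is still required."""
    flags = set()
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            flags.update(value.split())
    return "nx" in flags and "pae" in flags
```

On a live system, pass the contents of /proc/PID/maps and /proc/cpuinfo to these functions; a CPU without nx, or a non-PAE -686 kernel, will keep reporting rwx for data mappings as in the report.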