On Nov 16, 2012, at 9:50 AM, Thor Lancelot Simon wrote:

> On Fri, Nov 16, 2012 at 11:31:20AM -0600, Eric Haszlakiewicz wrote:
>> On Thu, Nov 15, 2012 at 07:39:03PM -0500, Thor Lancelot Simon wrote:
>>> On Thu, Nov 15, 2012 at 05:18:04PM -0600, Eric Haszlakiewicz wrote:
>>>>
>>>> Well setuid executables seem like a special case, but other than that, I
>>>> think I can probably manage to execute something without an exec call.
>>>> In fact I know I can, just by linking against any dynamic library and
>>>> calling one of the functions in it.
>>>
>>> You can't load a dynamic library that's on a filesystem mounted noexec.
>>
>> er... so the dynamic linker looks like it tries to mmap the file with execute
>> permissions, and that fails, but what's to prevent me from just reading the
>> file into memory and jumping to that address?  I feel like I'm missing
>> something here...
>
> If it's not mapped MAP_EXEC, you can't jump there.  If you can, you either
> have a hardware limitation that makes W^X impossible, or you have a pmap
> bug.

Assuming the MMU h/w supports the concept of exec pages. Only recently have some ARM, MIPS, and PowerPC chips added "no-execute" support.
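
A probe for the mmap behaviour described in the quoted exchange, as an added example that is not part of the original message: it maps a scratch file in a directory read-only, then with PROT_EXEC, and reports whether the kernel refuses the executable mapping. The function name, the /tmp default and treating EPERM or EACCES as the refusal are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper: 1 = a file in `dir` can be mapped PROT_EXEC,
 * 0 = the kernel refused (what a noexec mount does),
 * -1 = the probe itself could not run. */
int exec_mapping_allowed(const char *dir)
{
    char path[4096];
    long pagesz = sysconf(_SC_PAGESIZE);
    int result = -1;

    int n = snprintf(path, sizeof path, "%s/noexec-probe-XXXXXX", dir);
    if (pagesz <= 0 || n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                     /* scratch file vanishes when fd closes */
    if (ftruncate(fd, pagesz) == 0) {
        /* Control: a read-only mapping must succeed or the probe is void. */
        void *ro = mmap(NULL, (size_t)pagesz, PROT_READ, MAP_PRIVATE, fd, 0);
        if (ro != MAP_FAILED) {
            munmap(ro, (size_t)pagesz);
            /* The request a dynamic linker makes when loading a library. */
            void *rx = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_EXEC,
                            MAP_PRIVATE, fd, 0);
            if (rx != MAP_FAILED) {
                munmap(rx, (size_t)pagesz);
                result = 1;
            } else if (errno == EPERM || errno == EACCES) {
                result = 0;           /* assumed refusal codes */
            }
        }
    }
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";   /* assumed default */
    int r = exec_mapping_allowed(dir);
    printf("%s: PROT_EXEC file mapping %s\n", dir,
           r == 1 ? "allowed" : r == 0 ? "refused" : "probe failed");
    return r < 0;
}
```

It tests only the file-mapping path the dynamic linker uses; whether data read into ordinary memory can be executed depends on the no-execute support the reply mentions.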