Re: [Fwd: [gentoo-security] pax and objc]
From: pageexec
Subject: Re: [Fwd: [gentoo-security] pax and objc]
Date: Thu, 01 Jul 2004 20:49:08 +0200

> One piece of feedback was that Objective-C doesn't play well with pax.
> I'm not exactly sure what pax is. So, if anyone knows:
http://pax.grsecurity.net/ for a start (docs in particular)
in short, it's a sort of intrusion prevention patch/mechanism,
tailored at preventing memory corruption bug related exploits.
one mechanism is the control of runtime code generation which
is most likely what obj-c ran into.
> - What is the nature of the problem between pax and Objective-C? (I'm
> assuming it's going to have something to do with the library or the
> runtime, and whatever protection PAX is supposed to offer for
> stack/heap breakage.)
the default setup of PaX forbids runtime code generation (because
this is the privilege that the most used exploit technique needs
as well), so any attempt by an application will result in its killing
by the kernel at the moment it tries to execute code it generated
at runtime. you could confirm it by asking the affected user for the
logs that PaX generates for such events (grep PAX /var/log/messages
or similar).
> - The problem is between Objective-C support itself and PAX, yes?
> gnustep-base offers support for libffi which doesn't use mprotect like
> ffcall, which I understand to be a problem. (I'm uploading the newest
> libffi that will work with gnustep-base to bugs.gentoo right now as
> well). I wasn't sure if some were mixing "GNUstep" and "objc" in this
> context.
ffcall seems to implement trampolines which suggests to me that it
requires runtime code generation and probably GNUstep does make use
of that feature. it is fundamentally incompatible with PaX so the
solution is to either rewrite GNUstep to not need runtime code
generation (or features/libraries that need it) or disable PaX on
all executables that want to generate code at runtime. for the
latter gentoo has toolchain support, binutils/ld emit a special
ELF program header called PT_PAX_FLAGS which carries PaX specific
markings, you can use paxctl to disable the MPROTECT feature (via
paxctl -m) that should get things going again, or disable non-exec
pages altogether (via paxctl -spm). you can also pass the -z execheap
switch to ld (or -Wl,-z,execheap to gcc) so that the resulting
executables will be marked directly by ld, no need for paxctl then.
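
An added example, not part of the original message or of the PaX or paxctl code: a small auditing helper that reads the PT_PAX_FLAGS program header mentioned above and reports which PaX features a binary has switched on or off, so an administrator can list executables whose MPROTECT restriction has been disabled. The constant and bit positions follow PaX's ELF definitions; the function names and `sample_elf64` input are constructed for this illustration.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS (0x60000000) + 0x5041580
# (enable bit, disable bit) in p_flags of the PT_PAX_FLAGS header
PAX_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15),
}

def pax_flags(elf: bytes):
    """Decode PT_PAX_FLAGS into {feature: 'on'|'off'|'unset'}; None if no header."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a supported ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if elf[4] == 2:                            # EI_CLASS: 2 = ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_off = 4                          # Elf64_Phdr: p_flags follows p_type
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_off = 24                         # Elf32_Phdr: p_flags is the 7th word
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if base + flags_off + 4 > len(elf):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_off)
            return {name: "on" if p_flags & on else "off" if p_flags & off else "unset"
                    for name, (on, off) in PAX_BITS.items()}
    return None

def sample_elf64(p_type: int, p_flags: int) -> bytes:
    """Constructed input: bare little-endian ELF64 header plus one program header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 8)

if __name__ == "__main__":
    # Constructed case: MPROTECT disable bit set, everything else untouched
    print(pax_flags(sample_elf64(PT_PAX_FLAGS, 1 << 9)))
```

A result of `None` means the binary carries no PT_PAX_FLAGS header at all, which is a different finding from a header whose bits are all unset.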