Re: [Fwd: [gentoo-security] pax and objc]
From: Armando Di Cianno
Subject: Re: [Fwd: [gentoo-security] pax and objc]
Date: Thu, 01 Jul 2004 16:03:43 -0400

As the original sender of these issues and questions, I'd like to
clarify and relate what information I've collected, so as not to waste
anyone else's brain processes.

The confusion I was facing was that I could not nail down the exact
issues that some people posed to me. The issue existed somewhere
among:
- PaX
- libffi -or- ffcall
- GNUstep core libraries

The first I heard of the issue was here:
http://bugs.gentoo.org/show_bug.cgi?id=54740#c9
... and at that point started my procession to nail this down.

I also have a report from a user using gcc-3.3.3 (on gentoo) that
installing libffi, and not ffcall, let his by-hand GNUstep install
work, whereas ffcall would trigger PaX. Likely, this is because of
mprotect() use in ffcall. However, ffcall, according to Lv on
#gentoo-dev, isn't 64-bit safe, so libffi should probably be used
dominantly at the moment, anyway.

On 2004-07-01 14:49:08 -0400 pageexec@freemail.hu wrote:
> ffcall seems to implement trampolines which suggests to me that it
> requires runtime code generation and probably GNUstep does make use
> of that feature. it is fundamentally incompatible with PaX so the
> solution is to either rewrite GNUstep to not need runtime code
> generation

Uhmm. I think this is the first honest case of "it's a feature, not a
bug" that I've ever seen. I haven't looked at the libobjc source in
gcc, ever, but I'm going to take an educated guess and say that I
believe the runtime generation of code allows it to do run-time
introspection and execution that simply isn't possible to create a
structure for at compile time. Objective-C is a compiled language,
but retains a lot of its Smalltalk-inspired design.

Having said all this, AFAIK, libffi (giving up on ffcall at the
moment) is the spot where trouble with security features like PaX is
going to exist. If this is the case, is there anyone out there that
can confirm or deny this?

Thanks for all the responses.
__Armando Di Cianno
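
The following is an added example, not part of the original message and not code from PaX, ffcall, libffi or GNUstep. It probes whether the running kernel allows the mprotect() permission changes that runtime trampoline generation relies on; the function names `probe_transition` and `describe` are hypothetical, and the page is filled with zeros that are never executed.

```c
/* Added example: probe the page-permission changes a trampoline generator needs. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux value on x86/ARM, if strict ISO mode hid it */
#endif

/* Map one anonymous page with `initial` protection, write to it if writable,
 * then ask mprotect() for `wanted`. Returns 0 if the change was allowed, the
 * errno value if it was refused, or -1 if the initial mmap() failed. */
int probe_transition(int initial, int wanted)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return -1;
    size_t len = (size_t)pagesz;
    unsigned char *p = mmap(NULL, len, initial,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (initial & PROT_WRITE)
        memset(p, 0, len); /* dirty the page as a code generator would */
    int result = (mprotect(p, len, wanted) == 0) ? 0 : errno;
    munmap(p, len);
    return result;
}

/* Turn a probe_transition() result into a short report string. */
const char *describe(int r)
{
    if (r == 0) return "allowed";
    if (r == -1) return "mmap failed";
    if (r == EACCES || r == EPERM) return "denied by policy";
    return "failed (other error)";
}

int main(void)
{
    const int R = PROT_READ, RW = R | PROT_WRITE, RX = R | PROT_EXEC;
    printf("R  -> RW  (control, no exec): %s\n", describe(probe_transition(R, RW)));
    printf("RW -> RX  (write, then exec): %s\n", describe(probe_transition(RW, RX)));
    printf("RW -> RWX (write and exec)  : %s\n", describe(probe_transition(RW, RW | PROT_EXEC)));
    return 0;
}
```

On a kernel without such restrictions all three lines normally read "allowed"; a refusal on the second or third line while the control line succeeds points at the memory-protection policy rather than at GNUstep itself.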