discuss-gnustep

Re: [Fwd: [gentoo-security] pax and objc]


From: Armando Di Cianno
Subject: Re: [Fwd: [gentoo-security] pax and objc]
Date: Thu, 01 Jul 2004 16:03:43 -0400

As the original sender of these issues and questions, I'd like to clarify and relate what information I've collected, so as not to waste anyone else's brain processes.

The confusion I was facing was that I could not nail down the exact issues that some people posed to me. The issue existed somewhere among:
- PaX
- libffi -or- ffcall
- GNUstep core libraries

The first I heard of the issue was here:
http://bugs.gentoo.org/show_bug.cgi?id=54740#c9
... and at that point started my procession to nail this down.

I also have a report from a user using gcc-3.3.3 (on gentoo) that installing libffi, and not ffcall, let his by-hand GNUstep install work, whereas ffcall would trigger PaX. Likely, this is because of mprotect() use in ffcall. However, ffcall, according to Lv on #gentoo-dev, isn't 64-bit safe, so libffi should probably be used dominantly at the moment, anyway.

On 2004-07-01 14:49:08 -0400 pageexec@freemail.hu wrote:
> ffcall seems to implement trampolines which suggests to me that it
> requires runtime code generation and probably GNUstep does make use
> of that feature. it is fundamentally incompatible with PaX so the
> solution is to either rewrite GNUstep to not need runtime code
> generation

Uhmm. I think this is the first honest case of "it's a feature, not a bug" that I've ever seen. I haven't looked at the libobjc source in gcc, ever, but I'm going to take an educated guess and say that I believe the runtime generation of code allows it to do run-time introspection and execution that simply isn't possible to create a structure for at compile time. Objective-C is a compiled language, but retains a lot of its Smalltalk-inspired design.

Having said all this, AFAIK, libffi (giving up on ffcall at the moment) is the spot where trouble with security features like PaX is going to exist. If this is the case, is there anyone out there that can confirm or deny this?

Thanks for all the responses.

__Armando Di Cianno
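
The message above attributes the ffcall failure to mprotect() use for runtime-generated trampolines. The following probe is an added example, not part of the original message and not code from ffcall, libffi or GNUstep: it asks the running kernel whether a page that was mapped writable may later be made executable. The function names are illustrative, and treating EACCES or EPERM as a policy denial is an assumption.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_ERROR = -1 };

/* Map one anonymous page with `initial` protections, then ask the kernel to
 * switch it to `requested`. No code is written to or run from the page; only
 * the kernel's answer to the protection change is recorded. */
static enum probe_result probe_transition(int initial, int requested)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return PROBE_ERROR;

    void *p = mmap(NULL, (size_t)page, initial,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EACCES || errno == EPERM) ? PROBE_DENIED : PROBE_ERROR;

    int rc = mprotect(p, (size_t)page, requested);
    int err = errno;               /* save before munmap can overwrite it */
    munmap(p, (size_t)page);

    if (rc == 0)
        return PROBE_ALLOWED;
    /* Assumption: a memory-protection policy refuses with EACCES or EPERM. */
    return (err == EACCES || err == EPERM) ? PROBE_DENIED : PROBE_ERROR;
}

static const char *describe(enum probe_result r)
{
    return r == PROBE_ALLOWED ? "allowed"
         : r == PROBE_DENIED  ? "denied by policy"
         :                      "unexpected error";
}

int main(void)
{
    /* Baseline: dropping write permission should always be permitted. */
    printf("RW -> R   : %s\n",
           describe(probe_transition(PROT_READ | PROT_WRITE, PROT_READ)));
    /* The transition a trampoline generator needs after writing its stub. */
    printf("RW -> RX  : %s\n",
           describe(probe_transition(PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC)));
    printf("RW -> RWX : %s\n",
           describe(probe_transition(PROT_READ | PROT_WRITE,
                                     PROT_READ | PROT_WRITE | PROT_EXEC)));
    return 0;
}
```

A "denied by policy" result on the RW -> RX line while the baseline is allowed points at the kernel's memory-protection policy rather than at the library under test.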