Re: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2

From: Andi Kleen
Date: Thu Jun 03 2004 - 18:09:41 EST


On Thu, Jun 03, 2004 at 04:01:57PM -0700, Andy Lutomirski wrote:
> Andi Kleen wrote:
> >On Thu, 3 Jun 2004 14:44:48 +0200
> >Ingo Molnar <mingo@xxxxxxx> wrote:
> >
> >
> >
> >>- in exec.c, since address-space executability is a security-relevant
> >>item, we must clear the personality when we exec a setuid binary. I
> >>believe this is also a (small) security robustness fix for current
> >>64-bit architectures.
> >
> >
> >I'm not sure I like that. This means I cannot earily force an i386 uname
> >or 3GB address space on suid programs anymore on x86-64.
> >
> >While in theory it could be a small security problem I think the utility
> >is much greater.
> >
> >It's hard to see how setting NX could cause a security hole. The program
> >may crash, but it is unlikely to be exploitable.
>
> The whole point of NX, though, is that it prevents certain classes of
> exploits. If a setuid binary is vulnerable to one of these, then Ingo's
> patch "fixes" it. Your approach breaks that.

Good point.

But that only applies to the NX personality bit. For the uname emulation
it is not an issue.

So maybe the dropping on exec should only zero a few selected
personality bits, but not all.

>
> I don't like Ingo's fix either, though. At least it should check
> CAP_PTRACE or some such. A better fix would be for LSM to pass down a flag
> indicating a change of security context. I'll throw that in to my
> caps/apply_creds cleanup, in case that ever gets applied.

Don't think we should require an LSM module for that. That's
far overkill.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/