RE: [PATCH v5 06/12] S.A.R.A.: WX protection
From: David Laight
Date: Mon Jul 08 2019 - 08:42:24 EST
From: Salvatore Mesoraca
> Sent: 06 July 2019 11:55
...
> Executable MMAP prevention works by preventing any new executable
> allocation after the dynamic libraries have been loaded. It works under the
> assumption that, when the dynamic libraries have been finished loading, the
> RELRO section will be marked read only.
What about writing to the file of a dynamic library after it is loaded
but before it is faulted it (or after evicting it from the I$).
...
> +#define find_relro_section(ELFH, ELFP, FILE, RELRO, FOUND) do { \
> + unsigned long i; \
> + int _tmp; \
> + loff_t _pos = 0; \
> + if (ELFH.e_type == ET_DYN || ELFH.e_type == ET_EXEC) { \
> + for (i = 0; i < ELFH.e_phnum; ++i) { \
> + _pos = ELFH.e_phoff + i*sizeof(ELFP); \
> + _tmp = kernel_read(FILE, &ELFP, sizeof(ELFP), \
> + &_pos); \
> + if (_tmp != sizeof(ELFP)) \
> + break; \
> + if (ELFP.p_type == PT_GNU_RELRO) { \
> + RELRO = ELFP.p_offset >> PAGE_SHIFT; \
> + FOUND = true; \
> + break; \
> + } \
> + } \
> + } \
> +} while (0)
This is big for a #define.
Since it contains kernel_read() it can't really matter if it is
a real function.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)