Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#17321 - [klibc] screws up mmap permission flags in 32 bit arch linux
Attached to Project:
Arch Linux
Opened by Martin Jackson (mjackson220) - Sunday, 29 November 2009, 22:58 GMT
Last edited by Thomas Bächler (brain0) - Monday, 30 November 2009, 09:13 GMT
Description:
I was shocked to find in all 3 of my 32 bit Arch installs that almost all processes have readable mmap'd regions (excluding the stack, luckily) marked as executable. Obviously, this is a security hole. For example:

  [root@fortknox ~]# uname -a
  Linux fortknox 2.6.27.39-lts #1 SMP Wed Nov 11 18:07:13 UTC 2009 i686 Intel(R) Atom(TM) CPU 330 @ 1.60GHz GenuineIntel GNU/Linux
  [root@fortknox ~]# cat /proc/1/maps
  08048000-0804f000 r-xp 00000000 fd:00 1155143 /sbin/init
  0804f000-08050000 rwxp 00007000 fd:00 1155143 /sbin/init
  093a3000-093c4000 rwxp 093a3000 00:00 0 [heap]
  b75ee000-b75ef000 rwxp b75ee000 00:00 0
  b75ef000-b772f000 r-xp 00000000 fd:00 106504 /lib/libc-2.11.so
  b772f000-b7731000 r-xp 00140000 fd:00 106504 /lib/libc-2.11.so
  b7731000-b7732000 rwxp 00142000 fd:00 106504 /lib/libc-2.11.so
  b7732000-b7735000 rwxp b7732000 00:00 0
  b773a000-b773b000 rwxp b773a000 00:00 0
  b773b000-b773c000 r-xp b773b000 00:00 0 [vdso]
  b773c000-b7758000 r-xp 00000000 fd:00 106529 /lib/ld-2.11.so
  b7758000-b7759000 r-xp 0001b000 fd:00 106529 /lib/ld-2.11.so
  b7759000-b775a000 rwxp 0001c000 fd:00 106529 /lib/ld-2.11.so
  bfef3000-bff08000 rw-p bffeb000 00:00 0 [stack]

The GNU_STACK section of the /sbin/init elf file is *not* set to executable:

  [root@fortknox ~]# readelf -l /sbin/init
  Elf file type is EXEC (Executable file)
  Entry point 0x8049890
  There are 7 program headers, starting at offset 52
  ...
  GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
  ...

My investigations lead me to believe that this is caused by the GNU_STACK elf section of the klibc shell being set to executable. i686 kernels set the READ_IMPLIES_EXEC personality flag of a process if this is set, and all child processes of klibc init (i.e. everything), except for setuid programs, end up inheriting this flag set in their process descriptor. I believe x86_64 behaves differently.

Additional info:
kernel26-lts 2.6.27.39-1 / kernel26 2.6.31.6-1
klibc 1.5.15-3

Steps to reproduce:
Check permissions of any non setuid process in 32bit arch linux
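As an added check, not part of the report or of klibc, the following Python script parses /proc/<pid>/maps lines in the format shown above and lists every executable mapping that is not a read-only, file-backed text segment (the symptom described above: data, heap and anonymous memory showing up as rwxp), and tests the READ_IMPLIES_EXEC personality bit. The sample maps text is constructed from the report's /sbin/init output; check_pid assumes the running kernel exposes /proc/<pid>/personality.

```python
import re

# READ_IMPLIES_EXEC bit of the process personality (linux/personality.h).
READ_IMPLIES_EXEC = 0x0400000

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")

# Constructed sample, trimmed from the /sbin/init map in the report above.
SAMPLE_MAPS = """\
08048000-0804f000 r-xp 00000000 fd:00 1155143 /sbin/init
0804f000-08050000 rwxp 00007000 fd:00 1155143 /sbin/init
093a3000-093c4000 rwxp 093a3000 00:00 0 [heap]
b75ee000-b75ef000 rwxp b75ee000 00:00 0
b75ef000-b772f000 r-xp 00000000 fd:00 106504 /lib/libc-2.11.so
b7731000-b7732000 rwxp 00142000 fd:00 106504 /lib/libc-2.11.so
b773b000-b773c000 r-xp b773b000 00:00 0 [vdso]
bfef3000-bff08000 rw-p bffeb000 00:00 0 [stack]
"""


def unexpected_exec_mappings(maps_text):
    """Return (perms, name) for each executable mapping that is not plain
    read-only code: writable data, heap, stack or anonymous memory."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group(3):
            continue
        perms, name = m.group(3), m.group(4) or "[anon]"
        # Read-only executable segments backed by a file (or the vdso) are
        # the text segments that should be executable; anything else is not.
        if "w" not in perms and (name.startswith("/") or name == "[vdso]"):
            continue
        found.append((perms, name))
    return found


def has_read_implies_exec(personality):
    """True if the READ_IMPLIES_EXEC personality bit is set."""
    return bool(personality & READ_IMPLIES_EXEC)


def check_pid(pid):
    """Audit a live process: (READ_IMPLIES_EXEC set?, suspicious mappings)."""
    with open(f"/proc/{pid}/maps") as f:
        bad = unexpected_exec_mappings(f.read())
    with open(f"/proc/{pid}/personality") as f:  # hex value, e.g. 00400000
        rie = has_read_implies_exec(int(f.read(), 16))
    return rie, bad
```

Run `check_pid(1)` (or any non-setuid pid) on an affected box: a 32-bit system with the bug reports the flag set and the init data segment, heap and anonymous mappings in the list, while a healthy system returns `(False, [])` for most processes.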
Closed by Thomas Bächler (brain0)
Monday, 30 November 2009, 09:13 GMT
Reason for closing: Deferred
Additional comments about closing: Won't spend any more time fixing klibc. My last attempt to compile klibc on i686 resulted in non-bootable systems. See FS#17298
Check memory-map permissions of any non setuid process in 32bit arch linux, e.g.
cat /proc/<pid>/maps
The .data section, the heap, etc. will have the 'exec' flag set, which is clearly incorrect.

Looking on the web, it seems that Ubuntu applies a patch to fix this. Anyway, klibc will be unused in Arch: FS#17298

On my system only text segments are executable. (Attached a sample output.)