FS#46496 - kernel nx support not enabled by default (noexec kernel parameter)

Attached to Project: Arch Linux
Opened by Georg (georgnix) - Wednesday, 30 September 2015, 14:36 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 30 September 2015, 15:08 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
By default the linux kernel command line does not enable x64 no-execute protection for memory pages.
This can be checked by

dmesg | grep NX

With NX bit protection enabled one gets

[ 0.000000] NX (Execute Disable) protection: active

otherwise this line is missing. To add NX protection the linux command line needs to have

noexec=on

For GRUB this can be accomplished by adding "noexec=on" to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub

Additional info:
* packages
/etc/default/grub is part of the grub package,

version(s)

* TODO
* other boot loaders config
* x86 no-execute support

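The check described in the report relies on a single boot-time dmesg line, and the thread's resolution shows why that is fragile: the "[ 0.000000]" lines are the oldest entries in the kernel ring buffer and are the first to be overwritten, so a missing line does not prove NX is off. The script below is an added example for this ticket (not code from the reporter, Arch, or the kernel). It combines three independent signals: the nx flag in /proc/cpuinfo, the noexec= setting on /proc/cmdline (the kernel's default is on, so adding noexec=on on x86_64 changes nothing), and the boot message, taken from "journalctl -k -b", which keeps the whole boot after the ring buffer has wrapped, with dmesg as fallback. File paths, function names and the --live flag are this example's own conventions; the sample inputs in the usage note are constructed.

```shell
#!/bin/sh
# nx-check.sh: added example for FS#46496, not Arch's or the kernel's code.
# Decides whether NX (Execute Disable) is in effect from three independent
# signals instead of one dmesg line that may have scrolled out of the ring
# buffer. Assumes an x86 Linux box with /proc/cpuinfo, /proc/cmdline and
# either journalctl or dmesg available.

# 1. CPU support: the "nx" flag must appear on the flags line of /proc/cpuinfo.
#    Reads cpuinfo text from stdin.
cpu_has_nx() {
    grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx 'nx'
}

# 2. Kernel confirmation: the boot message the ticket greps for.
#    Reads kernel log text from stdin (dmesg, or "journalctl -k -b",
#    which keeps the whole boot even after the ring buffer wraps).
kernel_reports_nx() {
    grep -q 'NX (Execute Disable) protection: active'
}

# 3. Command line: prints "on", "off" or "default". The kernel's noexec=
#    option defaults to on; the last occurrence wins, and a bare "noexec"
#    with no value is ignored, as the kernel ignores it.
cmdline_noexec() {
    tr ' ' '\n' | awk -F= '
        $1 == "noexec" && $2 != "" { val = $2 }
        END { print (val == "" ? "default" : val) }'
}

# Combine the signals. Prints a verdict; exit 0 = active, 1 = inactive,
# 2 = undecidable from the log that was available.
nx_verdict() {
    cpuinfo=$1; klog=$2; cmdline=$3
    if ! cpu_has_nx < "$cpuinfo"; then
        echo "inactive: CPU does not advertise the nx flag"
        return 1
    fi
    if [ "$(cmdline_noexec < "$cmdline")" = "off" ]; then
        echo "inactive: noexec=off on the kernel command line"
        return 1
    fi
    if kernel_reports_nx < "$klog"; then
        echo "active"
        return 0
    fi
    echo "unknown: CPU and command line allow NX, but no boot message in the log (ring buffer wrapped? try: journalctl -k -b)"
    return 2
}

# Live check against the running system. Prefers the journal over dmesg
# because the journal does not lose the early boot lines.
nx_check_live() {
    klog=$(mktemp) || return 2
    if ! journalctl -k -b --no-pager > "$klog" 2>/dev/null; then
        dmesg > "$klog" 2>/dev/null
    fi
    nx_verdict /proc/cpuinfo "$klog" /proc/cmdline && rc=0 || rc=$?
    rm -f "$klog"
    return "$rc"
}

# Run the live check only when invoked as: sh nx-check.sh --live
case "${1:-}" in
    --live) nx_check_live ;;
esac
```

Run it as `sh nx-check.sh --live`; the functions also take saved copies of /proc/cpuinfo, the kernel log and /proc/cmdline, which is how the three cases in this thread can be reproduced offline: a box with the nx flag and the boot line present reports "active", a box booted with noexec=off reports "inactive", and a box whose ring buffer has wrapped (nx flag present, no boot line) reports "unknown" with exit status 2 rather than a false "inactive".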
Closed by  Doug Newgard (Scimmia)
Wednesday, 30 September 2015, 15:08 GMT
Reason for closing:  Not a bug
Comment by Jan de Groot (JGC) - Wednesday, 30 September 2015, 14:44 GMT
x86_64 enables NX by default. This bug applies to i686, which doesn't have NX enabled by default. AFAIK this needs HIGHMEM64 to enable PAE, which we have disabled for a reason.

If you want NX, please upgrade to x86_64.
Comment by Dave Reisner (falconindy) - Wednesday, 30 September 2015, 14:45 GMT
Works as expected for me -- no need for explicitly passing noexec=on:

$ uname -a; cat /proc/cmdline; dmesg | grep -w NX
Linux butter 4.2.2-1-ARCH #1 SMP PREEMPT Tue Sep 29 22:21:33 CEST 2015 x86_64 GNU/Linux
BOOT_IMAGE=../vmlinuz-linux root=LABEL=root rw console=ttyS0 initrd=../intel-ucode.img,../initramfs-linux.img
[ 0.000000] NX (Execute Disable) protection: active

There seems to be missing information from your bug report about the kernel you're running...
Comment by Georg (georgnix) - Wednesday, 30 September 2015, 14:50 GMT
@Dave: Yeah, right:
% uname -a
Linux gurke 4.1.6-1-ARCH #1 SMP PREEMPT Mon Aug 17 08:52:28 CEST 2015 x86_64 GNU/Linux

So no, I am not on i686.

% pacman -Q |grep linux
archlinux-keyring 20150605-1
lib32-util-linux 2.26.2-1
libutil-linux 2.26.2-1
linux 4.1.6-1
linux-api-headers 4.1.4-1
linux-firmware 20150722.e10097a-1
linux-headers 4.1.6-1
linuxtv-dvb-apps 1504-1
ttf-linux-libertine 5.3.0-3
util-linux 2.26.2-1

% pacman -Q |grep grub
grub 1:2.02.beta2-5

I have noexec=on on the linux command line now, after I added it to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub

% cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-linux root=UUID=a884660a-ce6e-4bd6-8c06-589647c41922 rw quiet root=/dev/mapper/gurke-root noexec=on

Comment by Georg (georgnix) - Wednesday, 30 September 2015, 15:04 GMT
OK, I double-checked, and NX is there without the kernel param noexec.

% uname -a; cat /proc/cmdline; dmesg | grep -w NX
Linux gurke 4.1.6-1-ARCH #1 SMP PREEMPT Mon Aug 17 08:52:28 CEST 2015 x86_64 GNU/Linux
BOOT_IMAGE=/vmlinuz-linux root=UUID=a884660a-ce6e-4bd6-8c06-589647c41922 rw quiet root=/dev/mapper/gurke-root
[ 0.000000] NX (Execute Disable) protection: active

I guess the kernel message buffer cycled -> no boot messages. Doh! Please close the bug and sorry for the noise.
