1 |
As the original sender of these issues and questions, I'd like to |
2 |
clarify and relate what information I've collected, as to not waste |
3 |
anyone else's brain processes. |
4 |
|
5 |
The confusion I was facing was that I could not nail down the exact |
6 |
isses that some people posed to me. The issue existed somewhere |
7 |
among: |
8 |
- PaX |
9 |
- libffi -or- ffcall |
10 |
- GNUstep core libraries |
11 |
|
12 |
The first I heard of the issue was here: |
13 |
http://bugs.gentoo.org/show_bug.cgi?id=54740#c9 |
14 |
... and at that point started my procession to nail this down. |
15 |
|
16 |
I also have a report from a user using gcc-3.3.3 (on gentoo) that |
17 |
installing libffi, and not ffcall, let his by-hand GNUstep install |
18 |
work, whereas ffcall would trigger PaX. Likely, this is because of |
19 |
mprotect() use in ffcall. However, ffcall, according to Lv on |
20 |
#gentoo-dev, isn't 64-bit safe, so libffi should probably e used |
21 |
dominantly at the moment, anyway. |
22 |
|
23 |
On 2004-07-01 14:49:08 -0400 pageexec@××××××××.hu wrote: |
24 |
> ffcall seems to implement trampolines which suggests to me that it |
25 |
> requires runtime code generation and probably GNUstep does make use |
26 |
> of that feature. it is fundamentally incompatible with PaX so the |
27 |
> solution is to either rewrite GNUstep to not need runtime code |
28 |
> generation |
29 |
Uhmm. I think this is the first honest case of "it's a feature, not a |
30 |
bug" that I've ever seen. I haven't looked at the libobjc source in |
31 |
gcc, ever, but I'm going to take an educated guess and say that I |
32 |
believe the runtime generation of code allows it to do run-time |
33 |
introspection and execution that simply isn't possible to create a |
34 |
structure for at compile time. Objective-C is a compiled language, |
35 |
but retains a lot of it's SmallTalk inspired design. |
36 |
|
37 |
Having said all this, AFAIK, libffi (giving up on ffcall at the |
38 |
moment) is the spot where trouble with security features like PaX is |
39 |
going to exist. If this is the case, is there anyone out there that |
40 |
can confirm or deny this? |
41 |
|
42 |
Thanks for all the respones. |
43 |
|
44 |
__Armando Di Cianno |
45 |
|
46 |
|
47 |
-- |
48 |
gentoo-security@g.o mailing list |