On 27 Jan 2007 at 19:40, gentoo-hardened-ml-01@××××××.org wrote:

> If I paxctl -PS the ioquake3 binary it crashes on startup with the error:
>
> PAX: execution attempt in: /dev/zero
>
> logged to the syslog. If I paxctl -ps ioquake3 it runs fine. Of course
> mprotect is disabled in both cases.

this is then a sign that the application doesn't create its mappings
with proper access rights, that is, it's mmap'ing without PROT_EXEC
and then tries to execute code in there. having grepped through the
quake3 sources i can't find any mention of /dev/zero, so it might be
a library or something, only further debugging can reveal it (and it's
an application bug somewhere, so it should be found and fixed).

second, i also looked at how the quake3 engine generates code at runtime
and i think the i386 port should follow that amd64 version which puts
it into a file then mmap's it - this can run with full PaX permissions
(of course, this mitigates the issue to filesystem access control, but
is still better than in-memory JIT compilation).

third, the Makefile has the HAVE_VM_COMPILED option, if you set it to
false, it should use the interpreter instead and would again allow full
PaX enforcement (but i guess it also costs performance, would be worth
a measurement).

> If I use the SSP-enabled toolchain, I'll lose my ability to toggle this
> protection off and on at will, right?

correct.

> Am I correct that the only workarounds in this case would involve
> some kind of recompiling with per-package flags, etc.?

it's not some kind of recompiling, it's recompiling ;-). and the way
to control ssp use is via the gcc specs file, that is, you'd have to switch
to a nossp profile before emerging quake3.

-- 
gentoo-hardened@g.o mailing list
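The reply above says the "execution attempt in: /dev/zero" log line means the program is trying to run code from a mapping that was never given PROT_EXEC, and that finding the offending mapping takes further debugging. One way to start that debugging is to audit a process's /proc/<pid>/maps for mappings that are writable and executable at the same time (what PaX MPROTECT refuses) and for mappings backed by /dev/zero. The following C program is an added example written for this page, not code from the thread, from PaX, or from ioquake3; the maps listing it parses is constructed, and the binary path in it is a placeholder. It also audits its own process via /proc/self/maps, which only works on Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Summary of one pass over a maps listing. */
struct wx_report {
    int total;      /* entries parsed */
    int wx;         /* entries mapped writable AND executable */
    int dev_zero;   /* entries backed by /dev/zero */
};

/* Parse one /proc/<pid>/maps line such as
 *   "7f3a00100000-7f3a00200000 rwxp 00000000 00:06 5  /dev/zero (deleted)"
 * into its permission string and the first word of its backing path.
 * Returns 0 on success, -1 when the line is not a maps entry. */
static int parse_maps_line(const char *line, char perms[5], char path[256])
{
    unsigned long lo, hi, off, inode;
    char dev[32];
    int n;

    path[0] = '\0';
    n = sscanf(line, "%lx-%lx %4s %lx %31s %lu %255s",
               &lo, &hi, perms, &off, dev, &inode, path);
    /* Anonymous mappings carry no path, so six conversions are enough. */
    return (n >= 6) ? 0 : -1;
}

/* Walk a newline-separated maps listing and count the entries a PaX
 * MPROTECT kernel would object to, plus those backed by /dev/zero. */
struct wx_report audit_maps(const char *maps_text)
{
    struct wx_report r = {0, 0, 0};
    char *copy = strdup(maps_text);
    char *save = NULL;
    char *line;

    if (copy == NULL)
        return r;
    for (line = strtok_r(copy, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char perms[5], path[256];

        if (parse_maps_line(line, perms, path) != 0)
            continue;
        r.total++;
        /* perms looks like "rwxp": index 1 is the w bit, index 2 the x bit. */
        if (perms[1] == 'w' && perms[2] == 'x')
            r.wx++;
        if (strcmp(path, "/dev/zero") == 0)
            r.dev_zero++;
    }
    free(copy);
    return r;
}

/* Constructed sample listing; not captured from a real ioquake3 process,
 * and /opt/ioquake3/ioquake3 is a placeholder path. */
const char *const sample_maps =
    "00400000-00452000 r-xp 00000000 08:01 1234  /opt/ioquake3/ioquake3\n"
    "00652000-00653000 rw-p 00052000 08:01 1234  /opt/ioquake3/ioquake3\n"
    "7f3a00000000-7f3a00021000 rw-p 00000000 00:00 0\n"
    "7f3a00100000-7f3a00200000 rwxp 00000000 00:06 5  /dev/zero (deleted)\n"
    "7f3a00300000-7f3a00400000 rw-p 00000000 00:06 5  /dev/zero (deleted)\n"
    "7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0  [stack]\n";

/* Run the same audit on the calling process (Linux only); returns all
 * zeros when /proc/self/maps cannot be read. */
struct wx_report audit_self(void)
{
    struct wx_report empty = {0, 0, 0};
    struct wx_report r;
    FILE *f = fopen("/proc/self/maps", "r");
    char *buf = NULL;
    size_t len = 0, cap = 0;

    if (f == NULL)
        return empty;
    for (;;) {
        size_t got;
        if (len + 1 >= cap) {
            size_t ncap = cap ? cap * 2 : 8192;
            char *nbuf = realloc(buf, ncap);
            if (nbuf == NULL) { free(buf); fclose(f); return empty; }
            buf = nbuf;
            cap = ncap;
        }
        got = fread(buf + len, 1, cap - len - 1, f);
        if (got == 0)
            break;
        len += got;
    }
    buf[len] = '\0';
    fclose(f);
    r = audit_maps(buf);
    free(buf);
    return r;
}

int main(void)
{
    struct wx_report s = audit_maps(sample_maps);
    struct wx_report me = audit_self();
    printf("sample: %d mappings, %d W+X, %d backed by /dev/zero\n",
           s.total, s.wx, s.dev_zero);
    printf("self:   %d mappings, %d W+X, %d backed by /dev/zero\n",
           me.total, me.wx, me.dev_zero);
    return 0;
}
```

Run it against a live process by substituting its pid for `self` in the path; a non-zero W+X count, or a /dev/zero-backed mapping that later shows up in a PaX log line, points at the library or engine code that needs the fix the reply describes (emit the generated code to a file and mmap it executable, or disable HAVE_VM_COMPILED).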