| 1 |
On 27 Jan 2007 at 19:40, gentoo-hardened-ml-01@××××××.org wrote: |
| 2 |
|
| 3 |
> If I paxctl -PS the ioquake3 binary it crashes on startup with the error: |
| 4 |
> |
| 5 |
> PAX: execution attempt in: /dev/zero |
| 6 |
> |
| 7 |
> logged to the syslog. If I paxctl -ps ioquake3 it runs fine. Of course |
| 8 |
> mprotect is disabled in both cases. |
| 9 |
|
| 10 |
this is then a sign that the application doesn't create its mappings |
| 11 |
with proper access rights, that is, it's mmap'ing without PROT_EXEC |
| 12 |
and then tries to execute code in there. having grepped through the |
| 13 |
quake3 sources i can't find any mention of /dev/zero, so it might be |
| 14 |
a library or something, only further debugging can reveal it (and it's |
| 15 |
an application bug somewhere, so it should be found and fixed). |
| 16 |
|
| 17 |
second, i also looked at how the quake3 engine generates code at runtime |
| 18 |
and i think the i386 port should follow that amd64 version which puts |
| 19 |
it into a file then mmap's it - this can run with full PaX permissions |
| 20 |
(of course, this mitigates the issue to filesystem access control, but |
| 21 |
is still better than in-memory JIT compilation). |
| 22 |
|
| 23 |
third, the Makefile has the HAVE_VM_COMPILED option, if you set it to |
| 24 |
false, it should use the interpreter instead and would again allow full |
| 25 |
PaX enforcement (but i guess it also costs performance, would be worth |
| 26 |
a measurement). |
| 27 |
|
| 28 |
> If I use the SSP-enabled toolchain, I'll loose my ability to toggle this |
| 29 |
> protection off and on at will right? |
| 30 |
|
| 31 |
correct. |
| 32 |
|
| 33 |
> Am I correct that the only work arounds in this case would involve |
| 34 |
> some kind of recompiling with per-package flags, etc.? |
| 35 |
|
| 36 |
it's not some kind of recompiling, it's recompiling ;-). and the way |
| 37 |
to control ssp use is via gcc specs file, that is, you'd have to switch |
| 38 |
to a nossp profile before emerging quake3. |
| 39 |
|
| 40 |
-- |
| 41 |
gentoo-hardened@g.o mailing list |
Archives