| 1 |
On 19 Sep 2015 at 17:45, Alex Efros wrote: |
| 2 |
|
| 3 |
> > so try "readelf -edW /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0" |
| 4 |
> > and post its output. |
| 5 |
> |
| 6 |
> Section Headers: |
| 7 |
> [Nr] Name Type Address Off Size ES Flg Lk Inf Al |
| 8 |
> [10] wtext PROGBITS 0000000000048000 048000 012000 00 AX 0 0 4096 |
| 9 |
|
| 10 |
this is an interesting section as i guess it's meant to be writable |
| 11 |
at runtime (probably stands for 'w'ritable 'text') even though it's |
| 12 |
placed an r-x segment so probably there's an explicit mprotect call |
| 13 |
later to make it writable (temporarily or permanently). |
| 14 |
|
| 15 |
> Dynamic section at offset 0x77370 contains 23 entries: |
| 16 |
> Tag Type Name/Value |
| 17 |
> 0x0000000000000016 (TEXTREL) 0x0 |
| 18 |
|
| 19 |
this mark is normally emitted by the linker when the binary will |
| 20 |
need runtime text relocations but as i said, there's no such thing |
| 21 |
under the amd64 ABI. so this makes me think that barring some toolchain |
| 22 |
bug on their end, it may be a trick to actually accomodate PaX users |
| 23 |
as the already mentioned ELFRELOCS feature will allow text relocations |
| 24 |
by allowing a one-time transition of r-x -> rw- -> r-x that ld.so |
| 25 |
uses to perform text relocations. and it so happens that i restrict |
| 26 |
this capability to files that are actually marked with DT_TEXTREL |
| 27 |
(otherwise upon enabling this kernel option any program and thus |
| 28 |
exploit could abuse this to circumvent MPROTECT). |
| 29 |
|
| 30 |
so there're two things left to do: |
| 31 |
1. enable ELFRELOCS in your kernel config (and keep MPROTECT enforced |
| 32 |
on all binaries) |
| 33 |
2. perhaps ask nvidia if this textrel marking is intentional |
| 34 |
|
| 35 |
my guess is that this will get you an nvidia based system where you |
| 36 |
actually no longer have to disable MPROTECT on all binaries that |
| 37 |
use their GL library which would be a marked improvement, especially |
| 38 |
if this wtext thing doesn't stay writable for all eternity and goes |
| 39 |
back to r-x after some initial runtime codegen is done there (you |
| 40 |
can check that in /proc/pid/maps). |
Archives