I tried to allocate some memory pages with read only access using mmap
function. I printed /proc/self/maps
to check if the memory protection was wo
After doing some research I realized that Linux only activates memory protection when a GNU_STACK
program header is included in the ELF
program headers.
By memory protection I mean the use of the NX bit of the processor, so memory pages can be marked as not executable.
For what I understand, GNU_STACK
program header is designed to tell the kernel that you want some specific properties for the stack, one those properties is a non-executable stack. It appears that if you don't explicitly ask for a non-executable stack, all the ELF
sections marked as readable will be executable too. And also all the memory mapping with mmap
while have the same behavior.
Sadly there is no enough documentation on what GNU_STACK
does, and the documentation of mmap
doesn't specify its connection with GNU_STACK
to enable execute protection.
References:
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
I test this issue in my Debian Jessie.
I mmap an anonymous area in a special address,and print the content of maps, the corresponding permission form:
PROT_READ r--p
PROT_WRITE -w-p
PROT_EXEC --xp
PROT_READ|PROT_WRITE rw-p
PROT_READ|PROT_EXEC r-xp
I don't test PROT_WRITE | PROT_EXEC ..., because pax/grsecurity protects against creating writable and executable mapping.
test information:
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt17-1 (2015-09-26) x86_64 GNU/Linux
Intel i7,x86_64