Why in mmap PROT_READ equals PROT_EXEC

后端 未结 2 969
南方客
南方客 2021-01-14 12:25

I tried to allocate some memory pages with read only access using mmap function. I printed /proc/self/maps to check if the memory protection was wo

相关标签:
2条回答
  • 2021-01-14 12:56

    After doing some research I realized that Linux only activates memory protection when a GNU_STACK program header is included in the ELF program headers. By memory protection I mean the use of the NX bit of the processor, so memory pages can be marked as not executable.

    For what I understand, GNU_STACK program header is designed to tell the kernel that you want some specific properties for the stack, one those properties is a non-executable stack. It appears that if you don't explicitly ask for a non-executable stack, all the ELF sections marked as readable will be executable too. And also all the memory mapping with mmap while have the same behavior.

    Sadly there is no enough documentation on what GNU_STACK does, and the documentation of mmap doesn't specify its connection with GNU_STACK to enable execute protection.

    References:

    https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

    0 讨论(0)
  • 2021-01-14 13:20

    I test this issue in my Debian Jessie.

    I mmap an anonymous area in a special address,and print the content of maps, the corresponding permission form:

    PROT_READ               r--p
    PROT_WRITE              -w-p
    PROT_EXEC               --xp
    PROT_READ|PROT_WRITE    rw-p
    PROT_READ|PROT_EXEC     r-xp
    

    I don't test PROT_WRITE | PROT_EXEC ..., because pax/grsecurity protects against creating writable and executable mapping.

    test information:
    Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt17-1 (2015-09-26) x86_64 GNU/Linux
    Intel i7,x86_64

    0 讨论(0)
提交回复
热议问题