I discussed this briefly with Linus and his comments are reproduced
below. While I see Linus' points, I do think that turning off EXECUTE
permission on anonymous would improve the security in practice, if not
in theory. But I'd be interested in other people's opinion. Also, as
a practical matter, we currently have special hacks in the ia64 page
fault handler that are needed to work around performance problems that
arise from the fact that we map anonymous memory with EXECUTE rights
by default. Those hacks avoid having to flush the cache for memory
that's mapped executable but never really executed. So clearly there
are technical advantages to not turning on EXECUTE permission, even if
we ignore the security argument.
What I'm wondering: how do others feel about this issue? Since x86
wont be affected by this, I'm especially interested in the opinion of
the maintainers of non-x86 platforms.
It seems to me that for portability reasons, dynamic code generators
should always do an mmap() call to ensure that the generated code is
executable. If we can agree on this as the recommended practice, then
I don't see much of a problem with not turning on the EXECUTE right by
default.
Opinions?
--david
--------------
Comments by Linus:
I would say that the BSS has to be mapped the same way brk() maps things.
They _are_ the same thing, after all - I consider "brk()" to be a system
call that just dynamically changes the BSS limits.
So I would say that we have a few options:
- just explicitly make bss/brk() be non-executable, and tell Compaq that
if they want to do dynamic code generation they should use an anonymous
mapping with MAP_EXEC.
- make both of them always be executable, and say "this is how x86 does
it, security issues don't help", x86 is the Borg, and you _have_ been
assimilated.
- add a per-process flag (that gets copied at fork() and stays alive over
exec()) that allows the system to decide between the two above
dynamically on a process-per-process basis. We could default to the
stricter thing, and people who aren't happy would just make a wrapper
executable (no setuid needed) that sets the flag and executes whatever
process it wants to run that needs to execute BSS.
Quite frankly, my personal preference is "We are the borg of x86" choice,
especially on ia64. The security issue with stack smashing etc is a
complete non-issue: if the program allows a buffer overrun it is insecure
whether EXEC is set or not.
But I suspect you should talk this over on ia64 lists and possibly people
like Alan &co. Feel free to quote this email.
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/