From: "Albert Cahalan" <acahalan@gmail.com>
To: paulus@samba.org, linuxppc-dev@ozlabs.org,
debian-powerpc@lists.debian.org
Subject: PowerPC paxtest results w/ gcc-4.1
Date: Sat, 12 Aug 2006 01:50:47 -0400
Message-ID: <787b0d920608112250q551c98f5j328183c31eebaf77@mail.gmail.com>
I just ran paxtest on a Mac G4 Cube. Ouch. The results are shameful.
Does nobody care to fix this? (well heck, the patched firefox isn't
showing up via aptitude yet, and my browser just died a horrible
and unexpected death involving a pop-up ad, so I guess not!)
I suppose part of the problem is that paxtest requires serious
hacking to work right on PowerPC. Critical fixes are:
1. unnest the dummy() function (PaX marketing bullshit)
2. change the return opcode (see code below)
3. flush the cache as needed (see code below)
4. use the Makefile-portable that Gentoo has
5. compile with "-W -Wall -fno-strict-aliasing" and fix warnings
With all that done, gasp in horror at the truth:
Linux cube 2.6.17-rc5 #1 PREEMPT Sat May 27 20:35:12 EDT 2006 ppc GNU/Linux
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : 11 bits (guessed)
Stack randomisation test (PAGEEXEC) : 11 bits (guessed)
Return to function (strcpy) : paxtest: bad luck
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : paxtest: bad luck
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
About the only saving grace is that the attacker would have
to get lucky with the cache if they need code executed.
Look, it's not as if we get closed-source binaries on PowerPC
anyway. Non-free isn't the Debian way either. Screw the ABI.
We need a fail-safe (enabled by default) fix for this.
///////// code added to the top of paxtest body.h //////////
// use this code in the obvious way: write RET into the buffer under
// test, FLUSH() the buffer, then jump to it
#if defined(__ppc__) || defined(__powerpc__)
// "blr" (bclr 20,0): return to the address in the link register
#define RET 0x4e800020
// PowerPC data and instruction caches are not coherent: write the data
// line back (dcbf), invalidate the instruction line (icbi) and wait for
// both before the freshly written opcode may be fetched
#define FLUSH(x) __asm__ __volatile__(\
	"dcbf 0,%0 ; sync ; icbi 0,%0 ; sync ; isync ; sync" \
	: \
	: "r" (x) \
	: "memory" \
	)
#endif
#if defined(__i386__) || defined(__x86_64__)
#define RET 0xc3c3c3c3 // ret ret ret ret
// x86 keeps the instruction fetch coherent with data writes, nothing to do
#define FLUSH(x) do { } while (0)
#endif
#ifndef RET
#error "RET and FLUSH are not defined for this architecture"
#endif
#include <string.h>
///////////////////////////////////////////////////////////
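To show what the second and third fixes above (the return opcode and the cache flush) are for, here is a stand-alone probe in the style of paxtest's executable-memory tests. It is an added example, not code from the mail or from paxtest: it writes a native-endian return instruction into a stack, heap, bss, data or anonymous-mmap buffer, flushes the caches with GCC's __builtin___clear_cache (assumed here as a portable stand-in for the inline dcbf/icbi sequence in the mail; it expands to nothing on x86), and then calls the buffer under a SIGSEGV/SIGBUS/SIGILL handler that longjmps back. The probe names, buffer sizes and the report wording are my own; the code assumes a Linux ELF target on which a function pointer is a plain code address (x86, 32-bit PowerPC, ppc64le, aarch64; not the 64-bit big-endian ELFv1 PowerPC ABI with function descriptors).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Native-endian "return to caller" instruction, kept as a 32-bit word so a
 * memcpy lays the bytes out in the order the instruction fetch expects. */
#if defined(__i386__) || defined(__x86_64__)
static const uint32_t RET_OPCODE = 0xc3c3c3c3;   /* ret ret ret ret */
#elif defined(__powerpc__) || defined(__ppc__)
static const uint32_t RET_OPCODE = 0x4e800020;   /* blr */
#elif defined(__aarch64__)
static const uint32_t RET_OPCODE = 0xd65f03c0;   /* ret */
#else
#error "no return opcode known for this architecture"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* resume in try_exec with a non-zero value */
}

/* Write the return opcode into buf and call it.  Returns 1 if the CPU ran
 * the instruction (the memory is executable), 0 if the kernel delivered a
 * fault instead (the memory is protected), -1 if buf is NULL. */
static int try_exec(void *buf)
{
    struct sigaction sa, old_segv, old_bus, old_ill;
    void (*fn)(void);
    volatile int executed = 0;

    if (buf == NULL)
        return -1;

    memcpy(buf, &RET_OPCODE, sizeof RET_OPCODE);
    /* PowerPC and ARM do not keep the instruction cache coherent with data
     * writes: without this flush the fetch may see whatever the I-cache line
     * held before, which is the "get lucky with the cache" caveat above. */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof RET_OPCODE);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(&fn, &buf, sizeof fn);   /* data pointer -> code pointer */
        fn();
        executed = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return executed;
}

/* One probe per memory kind, mirroring paxtest's test names.  The buffers are
 * uint32_t so the opcode lands 4-byte aligned, which PowerPC requires. */
static uint32_t bss_buf[16];
static uint32_t data_buf[16] = { 1 };

int probe_stack(void) { uint32_t buf[16]; return try_exec(buf); }
int probe_bss(void)   { return try_exec(bss_buf); }
int probe_data(void)  { return try_exec(data_buf); }

int probe_heap(void)
{
    void *p = malloc(64);
    int r = try_exec(p);
    free(p);
    return r;
}

/* Anonymous mapping with the given PROT_* bits: RWX executes unless the
 * kernel refuses the mapping, RW must not on a kernel and CPU enforcing NX. */
int probe_anon(int prot)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r;
    if (p == MAP_FAILED)
        return -1;
    r = try_exec(p);
    munmap(p, page);
    return r;
}

static void report(const char *name, int r)
{
    printf("%-36s: %s\n", name,
           r == 1 ? "Vulnerable" : r == 0 ? "Killed" : "mapping refused");
}

int main(void)
{
    report("Executable anonymous mapping", probe_anon(PROT_READ | PROT_WRITE));
    report("Executable bss", probe_bss());
    report("Executable data", probe_data());
    report("Executable heap", probe_heap());
    report("Executable stack", probe_stack());
    report("Anonymous mapping asked for as RWX", probe_anon(PROT_READ | PROT_WRITE | PROT_EXEC));
    return 0;
}
```

On a machine that enforces NX the first five lines print "Killed" and only the RWX mapping prints "Vulnerable"; the table in the mail is what you get when every buffer executes. Leaving out the __builtin___clear_cache call on a G4 turns the answer into a cache-state lottery, which is exactly why an unpatched paxtest cannot be trusted on PowerPC.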
Thread overview: 19+ messages
2006-08-12 5:50 Albert Cahalan [this message]
2006-08-12 11:35 ` PowerPC paxtest results w/ gcc-4.1 Paul Mackerras
2006-08-12 14:36 ` Albert Cahalan
2006-08-12 23:54 ` Paul Mackerras
2006-08-13 2:48 ` Albert Cahalan
2006-08-13 3:23 ` Paul Mackerras
2006-08-13 4:11 ` Albert Cahalan
2006-08-13 16:45 ` Hollis Blanchard
2006-08-13 18:59 ` Albert Cahalan
2006-08-14 12:17 ` Matt Sealey
2006-08-14 14:20 ` Kumar Gala
2006-08-13 3:29 ` Alan Modra
2006-08-13 18:56 ` Albert Cahalan
2006-08-14 11:50 ` Matt Sealey
2006-08-15 3:59 ` Paul Mackerras
2006-08-16 10:59 ` Gabriel Paubert
2006-08-16 11:07 ` Paul Mackerras
2006-08-16 14:43 ` Albert Cahalan
2006-08-16 17:49 ` Segher Boessenkool