Some questions about VM flags

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Some questions about VM flags
@ 2005-03-23 16:01 Luca Falavigna
  0 siblings, 0 replies; 2+ messages in thread
From: Luca Falavigna @ 2005-03-23 16:01 UTC (permalink / raw)
  To: Linux Kernel Mailing List

I was playing with mprotect and VM flags when I noticed two curious behaviours.

1)

This C program modifies data segments's flags:

#include <stdio.h>
#include <sys/mman.h>

/* Values shown by /proc/<pid>/maps */
#define START	0x08049000
#define END	0x0804a000

int target;

int main(void)
{
	printf("ADDRESS: %p\n", &target);
	target = 1;
	mprotect((void *)START, END - START, PROT_WRITE);
	printf("%d\n", target);
	return 0;
}

After the mprotect call, data segment's flags are
08049000-0804a000 -w-p 00000000 03:06 297330     /home/dktrkranz/vmflags_read

Shouldn't printf generate a segfault trying to read a variabile located in a
write-only area?

2)

This C program tries to execute a shellcode:

/* This shellcode calls write and exit. It's harmless ;) */
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x7a\x0a\x00\x00\x68\x4b\x72"
"\x61\x6e\x68\x44\x6b\x74\x72\x89\xe1\xb2\x0a\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\xb0\x01\xcd\x80";

int main(void)
{
	void(*sc)(void);
	sc = (void *)&shellcode;
	sc();
	return 0;
}

These are data segment's flags:
08049000-0804a000 rw-p 00000000 03:06 297330     /home/dktrkranz/vmflags_sc

Shellcode lies in this segment. It is executed even if VM_EXEC isn't set. I
think execution shouldn't be permitted if only VM_READ or VM_WRITE flags are
set. Buffer overflows/format string based exploits wouldn't be so popular if we
implemented this feaure. Please let me know your opinion.

Thank you,

					Luca

^ permalink raw reply	[flat|nested] 2+ messages in thread

[parent not found: <3LnM0-5Wf-27@gated-at.bofh.it>]

* Re: Some questions about VM flags
       [not found] <3LnM0-5Wf-27@gated-at.bofh.it>
@ 2005-03-24  1:47 ` Robert Hancock
  0 siblings, 0 replies; 2+ messages in thread
From: Robert Hancock @ 2005-03-24  1:47 UTC (permalink / raw)
  To: linux-kernel

Luca Falavigna wrote:
> Shouldn't printf generate a segfault trying to read a variabile located in a
> write-only area?

What architecture is this on? On many CPUs it is not possible to enforce 
a write-only memory area in most cases (there is no way to give write 
permissions without giving read permissions).

> 
> Shellcode lies in this segment. It is executed even if VM_EXEC isn't set. I
> think execution shouldn't be permitted if only VM_READ or VM_WRITE flags are
> set. Buffer overflows/format string based exploits wouldn't be so popular if we
> implemented this feaure. Please let me know your opinion.

Likewise, many CPUs cannot enforce execution restrictions separate from 
read restrictions (x86 CPUs are like this, except for the latest ones 
with NX support, or if you're using a kernel patch like exec-shield that 
tries to emulate this support).

-- 
Robert Hancock      Saskatoon, SK, Canada
To email, remove "nospam" from hancockr@nospamshaw.ca
Home Page: http://www.roberthancock.com/

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2005-03-24  1:48 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-03-23 16:01 Some questions about VM flags Luca Falavigna
     [not found] <3LnM0-5Wf-27@gated-at.bofh.it>
2005-03-24  1:47 ` Robert Hancock

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox