* how to determine if the noexec stack is defined by an application
From: Florin Andrei @ 2007-06-29 20:44 UTC (permalink / raw)
To: linux-kernel

I'm reading Ingo's NX quick start document:

http://people.redhat.com/mingo/nx-patches/QuickStart-NX.txt

Quote:

"If an application defines a noexec stack then the kernel will enforce
this executability, and all attempts to execute on the stack will be
prevented by the hardware."

My question is related to the conditional "if an application". So it
looks like it depends on the app.

Now, the OS/hardware combination that I'm using (RHEL4 WS 32 bit on
AMD64 CPU - long story, don't ask) definitely enables NX:

# grep -i nx /var/log/dmesg
NX (Execute Disable) protection: active

But it's running a Web service which is a combination of C code and
Tomcat/Java. I have no clue how to determine which portions specify a
noexec stack and which don't.

In case it turns out some portions do not specify a noexec stack, my
next question is how to get the application to create a noexec stack
(assume I can make that request to the developers).

(please do NOT Cc me, I'm subscribed to the list)

--
Florin Andrei
http://florin.myip.org/
* Re: how to determine if the noexec stack is defined by an application
From: Arjan van de Ven @ 2007-06-29 21:49 UTC (permalink / raw)
To: linux-kernel
> But it's running a Web service which is a combination of C code and
> Tomcat/Java. I have no clue how to determine which portions specify a
> noexec stack and which don't.
>
> In case it turns out some portions do not specify a noexec stack, my
> next question is how to get the application to create a noexec stack
> (assume I can make that request to the developers).

like this:

$ eu-readelf -l /bin/true | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4

(replace /bin/true with the binary or library you want to check)

if it says "RW" like here, it'll have non-executable stack. If it says
"RWX" or if this line is absent entirely, the stack will be executable.
* Re: how to determine if the noexec stack is defined by an application
From: Andreas Schwab @ 2007-06-29 22:15 UTC (permalink / raw)
To: Arjan van de Ven; +Cc: linux-kernel
Arjan van de Ven <arjan@infradead.org> writes:
> like this:
>
> $ eu-readelf -l /bin/true | grep STACK
> GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
>
>
> (replace /bin/true with the binary or library you want to check)
>
> if it says "RW" like here, it'll have non-executable stack. If it says
> "RWX" or if this line is absent entirely, the stack will be executable.
The last part is not true. Some architectures (especially newer ones)
default to non-exec stack. The absence of a GNU_STACK header represents
the default.
Andreas.
--
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
* Re: how to determine if the noexec stack is defined by an application
From: Arjan van de Ven @ 2007-06-29 22:27 UTC (permalink / raw)
To: Andreas Schwab; +Cc: linux-kernel
On Sat, 2007-06-30 at 00:15 +0200, Andreas Schwab wrote:
> Arjan van de Ven <arjan@infradead.org> writes:
>
> > like this:
> >
> > $ eu-readelf -l /bin/true | grep STACK
> > GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
> >
> >
> > (replace /bin/true with the binary or library you want to check)
> >
> > if it says "RW" like here, it'll have non-executable stack. If it says
> > "RWX" or if this line is absent entirely, the stack will be executable.
>
> The last part is not true. Some architectures (especially newer ones)
> default to non-exec stack. The absence of a GNU_STACK header represents
> the default.
ok you're right; powerpc64 defaults to non-executable stack
(all others default to executable stack)
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org
* Re: how to determine if the noexec stack is defined by an application
From: Andreas Schwab @ 2007-06-29 22:41 UTC (permalink / raw)
To: Arjan van de Ven; +Cc: linux-kernel
Arjan van de Ven <arjan@infradead.org> writes:
> (all others default to executable stack)
Except ia64.
Andreas.
--
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
* Re: how to determine if the noexec stack is defined by an application
From: Arjan van de Ven @ 2007-06-29 22:43 UTC (permalink / raw)
To: Andreas Schwab; +Cc: linux-kernel
On Sat, 2007-06-30 at 00:41 +0200, Andreas Schwab wrote:
> Arjan van de Ven <arjan@infradead.org> writes:
>
> > (all others default to executable stack)
>
> Except ia64.
for ia64 it depends on the personality actually .. just to make it more
complex.
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org
* Re: how to determine if the noexec stack is defined by an application
From: Florin Andrei @ 2007-06-30 1:21 UTC (permalink / raw)
To: linux-kernel
Arjan van de Ven wrote:
>> But it's running a Web service which is a combination of C code and
>> Tomcat/Java. I have no clue how to determine which portions specify a
>> noexec stack and which don't.
>
> like this:
>
> $ eu-readelf -l /bin/true | grep STACK
> GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4

Is Sun Java 1.5 a known exception - as an application that doesn't set a
noexec stack and reverts to default?

# eu-readelf -l ./java | grep STACK | wc -l
0

But then, this bug report seems to indicate otherwise, if I'm reading it
correctly:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5051381

--
Florin Andrei
http://florin.myip.org/
* Re: how to determine if the noexec stack is defined by an application
From: Arjan van de Ven @ 2007-06-30 5:16 UTC (permalink / raw)
To: linux-kernel
On Fri, 2007-06-29 at 18:21 -0700, Florin Andrei wrote:
> Arjan van de Ven wrote:
> >> But it's running a Web service which is a combination of C code and
> >> Tomcat/Java. I have no clue how to determine which portions specify a
> >> noexec stack and which don't.
> >
> > like this:
> >
> > $ eu-readelf -l /bin/true | grep STACK
> > GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4
>
> Is Sun Java 1.5 a known exception - as an application that doesn't set a
> noexec stack and reverts to default?
>
> # eu-readelf -l ./java | grep STACK | wc -l
> 0
>
> But then, this bug report seems to indicate otherwise, if I'm reading it
> correctly:
>
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5051381
that's not a mainline kernel; and I don't rule out that early RHEL3
versions had a 64/32 bug in this area
>
--
if you want to mail me at work (you don't), use arjan (at) linux.intel.com
Test the interaction between Linux and your BIOS via http://www.linuxfirmwarekit.org
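
The check discussed in this thread, as an added example (not code posted by anyone in the thread): it reads the ELF program headers directly and reports "arch-default" instead of "exec" when no GNU_STACK header exists, because, as the replies point out, the result then depends on the architecture (and on ia64 on the personality). The function names and the make_elf32 sample builder are assumptions made for illustration; the sample images are constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type eu-readelf prints as GNU_STACK
PF_X = 0x1                  # execute bit in p_flags

def gnu_stack_status(data):
    """Return 'noexec', 'exec', or 'arch-default' (no GNU_STACK header)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian
    if data[4] == 2:                          # EI_CLASS: ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                         # Elf64_Phdr: p_flags follows p_type
    else:                                     # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                        # Elf32_Phdr: p_flags is the 7th word
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return "exec" if p_flags & PF_X else "noexec"
    # Header absent: the kernel falls back to the per-architecture default.
    return "arch-default"

def make_elf32(phdrs):
    """Constructed sample: minimal little-endian ELF32 image from (p_type, p_flags) pairs."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4)
                           for t, f in phdrs)

if __name__ == "__main__":
    # Usage: pass the executable and every shared library the process loads.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                print(path, gnu_stack_status(fh.read()))
            except (ValueError, struct.error) as exc:
                print(path, "skipped:", exc)
```

A binary such as the ./java case above, where grep finds no STACK line, comes back as "arch-default" rather than being counted as either protected or unprotected.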