tech-kern archive
Re: PaX: Heritage bug
On 25/02/2015 18:16, Christos Zoulas wrote:
> On Feb 25, 4:50pm, max%m00nbsd.net@localhost (Maxime Villard) wrote:
> -- Subject: Re: PaX: Heritage bug
>
> | >> Attached is a patch. However I have a doubt: if the kernel loads a
> | >> binary, and then its interpreter, the p_pax flag is not used when load-
> | >> ing this interpreter, right?
> | >
> | > I don't see why it can't... Try turning it on.
> |
> | What do you mean?
>
> That the location where the interpreter is loaded should be randomized if it
> is not. Last time I checked it was.
elf_load_interp() loads the interpreter. AFAICT, it only adds VMCMDs to
the exec package. So it does not look like there is actually anything
randomized in this function.
In my patch, I first set the PaX flag in the exec package (and update
ASLR_GAP() accordingly), and then I set the proc's p_pax flag just
before processing these VMCMDs.
My question was: is this p_pax flag used in the meantime? From what I've
seen, my answer is no, but in case I miss something...
(and I'm figuring out my ASLR_GAP() change is wrong; it should be:
#ifdef PAX_ASLR
#define ASLR_GAP(epp) (pax_aslr_exec_active(epp) ? (cprng_fast32() % PAGE_SIZE) : 0)
#else
#define ASLR_GAP(epp) 0
#endif
)
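The ordering point raised in this message, as an added userland model that is not NetBSD code and not part of the thread: struct exec_package, struct proc, P_PAX_ASLR, pax_aslr_exec_active() and fake_cprng_fast32() are hypothetical stand-ins for the kernel's types, flag and cprng_fast32(). It contrasts computing the gap from the exec package's own PaX flags (the corrected ASLR_GAP(epp) above) with computing it from the proc's p_pax, which during exec still carries the parent image's setting.

```c
/* Added example, not NetBSD code. Models why the ASLR gap has to be derived
 * from the exec package rather than from the (inherited) proc flags. All
 * names below are hypothetical stand-ins for the kernel's own. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE  4096u
#define P_PAX_ASLR 0x01u   /* assumed flag bit: ASLR requested for this image */

struct exec_package { unsigned ep_pax_flags; };   /* assumed: flags for the new image */
struct proc         { unsigned p_pax; };          /* assumed: flags of the running image */

/* Deterministic xorshift32 standing in for cprng_fast32() so this runs
 * in userland and reproducibly. Not a cryptographic generator. */
static uint32_t prng_state = 0x9e3779b9u;
static uint32_t fake_cprng_fast32(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Hypothetical: is ASLR active for the image described by this package? */
static bool pax_aslr_exec_active(const struct exec_package *epp) {
    return (epp->ep_pax_flags & P_PAX_ASLR) != 0;
}

/* The corrected ASLR_GAP(epp) from the mail, written as a function. */
static uint32_t aslr_gap(const struct exec_package *epp) {
    return pax_aslr_exec_active(epp) ? fake_cprng_fast32() % PAGE_SIZE : 0;
}

/* The "heritage" variant: consults p_pax, which at interpreter-load time
 * still describes the parent image, not the one being exec'd. */
static uint32_t aslr_gap_from_proc(const struct proc *p) {
    return (p->p_pax & P_PAX_ASLR) ? fake_cprng_fast32() % PAGE_SIZE : 0;
}

/* Simulated exec path: pick the interpreter hint (gap applied here), then,
 * only afterwards, copy the package flags into the proc, i.e. the order the
 * patch uses (p_pax set just before the VMCMDs are processed). */
static uintptr_t exec_interp_hint(struct proc *p, struct exec_package *epp,
                                  uintptr_t hint, bool use_proc_flags) {
    uint32_t gap = use_proc_flags ? aslr_gap_from_proc(p) : aslr_gap(epp);
    uintptr_t chosen = hint + gap;
    p->p_pax = epp->ep_pax_flags;      /* new image's flags become visible now */
    return chosen;
}

/* Helper for checking the gap range for a given set of package flags. */
static uint32_t gap_for_flags(unsigned flags) {
    struct exec_package epp = { flags };
    return aslr_gap(&epp);
}

/* Returns 1 when the proc-based variant never moves the interpreter of an
 * ASLR-enabled image exec'd from an ASLR-disabled parent, while the
 * package-based variant does move it. */
static int demo_heritage_bug(void) {
    struct exec_package epp = { P_PAX_ASLR };   /* new image wants ASLR */
    uintptr_t hint = 0x10000000u;
    int proc_moved = 0, epp_moved = 0;
    for (int i = 0; i < 64; i++) {
        struct proc parent = { 0 };             /* parent image had ASLR off */
        if (exec_interp_hint(&parent, &epp, hint, true)  != hint) proc_moved++;
        if (exec_interp_hint(&parent, &epp, hint, false) != hint) epp_moved++;
    }
    return proc_moved == 0 && epp_moved > 0;
}

int main(void) {
    printf("heritage bug reproduced: %s\n", demo_heritage_bug() ? "yes" : "no");
    printf("gap with ASLR off: %u, with ASLR on: %u (PAGE_SIZE %u)\n",
           gap_for_flags(0), gap_for_flags(P_PAX_ASLR), PAGE_SIZE);
    return 0;
}
```

The gap here is only ever added to a hint, so the model says nothing about how the real elf_load_interp() aligns or places mappings; it only shows that reading p_pax before it has been updated for the new image yields the parent's policy, which is the heritage problem the subject line refers to.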