'Re: Security question: "Text file busy" overwriting executables but not shared libraries?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-kernel
Subject:    Re: Security question: "Text file busy" overwriting executables but not shared libraries?
From:       Rob Landley <landley () trommello ! org>
Date:       2001-10-03 23:20:39
[Download RAW message or body]

On Wednesday 03 October 2001 14:06, Eric W. Biederman wrote:

> > But not modify a busy executable.
>
> Have ld-linux.so set the MAP_DENYWRITE bit when it is mapping
> the library.

And of course since the FSF wrote it, it's not quite that simple...

>/* The right way to map in the shared library files is MAP_COPY, which
>   makes a virtual copy of the data at the time of the mmap call; this
>   guarantees the mapped pages will be consistent even if the file is
>   overwritten.  Some losing VM systems like Linux's lack MAP_COPY.  All we
>   get is MAP_PRIVATE, which copies each page when it is modified; this
>   means if the file is overwritten, we may at some point get some pages
>   from the new version after starting with pages from the old version.  */

I.E. it seems like they go out of their way to ALLOW writing to the libaries. 
 (I assume they KNOW the difference between MAP_DENYWRITE, MAP_COPY, and 
MAP_PRIVATE...?)

This look right to anybody else?  Or am I about to wander into weird 
side-effect land?  (Is there a reason they DON'T want a read-only mapping?  
Are they writing data into those pages, perhaps doing the linking fixup 
stuff?  What?)

--- elf/dl-load.bak Wed Oct  3 18:53:37 2001
+++ elf/dl-load.c   Wed Oct  3 18:55:57 2001
@@ -48,7 +48,7 @@
    means if the file is overwritten, we may at some point get some pages
    from the new version after starting with pages from the old version.  */
 #ifndef MAP_COPY
-# define MAP_COPY      MAP_PRIVATE
+# define MAP_COPY      MAP_DENYWRITE
 #endif
 
 /* Some systems link their relocatable objects for another base address

I should just try this and see what it does.  On a machine I don't mind 
reinstalling from scratch.  Which means I need to dig up a spare keyboard for 
my junk machine...  (And figure out how to get glibc's ./configure script to 
realise that linuxthreads is, in fact, there in the source directory.  It's 
right there.  Use it.  Don't yell at me it's not there.  I didn't make this 
SRPM, I changed one line...  Sigh...)

In the morning...

Rob
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic