exec-shield=2
Ingo Molnar
mingo at elte.hu
Thu Jul 8 06:52:03 UTC 2010
* Roland McGrath <roland at redhat.com> wrote:
> I hope to manage to cajole Ingo into either upstreaming or punting that one
> thing, the different arch_get_unmapped_area algorithm used for PROT_EXEC
> mappings. I can't tell if it's actually of any use when we're not using the
> segmentation hack or not. If it is, some version of it belongs upstream.
Even not considering the segmentation based protection, it's useful (on
32-bit) because it compresses executable mappings into an address space region
where all 32-bit addresses have a zero byte in them.
This adds one more complication to exploits - for example ASCII string
overflow based exploits (which cannot have a end-of-string zero byte in them)
will have to work harder to generate an address into that address range. (Some
may even be prevented altogether - although it's usually rather hard to
disprove the exploitability of overflow bugs.)
But upstream mm/ maintainers expressed a thundering disinterest in these kinds
of changes, and the segmentation based trick was explicitly nak-ed IIRC.
Thanks,
Ingo
More information about the kernel
mailing list