|
Message-ID: <20110702174608.GA2490@albatros> Date: Sat, 2 Jul 2011 21:46:08 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: kernel-hardening@...ts.openwall.com Subject: Re: overview of PaX features Solar, On Sat, Jul 02, 2011 at 21:21 +0400, Solar Designer wrote: > Oh, of course the kernel itself also put a signal handler return > trampoline on the stack. As the kernel actually use NX for the stack on amd64 and on x86-32 with PAE support, the signal handler is already rewritten to respect the nonexecutable stack. > You may want to check the code in linux-2.2.12-ow6.diff. It turned out > to be insufficient to cover some newer gcc versions, so it was enhanced > in later 2.2.x-ow versions. > > http://download.openwall.net/pub/patches/linux/v2.2/historical/ I'll take a look at it, thanks. > That said, I don't have strong feelings one way or the other. Feel free > to use the stricter code from PaX if you like. You can also ask for PaX > Team's advice on this. He told me that the PaX' version is based on the actual gcc code, so it should be sufficient ;) > > Btw, there is a tool to change executable stack settings per binary, > > written by Jakub Jelinek (Red Hat): > > > > http://linux.die.net/man/8/execstack > > I think it makes sense for us to get it into Owl. Also there is a paxtest utility, it shows some information related to noexec, ASLR and NULL presence in some libc functions: http://grsecurity.net/~spender/paxtest-0.9.9.tgz Anyway, I expect to work on this patch just after PAX_USERCOPY discussion with upstream (and trying to push it, of course!). Thanks, -- Vasiliy
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.