Re: Opterons and the NX flag.
- To: email@example.com
- Subject: Re: Opterons and the NX flag.
- From: Patrick Flaherty <firstname.lastname@example.org>
- Date: Tue, 28 Sep 2004 11:43:03 -0400
- Message-id: <1096386182.20927.7161.camel@pack>
- In-reply-to: <1096381745.20927.7079.camel@pack>
- References: <1096381745.20927.7079.camel@pack>
Sorry to be the guy that replies to himself, however I looked at some
kernel source and found how to turn on the noexec stuff....
Looks like noexec=on for 64 bit stuff, noexec32=on for the 32 bit stuff.
I guess the 32 bit stuff has some flexibility, as shown by the following:
    Control the no exec default for 32bit processes. Can be also overwritten
    per executable using ELF header flags (e.g. needed for the X server)
    Requires noexec=on or noexec=noforce to be effective.

        all,on            Heap,stack,data is non executable.
        off (default)     Heap,stack,data is executable
        stack             Stack is non executable, heap/data is.
        force             Don't imply PROT_EXEC for PROT_READ
        compat (default)  Imply PROT_EXEC for PROT_READ
Still, has anyone played with this?
On Tue, 2004-09-28 at 10:29, Patrick Flaherty wrote:
> According to the 2.6.8 change log, Ingo added support to boot smp
> opterons in NX mode. Which is fantastic as NX adds a modicum of buffer
> overflow protection. What I've never understood is how to enable NX
> pages. There doesn't seem to be a kernel option for it, is it on by
> default? Has anyone been using it on their system? Does it break any
> programs (apparently some jit compilers use data pages as executables)?
> p.s. NX stands for no exec or something, and has been on high end
> processors for a long time. Basically pages in memory marked by the nx
> flag can't be used to store any shell code (what does bad things in
> buffer overflows)
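The noexec= and noexec32= options quoted above, as an added shell example that is not part of this mail: it reads a kernel command line and a cpuinfo flags line (constructed samples here, not live output) and reports what the quoted rules say the effective policy is. The option names and the "needs noexec=on or noexec=noforce" rule come from the quoted documentation; the summary format and function names are my own, and the 64-bit default is not assumed (a missing noexec= is reported as unset).

```shell
#!/bin/sh
# Added example, not from the original mail. Interprets the noexec= and
# noexec32= boot options the way an auditor would read them. Inputs are
# passed as strings (constructed samples) so it runs offline; on a live
# host you would pass "$(cat /proc/cmdline)" and the flags line of
# /proc/cpuinfo instead.

# Print the value of the last KEY=value token on a kernel command line ("" if absent).
cmdline_opt() {
    key=$1 val=""
    for tok in $2; do
        case $tok in
            "$key="*) val=${tok#"$key="} ;;
        esac
    done
    printf '%s\n' "$val"
}

# Succeed (exit 0) if the cpuinfo flags line advertises the NX bit.
# Without it no noexec= setting can take effect on the hardware.
cpu_has_nx() {
    case " $1 " in
        *" nx "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Effective 32-bit policy. Per the quoted documentation noexec32= only works
# when the 64-bit side is noexec=on or noexec=noforce, and its default is off.
effective_noexec32() {
    nx64=$1 nx32=${2:-off}
    case $nx64 in
        on|noforce) printf '%s\n' "$nx32" ;;
        *) if [ "$nx32" = off ]; then printf 'off\n'; else printf 'ineffective\n'; fi ;;
    esac
}

# One-line summary: $1 = kernel command line, $2 = cpuinfo flags line.
noexec_status() {
    if cpu_has_nx "$2"; then cpu=yes; else cpu=no; fi
    nx64=$(cmdline_opt noexec "$1")
    eff32=$(effective_noexec32 "$nx64" "$(cmdline_opt noexec32 "$1")")
    printf 'cpu_nx=%s noexec=%s noexec32_effective=%s\n' "$cpu" "${nx64:-unset}" "$eff32"
}

# Constructed samples: an Opteron booted with both options, and a box without NX
# whose noexec32=stack is silently ineffective because noexec= was never set.
noexec_status "root=/dev/sda1 ro noexec=on noexec32=all" "fpu vme de pse nx lm"
noexec_status "root=/dev/sda1 ro noexec32=stack" "fpu vme de pse lm"
```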