[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Exec-Shield vs. PaX

On Tue, 4 Nov 2003 pageexec@freemail.hu wrote:

>   second, paxtest had some bugs which Exec-Shield exposed and made
>   Exec-Shield appear better than it is. i've fixed them here and
>   expect to release 0.9.5 today or so. the results now look like:

i downloaded the new 0.9.5 paxtest package and amongst other changes it
has the following oneliner change:

--- paxtest-0.9.4/body.c
+++ paxtest-0.9.5/body.c
@@ -29,6 +29,7 @@
 	fflush( stdout );
 	if( fork() == 0 ) {
+		do_mprotect((unsigned long)argv & ~4095U, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
 	} else {
 		wait( &status );

this intentionally calls mprotect(PROT_EXEC) for the highest possible
address one can think of. This call has no useful purpose at all. In other
words, this is a specific, underhand cheat to trigger 'Vulnerable'
messages for all items when running paxtest on exec-shield kernels.  

frankly, i've never experienced anything like this in my many years in the
Linux world. You so far gave the impression of a reasonable and balanced
person but this is as low as it gets. Shame on you.

here are the paxtest-0.9.5 results with that single purpose-less line
removed, for the categories that matter to me:

 Executable anonymous mapping             : Killed
 Executable bss                           : Killed
 Executable data                          : Killed
 Executable heap                          : Killed
 Executable stack                         : Killed
 Anonymous mapping randomisation test     : 8 bits (guessed)
 Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
 Heap randomisation test (ET_DYN)         : 13 bits (guessed)
 Main executable randomisation (ET_EXEC)  : No randomisation
 Main executable randomisation (ET_DYN)   : 12 bits (guessed)
 Shared library randomisation test        : 12 bits (guessed)
 Stack randomisation test (SEGMEXEC)      : 17 bits (guessed)
 Stack randomisation test (PAGEEXEC)      : 17 bits (guessed)
 Executable shared library bss            : Vulnerable
 Executable shared library data           : Vulnerable


Reply to: