Martin Decky wrote:
> Well, the initial idea to only support either writable xor executable
> areas was indeed motivated by security reasons. Then came Jiri and he
> needed the forbidden combination for the loader: when loading executable
> code, you first need to read it from a file and then write it to the
> target address space area. In this regard, as_area_change_flags() can be
> considered a workaround or a sort of a hack.
OK, but isn't this a little bit strange? If there are no purely
technical reasons which would forbid creating W+E areas in
as_area_create() directly, if there are legitimate reasons to support
them and if it is even possible to setup such an area by two calls
(instead of one call -- just a trivial obstruction), then why not simply
allow to create such an area directly in as_area_create()?
I mean, this is no longer a security measure (because you are free to
achieve the unsafe state), it is only an obfuscation.
I think there is a misunderstanding here. as_area_change_flags() was introduced
at the same time as the program loader. The problem it is designed to solve is
loading of read-only segments (e.g. text segment). To load a text (r-x)
segment, the loader first creates an area with rw- mode, writes to it, then
changes its mode to r-x with as_area_change_flags(). This has nothing to do
with the problem of wx areas, rather with the need to write some area and then
make it read-only.
There was never an intention to allow as_area_change_flags() to set rwx mode.
This is probably an omission. The only reason I can imagine why somebody would
want this is if it were a workaround for some limitation/bug in the dynamic
linker (e.g. in writing to a writeable PLT). But most likely the check is just
missing there.
Of course the restriction that code areas must not be writeable is slightly
questionable - for programs doing JIT this might be problematic - and using
as_area_change_flags() to switch between r-x and rw- is not the answer (you
can't just make the heap readonly while other threads are running, plus it
might be slow).
In any case as_area_create() and as_area_change_flags() should either both have
the restriction or neither.
Cheers
-Jiri
_______________________________________________
HelenOS-devel mailing list
[email protected]
http://lists.modry.cz/cgi-bin/listinfo/helenos-devel
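The closing point of the thread, that as_area_create() and as_area_change_flags() should enforce the same restriction, is easiest to get right when both entry points call one shared policy check. The following is an added toy model written for this page; it is not HelenOS code. The AREA_* flag bits, the area_t type and the function names are hypothetical stand-ins for the real kernel interfaces, and the sample text-segment bytes are constructed. It shows the loader sequence Jiri describes (create rw-, write, switch to r-x) succeeding, while rwx is refused at both creation and flag-change time.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical flag bits modelled on the r/w/x modes in the thread;
 * these are not HelenOS's real address-space area constants. */
#define AREA_READ  0x1u
#define AREA_WRITE 0x2u
#define AREA_EXEC  0x4u

typedef struct {
    uint8_t *base;   /* backing storage of the modelled area */
    size_t   size;
    unsigned flags;  /* current AREA_* mode */
} area_t;

/* Single W^X policy check shared by creation and flag change, so the two
 * entry points cannot drift apart: writable and executable never together. */
static bool area_flags_allowed(unsigned flags)
{
    bool writable   = (flags & AREA_WRITE) != 0;
    bool executable = (flags & AREA_EXEC) != 0;
    return !(writable && executable);
}

/* Model of as_area_create(): rejects rwx up front. Returns NULL on failure. */
area_t *area_create(size_t size, unsigned flags)
{
    if (!area_flags_allowed(flags))
        return NULL;
    area_t *a = calloc(1, sizeof(*a));
    if (a == NULL)
        return NULL;
    a->base = calloc(size, 1);
    if (a->base == NULL) {
        free(a);
        return NULL;
    }
    a->size = size;
    a->flags = flags;
    return a;
}

/* Model of as_area_change_flags(): applies the very same check.
 * Returns 0 on success, -1 when the requested mode is refused. */
int area_change_flags(area_t *a, unsigned flags)
{
    if (!area_flags_allowed(flags))
        return -1;
    a->flags = flags;
    return 0;
}

/* Write into the area; honours the current mode and bounds. */
int area_write(area_t *a, size_t off, const void *src, size_t len)
{
    if ((a->flags & AREA_WRITE) == 0 || off > a->size || len > a->size - off)
        return -1;
    memcpy(a->base + off, src, len);
    return 0;
}

void area_destroy(area_t *a)
{
    if (a != NULL) {
        free(a->base);
        free(a);
    }
}

/* The loader sequence from the thread: create rw-, fill it, flip to r-x.
 * Returns the final flags of the area, or 0 if any step was refused. */
unsigned load_text_segment(const uint8_t *image, size_t len)
{
    area_t *a = area_create(len, AREA_READ | AREA_WRITE);
    if (a == NULL)
        return 0;
    unsigned result = 0;
    if (area_write(a, 0, image, len) == 0 &&
        area_change_flags(a, AREA_READ | AREA_EXEC) == 0)
        result = a->flags;
    area_destroy(a);
    return result;
}

int main(void)
{
    /* Constructed sample "text segment" bytes; their content is irrelevant. */
    const uint8_t image[4] = {0x90, 0x90, 0x90, 0xc3};
    unsigned final_flags = load_text_segment(image, sizeof image);
    printf("loader path: final flags = 0x%x (r-x expected 0x%x)\n",
           final_flags, AREA_READ | AREA_EXEC);
    printf("direct rwx create refused: %s\n",
           area_create(16, AREA_READ | AREA_WRITE | AREA_EXEC) == NULL ? "yes" : "no");
    return 0;
}
```

The shared check is the whole point: with the policy in one function, there is no path by which a caller can reach an rwx area through two calls that it could not reach through one, which is the inconsistency the thread objects to.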