[Libreoffice-bugs] [Bug 115486] New: LibreOffice shouldn' t require writable and executable memory pages at the same time

[bugzilla-daemon]

https://bugs.documentfoundation.org/show_bug.cgi?id=115486

            Bug ID: 115486
           Summary: LibreOffice shouldn't require writable and executable
                    memory pages at the same time
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: LibreOffice
          Assignee: libreoffice-bugs@lists.freedesktop.org
          Reporter: hessnovth...@mail.com

Description:
https://stackoverflow.com/questions/48631646/why-does-libreoffice-wants-memory-pages-to-be-writable-and-executable-in-the-sam

OpenBSD has great features for Memory protection, ex.: W^X.

https://en.wikipedia.org/wiki/W^X

https://man.openbsd.org/mount

We can disable this function with the "wxallowed" mount point if a program
needs it, and sadly, LibreOffice needs the wxallowed on /usr/local/. 

See example here:
https://unix.stackexchange.com/questions/411405/libreoffice-soffice-oosplash-start-permission-denied-error

Steps to Reproduce:
1. Use a secure OS that can help security audits, ex.: OpenBSD
2. Remove the wxallowed flag from /usr/local to enable the W^X enforcing,
reboot
3. LibreOffice cannot start anymore, because it requires writable and
executable memory pages in the same time, see Wiki link, why is this dangerous:
https://en.wikipedia.org/wiki/W%5EX

Actual Results:  
LibreOffice is prone to memory bugs if it needs writable/executable memory
pages

Expected Results:
LibreOffice should run even with the remove wxallowed mount option. 


Reproducible: Always


User Profile Reset: No



Additional Info:
This is a security issue, please fix it with higher prio. 

Additional help from the forums: 

I'm not really sure but my guess is that LibreOffice is doing some dynamic
runtime linking of a shared object and it's mapping the whole address space
using one syscall with PROT_READ|PROT_WRITE|PROT_EXEC or alternatively PROT_ALL
which i have already seen somewhere on github. – Karim Manaouil

@KarimManaouil Probably here: 

https://github.com/LibreOffice/core/blob/b7c5ddcdd05ceba73acb1a298500892d6157f360/bridges/source/cpp_uno/shared/vtablefactory.cxx

It creates anonymous mapping with RWX access. – Ivan 


User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101
Firefox/58.0

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Libreoffice-bugs mailing list
Libreoffice-bugs@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs