On 13/05/2016 at 23:09, Martin Husemann wrote:
On Fri, May 13, 2016 at 05:42:55PM +0200, Maxime Villard wrote:
Initially, two chunks were mapped contiguously in both amd64 and i386:
  - text+rodata with RX permissions

Thanks for the detailed explanation.

What I still don't get is why you seem to think that an additional X
in the mapping for .rodata is so terrible - as long as there is no W
I don't see the additional attack vector you are trying to eliminate.

It's for general consistency. It is supposed to be only R, so there's no point
in giving it an additional X.

And it doesn't seem particularly unlikely to me that a driver somewhere could
store some read-only shellcode that is supposed to go into firmware or dynamic
memory at run-time. Making it non-executable reduces the attack surface,
especially if said shellcode then jumps into kernel code.


If the separate mapping just falls out from other cleanup/optimizations,
then of course it is fine and more correct. But out of gut feeling I
wouldn't have thought it to be important in any way (and other architectures
treat it as RX too, so should they take a hint from this?)


Yes, other architectures should take a hint from this. In fact, as NXR points
out, almost all architectures map rodata with RX.
