[Bug dynamic-link/31076] Extra struct vm_area_struct with ---p created when PAGE_SIZE < max-page-size

["kaleshsingh at google dot com" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=31076

--- Comment #15 from Kalesh Singh <kaleshsingh at google dot com> ---
(In reply to Adhemerval Zanella from comment #9)
> (In reply to Florian Weimer from comment #8)
> > (In reply to Adhemerval Zanella from comment #7)
> > > So the mprotect is essentially a hardening feature, assuming that the
> > > dynamic object padding/holes might contain gadgets.  It still does not
> > > happen for loader and main program itself, since normally they would be
> > > mapped by the kernel and its does do anything with holes,
> > 
> > There's no expectation that these are contiguous in memory, yes. Such an
> > expectation exists for shared objects loaded by glibc.
> 
> Right, but my point is if this is a hardening feature that glibc aims to
> provide it does not help if the kernel still does not provide it for the
> loader (if this is built with a different page size) and the main program
> itself. Should we push for kernel to implement a similar handling?
> 
> And the holes seem to be always from the initial read-only segment, which
> makes the whole gadget avoidance argument moot. This would make sense back
> when RELRO was not wildly used/deployed (even with the current somewhat
> broken status), but it still does not make much sense to me.
> 
> > 
> > > and IMHO it should
> > > up to the static linker to fill the padding with NOP/trap instruction to
> > > avoid such issues. 


Hi folks,

I was wondering if this is really a security feature or rather a result of how
the original VA space is reserved (split VMAs from the original mapping).

AIUI if the runtime-page-size equals the max-page-size, the holes are also
mapped in as part of the segment mapping and share the same permissions. Does
this mean that on such systems, any protection it offers becomes void?

Sorry if dumb questions (I'm not too familiar with this area)

Thanks,
Kalesh


> > 
> > That requires padding to the maximum page size on disk, though.
> 
> But this is what binutils does [1], and while not being optimized it seems
> that it would be somewhat hard to fix it (at least with Fangrui Song
> suggestion).
> 
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=30612

-- 
You are receiving this mail because:
You are on the CC list for the bug.