[LTP] [PATCH v2] mprotect04: Support execute-only page access permissions
Daniel Mentz
danielmentz@google.com
Thu Feb 21 21:43:48 CET 2019
On Thu, Feb 21, 2019 at 7:01 AM Will Deacon <will.deacon@arm.com> wrote:
> On Wed, Feb 20, 2019 at 03:59:57PM +0800, Li Wang wrote:
> > On Wed, Feb 20, 2019 at 8:21 AM Daniel Mentz <danielmentz@google.com>
> wrote:
> > No, execute-only page access permissions don't need any special
> > configuration. They have been introduced by the following commit:
> >
> > "arm64: Introduce execute-only page access permissions"
> >
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?
> > id=cab15ce604e550020bb7115b779013b91bcdbc21
> >
> > /proc//maps for my mprotect04 executable looks as follows:
> >
> > 6458f5e000-6458f62000 r--p 00000000 fd:06 11691
> /
> > data/local/tmp/mprotect04
> > 6458f62000-6458f67000 --xp 00004000 fd:06 11691
> /
> > data/local/tmp/mprotect04
> > 6458f67000-6458f6a000 rw-p 00009000 fd:06 11691
> /
> > data/local/tmp/mprotect04
> > 6458f6a000-6458f6d000 rw-p 00000000 00:00 0
> > 70c5cc0000-70c5d11000 ---p 00000000 00:00 0
> >
> > The notable difference are the access permissions of the second VMA
> which
> > are "--xp". In your case, the permissions were "r-xp", hence reading
> was
> > allowed in addition to execution. I should also note that most other
> > binaries on my device like /system/bin/sh don't have the execute-only
> > mapping "--xp". Instead, they only have an "r-xp" VMA like your
> mprotect04.
> > In the end, I couldn't find out why there's a difference. Objdump and
> > readelf both show that the respective segment is execute-only, but
> it's
> > somehow still mapped readable and executable:
> >
> >
> > Not sure if that's a issue or intentional in design, Cc'ing Deacon and
> Catalin
> > to have look.
>
> I suspect this depends on the flags that are emitted in the program header
> by your compiler. What does objdump -p say for your binary?
>
>
Not sure if this question was meant for Li or me.
On my system, the objdump output looks as follows:
$ objdump -p out/target/product/crosshatch/system/bin/sh
out/target/product/crosshatch/system/bin/sh: file format
elf64-littleaarch64
Program Header:
PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr
0x0000000000000040 align 2**3
filesz 0x0000000000000230 memsz 0x0000000000000230 flags r--
INTERP off 0x0000000000000270 vaddr 0x0000000000000270 paddr
0x0000000000000270 align 2**0
filesz 0x0000000000000015 memsz 0x0000000000000015 flags r--
LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr
0x0000000000000000 align 2**12
filesz 0x0000000000009f94 memsz 0x0000000000009f94 flags r--
LOAD off 0x000000000000a000 vaddr 0x000000000000a000 paddr
0x000000000000a000 align 2**12
filesz 0x000000000003a450 memsz 0x000000000003a450 flags --x
LOAD off 0x0000000000045000 vaddr 0x0000000000045000 paddr
0x0000000000045000 align 2**12
filesz 0x00000000000025f0 memsz 0x0000000000004cc8 flags rw-
DYNAMIC off 0x0000000000046e80 vaddr 0x0000000000046e80 paddr
0x0000000000046e80 align 2**3
filesz 0x0000000000000200 memsz 0x0000000000000200 flags rw-
RELRO off 0x0000000000046000 vaddr 0x0000000000046000 paddr
0x0000000000046000 align 2**0
filesz 0x00000000000015f0 memsz 0x0000000000002000 flags r--
EH_FRAME off 0x0000000000005498 vaddr 0x0000000000005498 paddr
0x0000000000005498 align 2**2
filesz 0x0000000000000d64 memsz 0x0000000000000d64 flags r--
STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr
0x0000000000000000 align 2**0
filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
NOTE off 0x0000000000000288 vaddr 0x0000000000000288 paddr
0x0000000000000288 align 2**2
filesz 0x0000000000000038 memsz 0x0000000000000038 flags r--
The second "LOAD" segment is defined with "flags --x". After looking at the
kernel source file fs/binfmt_elf.c, my understanding is that this should
translate into a VMA that is mapped execute-only. However, when looking at
/proc//maps, the corresponding VMA is mapped "read and execute". I couldn't
find out why there's a discrepancy. A different binary i.e. mprotect04
looked similar in "objdump -p", but its code segment got indeed mapped
execute-only. I currently don't have the objdump output for that binary,
but I can get it if needed. To conclude, I noticed that ELF segments marked
as "--x" are sometimes mapped execute-only and sometimes read-and-execute.
We are using an Android kernel based on Linux 4.9.153
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linux.it/pipermail/ltp/attachments/20190221/f501e654/attachment.html>
More information about the ltp
mailing list