
paxctl -z inconsistency?

PostPosted: Tue Aug 10, 2010 5:53 am
by Hugo Mildenberger
On an x86 P4 Gentoo system running 2.6.34-hardened-r1, configured not to emulate ELF trampolines, I wondered about the behaviour of paxctl -z. Why does EMUTRAMP change state after running paxctl -z?

Code:
echo "void main(){}" | gcc -x c - -o test
paxctl -v test
paxctl -z test
paxctl -v test


This script produces the following output:
    PaX control v0.5
    Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

    - PaX flags: -------x-e-- [test]
    RANDEXEC is disabled
    EMUTRAMP is disabled

    PaX control v0.5
    Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

    - PaX flags: -------x---- [test]
    RANDEXEC is disabled



Here is the PaX related kernel config
Code:
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

Re: paxctl -z inconsistency?

PostPosted: Fri Aug 13, 2010 6:29 am
by PaX Team
Hugo Mildenberger wrote:On an x86 P4 Gentoo system running 2.6.34-hardened-r1, configured not to emulate ELF trampolines, I wondered about the behaviour of paxctl -z. Why does EMUTRAMP change state after running paxctl -z?
-z should zero out all bits in the PT_PAX_FLAGS header, so the problem is actually not that EMUTRAMP has changed but that RANDEXEC has not. Since I couldn't reproduce this here, can you send me your paxctl binary please?

Re: paxctl -z inconsistency?

PostPosted: Sat Aug 14, 2010 3:07 pm
by Hugo Mildenberger
PaX Team wrote: -z should zero out all bits in the PT_PAX_FLAGS header, so the problem is actually not that EMUTRAMP has changed but that RANDEXEC has not. Since I couldn't reproduce this here, can you send me your paxctl binary please?


Will do. But then, if it was not the kernel as I thought before, what is setting defaults for these flags? ld? And RANDEXEC somehow interfering without the kernel actually supporting it could well explain a good part of the problems I see with gdb. Strange.

Re: paxctl -z inconsistency?

PostPosted: Sat Aug 14, 2010 7:30 pm
by spender
Hi Hugo,

The PaX flags on your binary aren't an inconsistency. The paxctl binary recognized that the binary you were clearing flags on was a PIE binary, so it disabled RANDEXEC as RANDEXEC would not be needed for a PIE binary. Here's the relevant code from paxctl:

Code:
    if (ehdr->e_type == ET_DYN) {
      phdr[pax_flags].p_flags &= ~((state->flags_off | PF_RANDEXEC) & (ElfW(Elf, _Word))~PF_NORANDEXEC);
      phdr[pax_flags].p_flags |= (state->flags_on | PF_NORANDEXEC) & (ElfW(Elf, _Word))~PF_RANDEXEC;
    } else {
      phdr[pax_flags].p_flags &= ~state->flags_off;
      phdr[pax_flags].p_flags |= state->flags_on;
    }


-Brad
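To see why -z on a PIE leaves exactly "-------x----" behind, here is a small Python model of the branch quoted above (an added example, not paxctl's own code). It uses the PF_* bit values and PT_PAX_FLAGS type from PaX's ELF header, reads the PT_PAX_FLAGS entry out of an ELF image, and renders the 12-character string paxctl -v prints; the ELF image it parses is a constructed header-only sample, not a real binary.

```python
import struct

# PT_PAX_FLAGS program header type and the PF_* bits paxctl stores in p_flags (PaX elf.h)
PT_PAX_FLAGS = 0x65041580
PF_RANDEXEC, PF_NORANDEXEC = 1 << 10, 1 << 11
ALL_PAX_BITS = 0xFFF0          # PAGEEXEC..NORANDMMAP: every bit paxctl -z turns off
ET_EXEC, ET_DYN = 2, 3
# paxctl -v prints bits 4..15 in this order: P p S s M m X x E e R r
DISPLAY = "PpSsMmXxEeRr"

def render(p_flags):
    """The 12-character string paxctl -v prints after '- PaX flags:'."""
    return "".join(c if p_flags & (1 << (4 + i)) else "-" for i, c in enumerate(DISPLAY))

def apply_flags(p_flags, e_type, flags_on, flags_off):
    """Mirror the ET_DYN / else branch of paxctl quoted above."""
    if e_type == ET_DYN:
        # a PIE never needs RANDEXEC: NORANDEXEC is forced on and RANDEXEC forced off
        p_flags &= ~((flags_off | PF_RANDEXEC) & ~PF_NORANDEXEC)
        p_flags |= (flags_on | PF_NORANDEXEC) & ~PF_RANDEXEC
    else:
        p_flags &= ~flags_off
        p_flags |= flags_on
    return p_flags & 0xFFFFFFFF

def zero_flags(p_flags, e_type):
    """paxctl -z: nothing turned on, every PaX bit requested off."""
    return apply_flags(p_flags, e_type, 0, ALL_PAX_BITS)

def read_pax_flags(elf):
    """Return (e_type, p_flags) of the PT_PAX_FLAGS header of a little-endian ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    cls64 = elf[4] == 2
    phoff = struct.unpack_from("<Q" if cls64 else "<I", elf, 32 if cls64 else 28)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 54 if cls64 else 42)
    flags_at = 4 if cls64 else 24      # offset of p_flags inside Elf64_Phdr / Elf32_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from("<I", elf, base)[0] == PT_PAX_FLAGS:
            return e_type, struct.unpack_from("<I", elf, base + flags_at)[0]
    return None

def fake_elf64(e_type, p_flags):
    """Constructed sample: a bare x86-64 ELF64 header plus one PT_PAX_FLAGS entry (not a real binary)."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
```

Starting from the 0x2800 word behind "-------x-e--" (NORANDEXEC and NOEMUTRAMP set), zero_flags on an ET_DYN image yields 0x800, which renders as "-------x----"; the same call on an ET_EXEC image yields 0.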