grsecurity forums


https://forums.grsecurity.net./

What does the "writable text segments" refer to in PaXTest?

https://forums.grsecurity.net./viewtopic.php?f=3&t=3700

Page 1 of 1

What does the "writable text segments" refer to in PaXTest?

PostPosted: Tue Aug 13, 2013 6:25 pm
by GBit
Code: Select all
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable

Code: Select all
Writable text segments                   : Vulnerable

Code: Select all
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 27 bits (guessed)
Shared library randomisation test        : 29 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 39 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 39 bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         :

Is this related to mprotect restrictions?

Re: What does the "writable text segments" refer to in PaXTe

PostPosted: Tue Aug 13, 2013 6:57 pm
by PaX Team
did you read the readme?

Re: What does the "writable text segments" refer to in PaXTe

PostPosted: Wed Aug 14, 2013 2:46 pm
by GBit
Somehow that didn't occur to me lol

When an attacker can overwrite code, he can basically alter the
program while it runs. This test tries to do that.


So how would I prevent this? I don't see that in the readme.

Re: What does the "writable text segments" refer to in PaXTe

PostPosted: Sat Aug 17, 2013 9:12 am
by PaX Team
you'll need MPROTECT but that will take some effort in userland because some apps are not compatible with it (mostly runtime codegen).

Re: What does the "writable text segments" refer to in PaXTe

PostPosted: Sat Aug 17, 2013 12:03 pm
by GBit
Yeah, unfortunately it breaks X11 for me among other things. Thanks for the help.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/