What does the "writable text segments" refer to in PaXTest?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

What does the "writable text segments" refer to in PaXTest?

Postby GBit » Tue Aug 13, 2013 6:25 pm

Code: Select all
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable

Code: Select all
Writable text segments                   : Vulnerable

Code: Select all
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 27 bits (guessed)
Shared library randomisation test        : 29 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 39 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 39 bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         :

Is this related to mprotect restrictions?
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: What does the "writable text segments" refer to in PaXTe

Postby PaX Team » Tue Aug 13, 2013 6:57 pm

did you read the readme?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: What does the "writable text segments" refer to in PaXTe

Postby GBit » Wed Aug 14, 2013 2:46 pm

Somehow that didn't occur to me lol

When an attacker can overwrite code, he can basically alter the
program while it runs. This test tries to do that.


So how would I prevent this? I don't see that in the readme.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: What does the "writable text segments" refer to in PaXTe

Postby PaX Team » Sat Aug 17, 2013 9:12 am

you'll need MPROTECT but that will take some effort in userland because some apps are not compatible with it (mostly runtime codegen).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: What does the "writable text segments" refer to in PaXTe

Postby GBit » Sat Aug 17, 2013 12:03 pm

Yeah, unfortunately it breaks X11 for me among other things. Thanks for the help.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm


Return to grsecurity support