Page MenuHomeFreeBSD
Differential D24933

implement W^X for mmap and mprotect
AbandonedPublic
Actions

Authored by emaste on May 20 2020, 6:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Oct 15, 2:40 AM
Unknown Object (File)
Oct 4 2024, 8:59 PM
Unknown Object (File)
Oct 1 2024, 6:42 PM
Unknown Object (File)
Oct 1 2024, 5:28 PM
Unknown Object (File)
Sep 29 2024, 2:20 AM
Unknown Object (File)
Sep 27 2024, 9:22 PM
Unknown Object (File)
Sep 26 2024, 2:06 AM
Unknown Object (File)
Sep 20 2024, 2:35 PM
View All 58 Files
Subscribers
cem
jhb
kd
kib
lwhsu
markj
mateusz_serveraptor.com
View All 9 Subscribers

Details

Reviewers
val_packett.cool
Summary

If sysctl vm.allow_wx = 0 then disallow prot with PROT_WRITE and PROT_EXECUTE both set, for mmap(2) and mprotect(2).

This is a naive implementation at the system call layer that enforces a restriction upon the application. We should move it at least one layer lower, but this can be used to identify and patch applications that create writable+executable mappings.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

emaste requested review of this revision.May 20 2020, 6:29 PM
emaste created this revision.
lwhsu added a subscriber: lwhsu.May 20 2020, 8:45 PM
kd added a subscriber: kd.May 21 2020, 3:30 PM
mateusz_serveraptor.com added a subscriber: mateusz_serveraptor.com.May 22 2020, 8:14 AM
val_packett.cool added a subscriber: val_packett.cool.Jun 8 2020, 1:34 PM
val_packett.cool added a comment.Sep 4 2020, 5:59 PM

So far, the only thing that doesn't work for me with W^X is GJS..

And looks like elfctl already has a NT_FREEBSD_FCTL_WXNEEDED flag, all that's needed is to store it in imgact_elf to some process-related location that could be accessed in these vm_mmap functions.

emaste updated this revision to Diff 76672.Sep 4 2020, 9:21 PM
emaste added subscribers: cem, jhb.

embiggen sysctl name as suggested by @cem and @jhb. "wx" might be taken to mean "W^X", i.e., that the sysctl enables the W xor X mode.

val_packett.cool commandeered this revision.Jan 4 2021, 5:02 PM
val_packett.cool updated this revision to Diff 81633.
val_packett.cool added a reviewer: emaste.

Added flag check (NT_FREEBSD_FCTL_WXNEEDED)

val_packett.cool mentioned this in D27953: rtld: When relocating, map without PROT_EXEC.Jan 4 2021, 5:44 PM
val_packett.cool added a child revision: D27953: rtld: When relocating, map without PROT_EXEC.
emaste added a subscriber: kib.Jan 4 2021, 7:04 PM
cem added inline comments.Jan 4 2021, 7:14 PM
sys/vm/vm_mmap.c
110–111

Probably just bool/SYSCTL_BOOL now.

kib added a comment.Jan 4 2021, 7:30 PM

syscall is the wrong level of supporting this stuff. It should be done somewhere in vm_map.c to catch all cases of mappings. In particular, a lot of drivers can do that.

sys/vm/vm_mmap.c
111

I would name it allow_wx or allow_wx_mappings, proposed name is impossible to type without autocompletion.

mw added a subscriber: mw.Jan 5 2021, 8:54 AM
markj added a subscriber: markj.Jan 8 2021, 4:32 PM
emaste edited the summary of this revision. (Show Details)Jan 8 2021, 7:04 PM
emaste commandeered this revision.Jan 8 2021, 7:07 PM
emaste updated this revision to Diff 81905.
emaste edited reviewers, added: val_packett.cool; removed: emaste.
emaste removed a subscriber: markj.
emaste added a subscriber: markj.
  • add flag check (NT_FREEBSD_FCTL_WXNEEDED) from Greg V
  • rename allow_wx per kib
  • bool per cem
jhb added a comment.Jan 8 2021, 10:07 PM

For mmap I think vm_mmap_object might the the right layer to do this that would catch all the cases @kib is worried about, and I think it just means moving the added lines there. mprotect() is probably fine as-is in this patch?

Have you written any tests for this? Those would be great to have and shouldn't be too hard to come up with?

kib mentioned this in D28050: Implement enforcing write XOR execute mapping policy..Jan 8 2021, 10:47 PM

See D28050

emaste abandoned this revision.Jan 10 2021, 3:48 PM

D28050 instead

Revision Contents
Changeset List

PathSize
sys/
vm/
16 lines

Diff 81633

View Options

sys/vm/vm_mmap.c

Loading...