Re: [Qemu-devel] [PATCH] oslib-posix: New qemu_alloc_stack() to allocate stack with correct perms

From: Richard Henderson
Subject: Re: [Qemu-devel] [PATCH] oslib-posix: New qemu_alloc_stack() to allocate stack with correct perms
Date: Fri, 17 Jun 2016 09:12:16 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0
On 06/17/2016 07:11 AM, Peter Maydell wrote:
> Some architectures require the stack to be executable; notably
> this includes MIPS, because the kernel's floating point emulator
> may try to put trampoline code on the stack to handle some cases.
> (See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815409
> for an example of this causing QEMU to crash.)
>
> Create a utility function qemu_alloc_stack() which allocates a
> block of memory for use as a stack with the correct permissions.
> Since we would prefer to make the stack non-executable if we can
> as a defence against code execution exploits, we detect whether
> the existing stack is mapped executable. Unfortunately this
> requires us to grovel through /proc/self/maps to determine the
> permissions on it.
>
> Signed-off-by: Peter Maydell <address@hidden>
> ---
> This method of figuring out the correct perms for the stack is
> not exactly pretty; better suggestions welcome.
>
> NB that this utility function also gives us a handy place to put
> code for allocating a guard page at the bottom of the stack, or
> mapping it as MAP_GROWSDOWN, or whatever.
...
> + /* Some architectures (notably MIPS) require an executable stack, but
> + * we would prefer to avoid making the stack executable unnecessarily,
> + * to defend against code execution exploits.
> + * Check whether the current stack is executable, and follow its lead.
> + * Unfortunately to do this we have to wade through /proc/self/maps
> + * looking for the stack memory. We default to assuming we need an
> + * executable stack and remove the permission only if we can successfully
> + * confirm that non-executable is OK.
> + */
> +
> + prot = PROT_READ | PROT_WRITE | PROT_EXEC;
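Review bot: `prot = PROT_READ | PROT_WRITE | PROT_EXEC;` is the fail-open side of this decision: any outcome of the /proc/self/maps scan other than a confirmed non-executable stack (an unreadable or hidden /proc, a format change, a parse slip) silently gives the new stack PROT_EXEC, and nothing in the hunk reports that the non-executable path was lost. Consider at least a warning when the scan is inconclusive, and since the comment ties the requirement to the host architecture (MIPS), a build-time architecture test would fail closed on every other host instead of depending on a runtime parse. Minor: the blank `+` line between the comment block and the assignment separates the comment from the statement it describes.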
...
> +#else
> +static int stack_prot(void)
> +{
> + /* Assume an executable stack is needed, since we can't detect it. */
> + return PROT_READ | PROT_WRITE | PROT_EXEC;
> +}
> +#endif
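Review bot: the `#else` branch returns `PROT_READ | PROT_WRITE | PROT_EXEC` for every host without the /proc/self/maps path, so non-Linux hosts on architectures with no known need for an executable stack lose the non-executable default the commit message says is preferred. Since the only stated need is MIPS, gating the executable flag on the host architecture (or on PT_GNU_STACK via the loader where it is available) and returning `PROT_READ | PROT_WRITE` otherwise keeps the safe default wherever the exception does not apply; the comment should also say which hosts reach this fallback.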
What about using dl_iterate_phdr, looking for PT_GNU_STACK?
That interface is present on a few other hosts besides Linux.
But really this is a place that I'd much rather fall back to an ifdef ladder
than assume executable permission is required.
r~
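As an added illustration of the dl_iterate_phdr approach suggested above (example code written for this page, not QEMU's qemu_alloc_stack() or the patch under review): each loaded object's PT_GNU_STACK header is inspected and the stack is made executable only if some object asks for PF_X, or if no object carries the header at all, which is the same executable default the patch starts from. The names stack_query, phdr_cb, prot_from_query and stack_prot_from_phdrs are assumed helpers of this example.

```c
#define _GNU_SOURCE   /* glibc gates dl_iterate_phdr behind this */
#include <elf.h>
#include <link.h>
#include <sys/mman.h>

struct stack_query {  /* scan result; assumed helper type, not QEMU's */
    int found;        /* some loaded object carried a PT_GNU_STACK header */
    int exec_needed;  /* and at least one of them has PF_X set */
};

/* dl_iterate_phdr callback: every loaded object (exe and libs) gets a vote. */
static int phdr_cb(struct dl_phdr_info *info, size_t size, void *data)
{
    struct stack_query *q = data;
    (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_GNU_STACK)
            continue;
        q->found = 1;
        if (ph->p_flags & PF_X)
            q->exec_needed = 1;
    }
    return 0;  /* 0 = keep iterating */
}

/* Executable only if some object asks for it, or if no header said anything
 * (the kernel itself treats a missing PT_GNU_STACK as "executable stack"). */
int prot_from_query(const struct stack_query *q)
{
    if (!q->found || q->exec_needed)
        return PROT_READ | PROT_WRITE | PROT_EXEC;
    return PROT_READ | PROT_WRITE;
}

/* mmap protection to use for a freshly allocated stack in this process. */
int stack_prot_from_phdrs(void)
{
    struct stack_query q = { 0, 0 };
    dl_iterate_phdr(phdr_cb, &q);
    return prot_from_query(&q);
}
```

On a typical x86_64 Linux build the scan finds a non-executable PT_GNU_STACK in every object and returns PROT_READ | PROT_WRITE; a single object linked with an executable-stack marker flips the whole process to PROT_EXEC, which is also what the kernel does for the main stack.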