Stack-Smash Protector

Ian Molton spyro at f2s.com
Mon Sep 30 14:06:58 PDT 2002


On Mon, 30 Sep 2002 19:34:10 +0000 (UTC)
ivo at primerelay.net (Ivo Bitter) wrote:

> > I wonder if it's possible to disable that in the kernel. Shouldn't be
> > hard, even if there is no option...
> 
> The grsecurity patch (see www.grsecurity.net) has a non-executable
> stack option. I think the openwall patches have something similar for
> 2.2 kernels.

Erk. The cure sounds worse than the disease...

Quote below from the patch...

+  This will also break programs that rely on the old behaviour and
+  expect that dynamically allocated memory via the malloc() family
+  of functions is executable (which it is not).  Notable examples
+  are the XFree86 4.x server, the java runtime and wine.
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis.  chpax is available at
+  <http://pageexec.virtualave.net>
+
+Paging based non-executable pages
+CONFIG_GRKERNSEC_PAX_PAGEEXEC
+  This implementation is based on the paging feature of the CPU
+  and has a variable performance impact on applications depending
+  on their memory usage pattern.  You should carefully evaluate
+  your applications before using this feature in production.
+
+Segmentation based non-executable pages
+CONFIG_GRKERNSEC_PAX_SEGMEXEC
+  This implementation is based on the segmentation feature of the
+  CPU and has little performance impact, however applications will
+  be limited to a 1.5 GB address space instead of the normal 3 GB.
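Review bot: the parenthetical "(which it is not)" in the first paragraph is ambiguous next to "rely on the old behaviour": it reads as if malloc()'d memory was never executable, whereas the sentence is describing what changes once the option is enabled. Suggest "(which it no longer is with this option enabled)". Also, the NOTE about 'chpax' refers to "this feature" before the two implementations are introduced; stating that the per-file toggle applies to both CONFIG_GRKERNSEC_PAX_PAGEEXEC and CONFIG_GRKERNSEC_PAX_SEGMEXEC, if that is the case, would save the reader from guessing which option it controls.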
More information about the lfs-security mailing list