From: Ingo Molnar <mingo@redhat.com>
To: linux-kernel@vger.kernel.org
Subject: [patch] exec-shield-2.4.21-rc1-C5
Date: Mon, 5 May 2003 12:20:21 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.44.0305050632590.552-100000@devserv.devel.redhat.com> (raw)
In-Reply-To: <Pine.LNX.4.44.0305021217090.17548-100000@devserv.devel.redhat.com>
a new (-C5) release of the exec-shield patch can be found at:
http://redhat.com/~mingo/exec-shield/exec-shield-2.4.21-rc1-C5
Changes since -B6:
- removed the X_workaround - chstk can be used for equivalent
functionality. (issue raised by Yoav Weiss)
- increase SHLIB_BASE from 1MB to 1MB + 64KB, suggested by Alexandre
Julliard, to fix DOS loaders.
- fix Pentium/i386 compilation failure in fault.c. (reported by Johannes
Walch)
- fix signal return bug, found by pageexec@freemail.hu.
- shared library address randomization, both within and outside the
ASCII-shield. This should make remote attacks a little bit more
difficult.
- process stack randomization. A number of other patches did this as
well, it generally helps. (There's no memory wasted because the stack
area left out will simply not be paged in.)
- turn off shlib relocation if the stack is executable. This is needed
for Wine, qemu and other apps that need the low memory range.
- do not show the wchan field of non-owned processes, and do not show the
maps file either. This should make it a little bit harder to guess
library locations for local attackers.
most of the new stuff in this patch (randomization, information filtering)
has been done in other patches as well (such as PaX, grsecurity, non-exec
stack patch, etc.) - i tried to filter out and add the ones that matter
most, do not introduce constraints and are thus uncontroversial.
bug reports, suggestions welcome.
Ingo
prev parent reply other threads:[~2003-05-05 16:07 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-05-02 16:37 [Announcement] "Exec Shield", new Linux security feature Ingo Molnar
2003-05-02 17:05 ` Matthias Andree
2003-05-02 17:12 ` Marc-Christian Petersen
2003-05-02 17:12 ` Davide Libenzi
2003-05-02 17:18 ` Arjan van de Ven
2003-05-02 17:32 ` Ingo Molnar
2003-05-02 18:29 ` John Bradford
2003-05-02 18:32 ` H. Peter Anvin
2003-05-02 19:09 ` David Mosberger
2003-05-02 18:51 ` Davide Libenzi
[not found] ` <20030502172011$0947@gated-at.bofh.it>
2003-05-02 18:17 ` Florian Weimer
2003-05-02 18:29 ` Davide Libenzi
2003-05-02 18:32 ` Florian Weimer
2003-05-02 18:50 ` Davide Libenzi
2003-05-02 21:48 ` Carl-Daniel Hailfinger
2003-05-03 6:52 ` Ingo Molnar
2003-05-03 9:56 ` Carl-Daniel Hailfinger
2003-05-03 12:48 ` Arjan van de Ven
2003-05-04 6:52 ` Calin A. Culianu
2003-05-04 8:10 ` Ingo Molnar
2003-05-04 8:52 ` Ingo Molnar
2003-05-04 15:40 ` Calin A. Culianu
2003-05-04 15:48 ` Sean Neakums
2003-05-04 15:23 ` Calin A. Culianu
2003-05-04 20:07 ` H. Peter Anvin
2003-05-04 20:57 ` Kasper Dupont
2003-05-05 16:20 ` Ingo Molnar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.44.0305050632590.552-100000@devserv.devel.redhat.com \
--to=mingo@redhat.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).