Why in mmap PROT_READ equals PROT_EXEC


Question

I tried to allocate some memory pages with read-only access using the mmap function. I printed /proc/self/maps to check if the memory protection was working. It showed like this even though the protection argument of mmap was PROT_READ:

 7fec0c585000-7fec0c785000 r-xp 00000000 00:00 0

That means that when I ask the kernel to allocate some read-only memory pages, it also marks them as executable.

I did some other tests and I realized that when I ask for write-only pages, PROT_WRITE without PROT_READ, the output of the maps file is like this:

7fec0c585000-7fec0c785000 -w-p 00000000 00:00 0 

That means that, apart from the previous example, PROT_READ is equivalent to PROT_EXEC.

Calling mmap with both PROT_WRITE|PROT_READ enables execution too.

I would like to know whether there is a way to map memory pages as read-only and non-executable, or as read-write but not executable?

Information of the computer where the tests were run:

  1. Linux Arch 4.1.6-1-ARCH #1 SMP PREEMPT Mon Aug 17 08:52:28 CEST 2015 x86_64 GNU/Linux

  2. Intel Core i5-2310, x86_64

Recommended answer

After doing some research I realized that Linux only activates memory protection when a GNU_STACK program header is included in the ELF program headers. By memory protection I mean the use of the NX bit of the processor, so memory pages can be marked as not executable.

From what I understand, the GNU_STACK program header is designed to tell the kernel that you want some specific properties for the stack; one of those properties is a non-executable stack. It appears that if you don't explicitly ask for a non-executable stack, all the ELF sections marked as readable will be executable too. And also all the memory mappings made with mmap will have the same behavior.

Sadly there is not enough documentation on what GNU_STACK does, and the documentation of mmap doesn't specify its connection with GNU_STACK to enable execute protection.

References:

https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
