[Libreoffice-bugs] [Bug 134003] New: Vtablefactory violates W^X security principle

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Mon Jun 15 15:40:24 UTC 2020


https://bugs.documentfoundation.org/show_bug.cgi?id=134003

            Bug ID: 134003
           Summary: Vtablefactory violates W^X security principle
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: framework
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: libre at halobates.de

(not sure if this is the right component)


W^X is a security principle that means that applications should never have
pages that are both writable and executable. Not having that makes it harder
to write exploits because they cannot inject their own code.

See also https://en.wikipedia.org/wiki/W%5EX

I was looking for applications that violated that, and LibreOffice processes
always have a few rwx pages.

(grep rwx /proc/$PID/maps)

Some debugging with gdb found:

#0  0x00007ffff44378b0 in mprotect () at /lib64/libc.so.6
#1  0x00007ffff0872db1 in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#2  0x00007ffff456919c in rtl_arena_alloc () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#3  0x00007ffff0872fb3 in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#4  0x00007ffff0873546 in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#5  0x00007ffff0873a7e in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#6  0x00007ffff08749fb in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#7  0x00007ffff0871d7f in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#8  0x00007ffff26f03c2 in cppu::throwException(com::sun::star::uno::Any const&) () at /usr/lib64/libreoffice/program/libuno_cppuhelpergcc3.so.3
#9  0x00007ffff68e74ab in ucbhelper::cancelCommandExecution(com::sun::star::ucb::IOErrorCode, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandProcessor> const&) () at /usr/lib64/libreoffice/program/libmergedlo.so


Looking at the code I found allocExec()

https://github.com/LibreOffice/core/blob/2c366aae9263dc4115b054fe74b90cabea61fa0b/bridges/source/cpp_uno/shared/vtablefactory.cxx#L60

I guess the interface should be changed to either write to the vtable or
execute it, but not both at the same time.

-- 
You are receiving this mail because:
You are the assignee for the bug.
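
The "write or execute, but not both" interface suggested in the report, sketched as an added example that is not part of the original report and is not LibreOffice code. The helper names (perms_at, code_page_new, code_page_seal, code_page_unseal) are hypothetical, the written bytes are a constructed placeholder that is never executed, and the check assumes Linux with /proc/self/maps, the same file the report greps.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the permission field ("rw-p", "r-xp", ...) of the mapping that
 * contains addr into out. Returns 0 if found, -1 otherwise. */
int perms_at(const void *addr, char out[5])
{
    char line[4400], perms[5];
    unsigned long lo, hi, a = (unsigned long)addr;
    FILE *f = fopen("/proc/self/maps", "r");
    int rc = -1;
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi) {
            strcpy(out, perms);
            rc = 0;
        }
    fclose(f);
    return rc;
}

/* Hypothetical helper: one anonymous page, writable but NOT executable. */
void *code_page_new(size_t *len)
{
    *len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, *len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Seal after writing: drop write, gain execute (rw- -> r-x). */
int code_page_seal(void *p, size_t len)   { return mprotect(p, len, PROT_READ | PROT_EXEC); }
/* Reopen for patching: drop execute, gain write (r-x -> rw-). */
int code_page_unseal(void *p, size_t len) { return mprotect(p, len, PROT_READ | PROT_WRITE); }

int main(void)
{
    size_t len; char perms[5] = "";
    void *p = code_page_new(&len);
    if (!p) return 1;
    memset(p, 0, 4);          perms_at(p, perms); printf("filling:  %s\n", perms);
    code_page_seal(p, len);   perms_at(p, perms); printf("sealed:   %s\n", perms);
    code_page_unseal(p, len); perms_at(p, perms); printf("patching: %s\n", perms);
    return munmap(p, len);
}
```

At no point does the page show up as rwx in /proc/self/maps. While the page is unsealed for patching it is not executable, so callers on other threads must be kept out of it until it is sealed again.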