[Libreoffice-bugs] [Bug 134003] Vtablefactory violates W^X security principle

bugzilla-daemon at bugs.documentfoundation.org
Tue Jun 16 14:30:03 UTC 2020


https://bugs.documentfoundation.org/show_bug.cgi?id=134003

--- Comment #3 from Andi Kleen <libre at halobates.de> ---
> You do not state your operating system or the provenance of your LibreOffice  
> installation at /usr/lib64/libreoffice/.  I'll assume some Linux distribution.
> (Or, for that matter, any other environment that defines USE_DOUBLE_MMAP in   
> bridges/inc/vtablefactory.hxx.)                                               

It was a recent opensuse version.

libreoffice-6.4.4.2-1.1.x86_64

> The behavior you observe is a consequence of
> <https://git.libreoffice.org/core/+/8b9968a26265facaf5e761485d750ce9cedab3ab%5E!/>
> "fdo#72755: Only use double mmap as fallback" fixing bug 72755.  The code now
> first tries to create an anonymous memory area that is both writeable and
> executable, and only if that fails (because it is prohibited by the system's
> security settings) does it fall back to a shared memory area that is mmap'ed
> once as writeable and once as executable.

Well you shouldn't need a tmp file in any case. The protections
have nothing to do with that.

Just use normal anonymous memory, but mprotect it only to writable (but not
executable) when you're actually writing, and then set it back to
executable-but-not-writable again. That's how the standard dynamic linker
handles PLTs.

Of course you have to take care of multi threading races, but I assume you'll
need that anyways for any safe vtable patching.
