<html>
    <head>
      <base href="https://bugs.documentfoundation.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_UNCONFIRMED "
   title="UNCONFIRMED - Vtablefactory violates W^X security principle"
   href="https://bugs.documentfoundation.org/show_bug.cgi?id=134003">134003</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Vtablefactory violates W^X security principle
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>LibreOffice
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>UNCONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>framework
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>libreoffice-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>libre@halobates.de
          </td>
        </tr></table>
      <p>
        <div>
        <pre>(not sure if this is the right component)


W^X is a security principle that means that applications should never have
pages that are both writable and executable. Not having that makes it harder
to write exploits because they cannot inject their own code.

See also <a href="https://en.wikipedia.org/wiki/W%5EX">https://en.wikipedia.org/wiki/W%5EX</a>

I was looking for applications that violated that, and LibreOffice processes
always have a few rwx pages.

(grep rwx /proc/$PID/maps)

Some debugging with gdb found:

#0  0x00007ffff44378b0 in mprotect () at /lib64/libc.so.6
#1  0x00007ffff0872db1 in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#2  0x00007ffff456919c in rtl_arena_alloc () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#3  0x00007ffff0872fb3 in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#4  0x00007ffff0873546 in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#5  0x00007ffff0873a7e in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#6  0x00007ffff08749fb in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#7  0x00007ffff0871d7f in  () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#8  0x00007ffff26f03c2 in cppu::throwException(com::sun::star::uno::Any const&amp;) () at /usr/lib64/libreoffice/program/libuno_cppuhelpergcc3.so.3
#9  0x00007ffff68e74ab in ucbhelper::cancelCommandExecution(com::sun::star::ucb::IOErrorCode, com::sun::star::uno::Sequence&lt;com::sun::star::uno::Any&gt; const&amp;, com::sun::star::uno::Reference&lt;com::sun::star::ucb::XCommandEnvironment&gt; const&amp;, rtl::OUString const&amp;, com::sun::star::uno::Reference&lt;com::sun::star::ucb::XCommandProcessor&gt; const&amp;) () at /usr/lib64/libreoffice/program/libmergedlo.so


Looking at the code I found allocExec()

<a href="https://github.com/LibreOffice/core/blob/2c366aae9263dc4115b054fe74b90cabea61fa0b/bridges/source/cpp_uno/shared/vtablefactory.cxx#L60">https://github.com/LibreOffice/core/blob/2c366aae9263dc4115b054fe74b90cabea61fa0b/bridges/source/cpp_uno/shared/vtablefactory.cxx#L60</a>

I guess the interface should be changed to either write to the vtable or
execute it, but not both at the same time.</pre>
        </div>
      </p>
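      <p>Added example, not part of the bug report or of LibreOffice's code: a field-aware version of the <code>grep rwx /proc/$PID/maps</code> check from the report. It tests only the permissions column, so it also catches write+execute mappings that lack read permission and ignores paths that merely contain "rwx". The sample listing is constructed, and the function names are this example's own.</p>
<pre>
```python
import sys

# Constructed sample in /proc/PID/maps format (not taken from the bug report).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a01000 r-xp 00000000 08:01 1311 /opt/demo/bin/app
55d0c8c00000-55d0c8c01000 rw-p 00000000 08:01 1311 /opt/demo/bin/app
7f10a4000000-7f10a4002000 rwxp 00000000 00:00 0
7f10a5000000-7f10a5001000 -wxs 00000000 00:05 77 /dev/shm/demo (deleted)
7f10a6000000-7f10a6003000 r--p 00000000 08:01 2001 /opt/demo/share/rwx-notes.txt
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
"""


def find_wx_mappings(maps_text):
    """Return one dict per mapping that is both writable and executable."""
    findings = []
    for line in maps_text.splitlines():
        # Columns: address perms offset dev inode [pathname].
        # The pathname is optional and may contain spaces, so split 5 times at most.
        fields = line.split(None, 5)
        if len(fields) not in (5, 6):
            continue  # not a maps line
        addr, perms = fields[0], fields[1]
        if "w" not in perms or "x" not in perms:
            continue  # mapping respects W^X
        start, _, end = addr.partition("-")
        findings.append({
            "range": addr,
            "perms": perms,
            "size": int(end, 16) - int(start, 16),
            "backing": fields[5].strip() if len(fields) == 6 else "[anonymous]",
        })
    return findings


def audit_pid(pid):
    """Audit a live process; needs permission to read /proc/PID/maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx_mappings(fh.read())


if __name__ == "__main__":
    # With a PID argument audit that process, otherwise the constructed sample.
    hits = audit_pid(sys.argv[1]) if len(sys.argv) == 2 else find_wx_mappings(SAMPLE_MAPS)
    for m in hits:
        print(f"{m['range']} {m['perms']} {m['size']} bytes {m['backing']}")
    sys.exit(1 if hits else 0)
```
</pre>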


    </body>
</html>