On 29 Jan 2016 at 16:44, Alessandro Di Federico wrote:

> On Thu, 28 Jan 2016 02:49:46 +0100
> "PaX Team" <pagee...@freemail.hu> wrote:
>
> > because it's a useless security measure. for a non-executable .rodata
> > section to make any sense, the following condition would have to hold:
> >
> > a bug (or set of bugs) is exploitable if and only if .rodata is
> > executable.
> >
> > nobody has ever shown that there exists such a bug (or set of bugs)
> > and in fact there's ample evidence that already executable code
> > contains all the necessary gadgets an exploit would need.
>
> With a dirty one-liner run in my `/usr/bin` I've found 956 MiB of .text
> and 444 MiB of .rodata, this means about a third of the opportunities
> of finding the right gadget.

all that is irrelevant i'm afraid. what matters is the simple condition
above. do you know of any bugs that satisfy it? you see, you're asking
for a change that has non-zero costs and for all we know, zero benefits.

> Take a look at the following `readelf -l` of a `--rosegment` hello world
> program:
>
> Program Headers:
>   Type   Offset   VirtAddr           FileSiz  MemSiz   Flg Align
>   LOAD   0x000000 0x0000000000400000 0x00040d 0x00040d R E 0x1000
>   LOAD   0x000410 0x0000000000401410 0x000318 0x000318 R   0x1000
>   LOAD   0x000728 0x0000000000402728 0x000228 0x000229 RW  0x1000
>
> The wasted disk space is practically zero, for a useless hello world.

what is it for real apps? what is it when you page align section data
that go into different segments? what fits in a single physical page
above would end up in 2 or 3 pages, a 100% or 200% overhead if you
really want to play this silly game. but before you care about the costs
of --rosegment you should take a step back and demonstrate its non-zero
benefits.

> and there are 0x410 wasted bytes of memory due to `--rosegment` (the second
> `PT_LOAD` is mapped at 0x401410), in addition to the 0x728 which are wasted
> due to the RW segment.

there's nothing wasted here, quite the opposite in fact, the linker was
smart enough to pull 3 segments into one physical page which minimizes
page cache waste on the kernel side and disk block usage on the
filesystem side.

> This means that `--rosegment` is a fully effective countermeasure only
> if the `+x` segment is 0x1000 bytes large.

you have yet to demonstrate that it's a countermeasure against anything ;).
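The two measurements argued over in this exchange (the .text versus .rodata byte counts that stand in for gadget surface, and the page cost of the extra PT_LOAD that `--rosegment` introduces) can be taken straight from ELF headers. The following is an added example written for this page, not code from the thread or from the PaX project, and it does not reproduce Alessandro's one-liner, which the thread never shows. It is a small ELF64 header parser; the sample image it builds is constructed to mirror the three PT_LOAD entries of the quoted `readelf -l` output, and a real binary can be analysed by passing its path as the first argument. Section bodies in the sample are not materialised, since only the headers matter for the measurement.

```python
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
PAGE = 0x1000  # the p_align of every segment in the quoted readelf output

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr


def parse_elf64(data):
    """Return (program headers as dicts, {section name: sh_size}) from raw ELF64 bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    keys = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    phdrs = [dict(zip(keys, PHDR.unpack_from(data, phoff + i * phentsize)))
             for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]   # .shstrtab
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh in shdrs[1:]:  # index 0 is the mandatory null section
        sections[strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()] = sh[5]
    return phdrs, sections


def flags_str(flags):
    """Render p_flags the way readelf -l prints them ("R E", "R  ", "RW ")."""
    return "".join(ch if flags & bit else " "
                   for ch, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def loads(phdrs):
    return [p for p in phdrs if p["type"] == PT_LOAD and p["filesz"]]


def file_pages(phdrs, page=PAGE):
    """Distinct file pages touched by the PT_LOAD segments as the linker laid them out."""
    pages = set()
    for p in loads(phdrs):
        first, last = p["offset"] // page, (p["offset"] + p["filesz"] - 1) // page
        pages.update(range(first, last + 1))
    return len(pages)


def file_pages_if_each_aligned(phdrs, page=PAGE):
    """File pages needed if every PT_LOAD were forced to start on its own page boundary."""
    return sum((p["filesz"] + page - 1) // page for p in loads(phdrs))


def mapped_slack(phdrs, page=PAGE):
    """Bytes of each segment's first virtual page that lie below p_vaddr
    (the 0x410 and 0x728 figures the thread counts as waste)."""
    return [p["vaddr"] % page for p in loads(phdrs)]


def report(data, page=PAGE):
    """Section byte counts plus the page cost of the actual versus a page-aligned layout."""
    phdrs, sections = parse_elf64(data)
    return {
        "text": sections.get(".text", 0),
        "rodata": sections.get(".rodata", 0),
        "segments": [flags_str(p["flags"]) for p in loads(phdrs)],
        "file_pages": file_pages(phdrs, page),
        "file_pages_if_aligned": file_pages_if_each_aligned(phdrs, page),
        "mapped_slack": mapped_slack(phdrs, page),
    }


def build_sample_elf():
    """Constructed sample (not a real binary): an ELF64 whose three PT_LOAD entries
    copy the quoted readelf output; section sizes below are made-up but plausible."""
    segs = [  # p_flags, p_offset, p_vaddr, p_filesz, p_memsz
        (PF_R | PF_X, 0x000000, 0x400000, 0x40d, 0x40d),
        (PF_R,        0x000410, 0x401410, 0x318, 0x318),
        (PF_R | PF_W, 0x000728, 0x402728, 0x228, 0x229),
    ]
    phdrs = b"".join(PHDR.pack(PT_LOAD, f, off, va, va, fsz, msz, PAGE)
                     for f, off, va, fsz, msz in segs)
    shstrtab = b"\0.text\0.rodata\0.data\0.shstrtab\0"
    str_off = EHDR.size + len(phdrs)
    shoff = (str_off + len(shstrtab) + 7) & ~7

    def sh(name, typ, flags, addr, off, size, align):
        return SHDR.pack(shstrtab.index(name.encode() + b"\0"), typ, flags,
                         addr, off, size, 0, 0, align, 0)

    shdrs = (bytes(SHDR.size)  # null section
             + sh(".text",     1, 0x6, 0x400200, 0x200, 0x200, 16)
             + sh(".rodata",   1, 0x2, 0x401418, 0x418, 0x300, 16)
             + sh(".data",     1, 0x3, 0x402728, 0x728, 0x028, 8)
             + sh(".shstrtab", 3, 0x0, 0, str_off, len(shstrtab), 1))
    ehdr = EHDR.pack(b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8), 2, 0x3e, 1, 0x400200,
                     EHDR.size, shoff, 0, EHDR.size, PHDR.size, len(segs), SHDR.size, 5, 4)
    body = ehdr + phdrs + shstrtab
    return body + bytes(shoff - len(body)) + shdrs


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in report(image).items():
        print(f"{key:>22}: {value}")
```

On the quoted layout this reports one file page in use versus three if each segment began on its own page, which is the 200% figure in the reply, and the 0x410 and 0x728 values show up as virtual slack below the second and third `p_vaddr`, which is what the other side counts as waste; the disagreement in the thread is about how to weigh exactly these two numbers. Summing `text` and `rodata` over a directory is a loop over `report()` per file.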