Re: Preview: portable dumper
From: Daniel Colascione <dancol-AT-dancol.org>
To: Paul Eggert <eggert-AT-cs.ucla.edu>
Subject: Re: Preview: portable dumper
Date: Tue, 29 Nov 2016 13:50:26 -0800
Message-ID: <r025oa0y6jml.fsf@dancol.org>
Cc: emacs-devel-AT-gnu.org
On Tue, Nov 29 2016, Paul Eggert wrote:

> On 11/29/2016 01:19 PM, Daniel Colascione wrote:
>> Even *with* a PIC Emacs (which I hope is the default, because ASLR
>> greatly improves security), we can get these savings if
>> mmap(BASE_ADDRESS_STORED_IN_DUMP, ...) succeeds and we can map the dump
>> where we want. If we can't map the dump where we want, we'll just
>> relocate it.
>
> Although your other advantages sound good, this one sounds
> worrisome. If Emacs maps the dump to the same place every time, we are
> giving up ASLR for the dump itself, and won't that pose a potential
> security risk? If so, perhaps it would be better to not mmap to the
> base address stored in the dump (unless we can determine that ASLR is
> not in use, I suppose).

The Emacs dump isn't PROT_EXEC though. It's pure* data, and this difference diminishes the risk considerably, I think. I'd at least like to make this behavior a user option.

* We do store function pointers in the dump, and an attacker could theoretically overwrite one of these to point where she wanted --- but with all PROT_EXEC code in the process being randomized, where would she point the function pointer that's under her control?