noexec doesn't apply on 32-bit AMD64
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-source-2.6.19 (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: linux-source-2.6.19
The Linux kernel is supposed to enforce PROT_EXEC properly by default on any system with a hardware NX bit. The Athlon 64 has such a hardware bit; but it is not enforcing it.
I'm running on an Athlon 64 in 32-bit mode, running 32-bit Ubuntu with kernel 2.6.19 (mostly Feisty). Apparently, 'noexec=on' on the kernel command line does nothing; the NX bit seems to not work. This is contradictory with the kernel Documentation.
Chunk of my /proc/cpuinfo showing NX capability:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext lm 3dnowext 3dnow up ts fid vid ttp
I will attach a test program that attempts to disable PROT_EXEC for a page of memory containing (I believe) the entry point of a function. It's compiled as such:
$ gcc -O2 -shared -fpic test_so.c -o test_so.so
$ gcc -O2 test.c -o test -ldl
Running it on AMD64-ubuntu gives the following output:
$ ./test
Test function run successfully!
Segmentation fault
This is good; I tried to execute non-executable memory, and it segfaulted. However, 32-bit Ubuntu on the Athlon64 gives the following:
$ ./test
Test function run successfully!
Test function run successfully!
Apparently noexec is not being honored.
This seems to affect Dapper as well with 2.6.15; Edgy is probably also affected, but I haven't tested 2.6.17.
This source file generates a shared object for the test program. This shared object is abused by the test program; it is protected non-executable before the second call is made.
Compiled by:
$ gcc -O2 -shared -fpic test_so.c -o test_so.so
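A stand-alone way to run the same kind of check, as an added example that is not the reporter's attached test.c or test_so.c: it calls into an anonymous page mapped without PROT_EXEC (instead of mprotect-ing a shared-object function) and reports whether the kernel faulted the call. The function name nx_enforced() and the use of a forked child are assumptions of this sketch.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the bug report).
 * Returns 1 if calling into a page that lacks PROT_EXEC raises SIGSEGV
 * (NX honoured), 0 if the call ran to completion (PROT_EXEC not enforced),
 * -1 on a setup error or an unexpected child status. */
int nx_enforced(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    /* 0xC3 is the x86 `ret` opcode: if the page does execute, the call
     * returns at once. With NX enforced no byte is ever fetched, so the
     * "enforced" verdict does not depend on the architecture. */
    memset(page, 0xC3, len);

    pid_t pid = fork();          /* probe in a child so the fault stays there */
    if (pid == 0) {
        void (*fn)(void);
        signal(SIGSEGV, SIG_DFL);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer */
        fn();
        _exit(0);                /* reached only if the page was executable */
    }
    int status = 0;
    int ok = (pid > 0 && waitpid(pid, &status, 0) == pid);
    munmap(page, len);
    if (!ok)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    int r = nx_enforced();
    printf("%s\n", r == 1 ? "NX enforced: call into non-exec page faulted"
                 : r == 0 ? "NX NOT enforced: non-exec page executed"
                          : "probe failed");
    return r == 1 ? 0 : 1;
}
```

On a system behaving like the 32-bit case described above, the probe would print the "NOT enforced" line; on the AMD64 case it would report the fault.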