UPX disables NX in Linux #81

Closed
ThinerDAS opened this issue Mar 31, 2017 · 0 comments

ThinerDAS commented Mar 31, 2017

What's the problem (or question)?

When packing with upx in Linux, executables with their NX set failed to set NX when packed. That is, the stack/heap/etc. of an upx-packed executable are always executable (PROT_READ implies PROT_EXEC in mmap).

What should have happened?

An executable with GNU_STACK in its program header (implying that the kernel should unset READ_IMPLIES_EXEC for the executable), when packed, should keep its stack+heap+bss not executable.

Do you have an idea for a solution?

Preserve the personality() ..?

How can we reproduce the issue?

Fairly easy. The following steps are self-explanatory.
(Tested on Ubuntu 16.04)

$ cp /bin/cat .
$ ~/Source/upx-3.92-amd64_linux/upx cat 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2016
UPX 3.92        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 11th 2016

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     52080 ->     23264   44.67%   linux/amd64   cat                           

Packed 1 file.
$ cat /proc/self/maps
00400000-0040c000 r-xp 00000000 08:02 58720280                           /bin/cat
0060b000-0060c000 r--p 0000b000 08:02 58720280                           /bin/cat
0060c000-0060d000 rw-p 0000c000 08:02 58720280                           /bin/cat
01896000-018b7000 rw-p 00000000 00:00 0                                  [heap]
7f74015c2000-7f7401a4d000 r--p 00000000 08:02 115870539                  /usr/lib/locale/locale-archive
7f7401a4d000-7f7401c0c000 r-xp 00000000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7401c0c000-7f7401e0c000 ---p 001bf000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7401e0c000-7f7401e10000 r--p 001bf000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7401e10000-7f7401e12000 rw-p 001c3000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7f7401e12000-7f7401e16000 rw-p 00000000 00:00 0 
7f7401e16000-7f7401e3c000 r-xp 00000000 08:02 20447426                   /lib/x86_64-linux-gnu/ld-2.23.so
7f740200e000-7f7402011000 rw-p 00000000 00:00 0 
7f7402017000-7f740203b000 rw-p 00000000 00:00 0 
7f740203b000-7f740203c000 r--p 00025000 08:02 20447426                   /lib/x86_64-linux-gnu/ld-2.23.so
7f740203c000-7f740203d000 rw-p 00026000 08:02 20447426                   /lib/x86_64-linux-gnu/ld-2.23.so
7f740203d000-7f740203e000 rw-p 00000000 00:00 0 
7ffe9b66e000-7ffe9b68f000 rw-p 00000000 00:00 0                          [stack]
7ffe9b69c000-7ffe9b69e000 r--p 00000000 00:00 0                          [vvar]
7ffe9b69e000-7ffe9b6a0000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
$ ./cat /proc/self/maps
00400000-0040c000 r-xp 00000000 00:00 0 
0040c000-0060b000 ---p 00000000 00:00 0 
0060b000-0060c000 r-xp 00000000 00:00 0 
0060c000-0060d000 rwxp 00000000 00:00 0 
01247000-01268000 rwxp 00000000 00:00 0                                  [heap]
7fd785750000-7fd785bdb000 r-xp 00000000 08:02 115870539                  /usr/lib/locale/locale-archive
7fd785bdb000-7fd785bde000 rwxp 00000000 00:00 0 
7fd785bde000-7fd785d9d000 r-xp 00000000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd785d9d000-7fd785f9d000 ---p 001bf000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd785f9d000-7fd785fa1000 r-xp 001bf000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd785fa1000-7fd785fa3000 rwxp 001c3000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7fd785fa3000-7fd785fa7000 rwxp 00000000 00:00 0 
7fd785fad000-7fd785fd1000 rwxp 00000000 00:00 0 
7fd785fd1000-7fd785ff7000 r-xp 00000000 08:02 20447426                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd785ff7000-7fd7861f6000 ---p 00000000 00:00 0 
7fd7861f6000-7fd7861f7000 r-xp 00025000 08:02 20447426                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd7861f7000-7fd7861f8000 rwxp 00026000 08:02 20447426                   /lib/x86_64-linux-gnu/ld-2.23.so
7fd7861f8000-7fd7861f9000 rwxp 00000000 00:00 0 
7ffd4319f000-7ffd431c0000 rwxp 00000000 00:00 0                          [stack]
7ffd431f3000-7ffd431f5000 r--p 00000000 00:00 0                          [vvar]
7ffd431f5000-7ffd431f7000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
$ 

Please tell us details about your environment.

  • UPX version used (upx --version):

upx 3.92
NRV data compression library 0.84
UCL data compression library 1.03
zlib data compression library 1.2.3
LZMA SDK version 4.43
Copyright (C) 1996-2016 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2016 Laszlo Molnar
Copyright (C) 2000-2016 John F. Reiser
Copyright (C) 2002-2016 Jens Medoch
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
  • Operating System and version:

Ubuntu 16.04

  • CPU architecture:
$ uname -a
Linux [computer-name] 4.10.3-041003-generic #201703142331 SMP Wed Mar 15 03:32:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
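
The comparison the reporter makes by eye between the two /proc/self/maps listings can be automated. The following is an added example, not part of the original issue or of UPX: it flags mappings that are both writable and executable and decodes the READ_IMPLIES_EXEC bit from /proc/<pid>/personality. The sample text is excerpted from the listings above, and the function names and the personality check (which follows the reporter's hypothesis) are assumptions of this example.

```python
import re

READ_IMPLIES_EXEC = 0x0400000  # personality flag, <linux/personality.h>
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Excerpts of the two /proc/self/maps listings in the issue above.
UNPACKED = """\
0060c000-0060d000 rw-p 0000c000 08:02 58720280                           /bin/cat
01896000-018b7000 rw-p 00000000 00:00 0                                  [heap]
7f7401a4d000-7f7401c0c000 r-xp 00000000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7ffe9b66e000-7ffe9b68f000 rw-p 00000000 00:00 0                          [stack]
"""
PACKED = """\
0060c000-0060d000 rwxp 00000000 00:00 0
01247000-01268000 rwxp 00000000 00:00 0                                  [heap]
7fd785bde000-7fd785d9d000 r-xp 00000000 08:02 20447425                   /lib/x86_64-linux-gnu/libc-2.23.so
7ffd4319f000-7ffd431c0000 rwxp 00000000 00:00 0                          [stack]
"""

def wx_mappings(maps_text):
    """Return (start, end, perms, name) for each writable+executable mapping."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and "w" in m.group(3) and "x" in m.group(3):
            hits.append((int(m.group(1), 16), int(m.group(2), 16),
                         m.group(3), m.group(4) or "[anon]"))
    return hits

def nx_lost(maps_text):
    """True when the stack or heap mapping is writable and executable."""
    return any(h[3] in ("[stack]", "[heap]") for h in wx_mappings(maps_text))

def read_implies_exec(personality_hex):
    """Decode the hex word from /proc/<pid>/personality."""
    return bool(int(personality_hex.strip(), 16) & READ_IMPLIES_EXEC)

def audit_pid(pid):
    """Audit a live process; needs permission to read its /proc entries."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/personality") as f:
        flag = read_implies_exec(f.read())
    return {"wx": wx_mappings(maps_text), "nx_lost": nx_lost(maps_text),
            "read_implies_exec": flag}

if __name__ == "__main__":
    for label, text in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, "nx_lost =", nx_lost(text), [h[3] for h in wx_mappings(text)])
```

Running `audit_pid` against a packed and an unpacked copy of the same binary gives a regression check that can be repeated after upgrading UPX.
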
jreiser added a commit that referenced this issue Apr 4, 2017
…or now)

#81
	modified:   ../.github/travis_testsuite_1.sh
	modified:   p_elf_enum.h
	modified:   p_lx_elf.cpp
	modified:   p_lx_elf.h
	modified:   stub/amd64-linux.elf-entry.h
	modified:   stub/i386-linux.elf-fold.h
	modified:   stub/powerpc-linux.elf-fold.h
	modified:   stub/powerpc64le-linux.elf-fold.h
	modified:   stub/src/amd64-linux.elf-entry.S
	modified:   stub/src/i386-linux.elf-fold.S
	modified:   stub/src/powerpc-linux.elf-fold.S
	modified:   stub/src/powerpc64le-linux.elf-fold.S
	modified:   stub/tmp/amd64-linux.elf-entry.bin.dump
	modified:   stub/tmp/i386-linux.elf-fold.map
	modified:   stub/tmp/powerpc-linux.elf-fold.map
	modified:   stub/tmp/powerpc64le-linux.elf-fold.map
@jreiser jreiser closed this as completed Apr 4, 2017
@markus-oberhumer markus-oberhumer added this to the v3.94 milestone Apr 5, 2017
jreiser added a commit that referenced this issue Apr 6, 2017
… for now)

#81
	modified:   ../.github/travis_testsuite_1.sh
	modified:   p_elf_enum.h
	modified:   p_lx_elf.cpp
	modified:   p_lx_elf.h
	modified:   stub/amd64-linux.elf-entry.h
	modified:   stub/i386-linux.elf-fold.h
	modified:   stub/powerpc-linux.elf-fold.h
	modified:   stub/powerpc64le-linux.elf-fold.h
	modified:   stub/src/amd64-linux.elf-entry.S
	modified:   stub/src/i386-linux.elf-fold.S
	modified:   stub/src/powerpc-linux.elf-fold.S
	modified:   stub/src/powerpc64le-linux.elf-fold.S
	modified:   stub/tmp/amd64-linux.elf-entry.bin.dump
	modified:   stub/tmp/i386-linux.elf-fold.map
	modified:   stub/tmp/powerpc-linux.elf-fold.map
	modified:   stub/tmp/powerpc64le-linux.elf-fold.map