(not sure if this is the right component)

W^X is a security principle that means that applications should never have pages that are both writable and executable. Not having that makes it harder to write exploits because they cannot inject their own code. See also https://en.wikipedia.org/wiki/W%5EX

I was looking for applications that violated that and libreoffice processes always have a few rwx pages (grep rwx /proc/$PID/maps)

Some debugging with gdb found:

#0  0x00007ffff44378b0 in mprotect () at /lib64/libc.so.6
#1  0x00007ffff0872db1 in () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#2  0x00007ffff456919c in rtl_arena_alloc () at /usr/lib64/libreoffice/program/libuno_sal.so.3
#3  0x00007ffff0872fb3 in () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#4  0x00007ffff0873546 in () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#5  0x00007ffff0873a7e in () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#6  0x00007ffff08749fb in () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#7  0x00007ffff0871d7f in () at /usr/lib64/libreoffice/program/libgcc3_uno.so
#8  0x00007ffff26f03c2 in cppu::throwException(com::sun::star::uno::Any const&) () at /usr/lib64/libreoffice/program/libuno_cppuhelpergcc3.so.3
#9  0x00007ffff68e74ab in ucbhelper::cancelCommandExecution(com::sun::star::ucb::IOErrorCode, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandProcessor> const&) () at /usr/lib64/libreoffice/program/libmergedlo.so

Looking at the code I found allocExec()
https://github.com/LibreOffice/core/blob/2c366aae9263dc4115b054fe74b90cabea61fa0b/bridges/source/cpp_uno/shared/vtablefactory.cxx#L60

I guess the interface should be changed to either write to the vtable or execute it, but not both at the same time.
Stephan: thought you might be interested in this one since it concerns "bridges" part
You do not state your operating system or the provenance of your LibreOffice installation at /usr/lib64/libreoffice/. I'll assume some Linux distribution. (Or, for that matter, any other environment that defines USE_DOUBLE_MMAP in bridges/inc/vtablefactory.hxx.) The behavior you observe is a consequence of <https://git.libreoffice.org/core/+/8b9968a26265facaf5e761485d750ce9cedab3ab%5E!/> "fdo#72755: Only use double mmap as fallback" fixing bug 72755. The code now first tries to create an anonymous memory area that is both writeable and executable, and only if that fails (because it is prohibited by the system's security settings) does it fall back to a shared memory area that is mmap'ed once as writeable and once as executable.
> You do not state your operating system or the provenance of your LibreOffice
> installation at /usr/lib64/libreoffice/. I'll assume some Linux distribution.
> (Or, for that matter, any other environment that defines USE_DOUBLE_MMAP in
> bridges/inc/vtablefactory.hxx.)

It was a recent opensuse version. libreoffice-6.4.4.2-1.1.x86_64

> The behavior you observe is a consequence of
> <https://git.libreoffice.org/core/+/8b9968a26265facaf5e761485d750ce9cedab3ab%5E!/>
> "fdo#72755: Only use double mmap as fallback" fixing bug 72755. The code now
> first tries to create an anonymous memory area that is both writeable and
> executable, and only if that fails (because it is prohibited by the system's
> security settings) does it fall back to a shared memory area that is mmap'ed
> once as writeable and once as executable.

Well you shouldn't need a tmp file in any case. The protections have nothing to do with that. Just use normal anonymous memory, but mprotect it only to writable (but not executable) when you're actually writing, and then set it back to executable-but-not-writable again. That's how the standard dynamic linker handles PLTs.

Of course you have to take care of multi threading races, but I assume you'll need that anyways for any safe vtable patching.
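The two approaches discussed in the previous comments (the single anonymous mapping flipped between writable and executable with mprotect, and the USE_DOUBLE_MMAP fallback that maps the same pages once writable and once executable) as an added example; this is not LibreOffice's code and not the allocExec() implementation, it assumes Linux (it reads /proc/self/maps, which the report greps, and backs the double mapping with memfd_create instead of a temporary file), and the code bytes it copies are constructed sample data that are never executed.

```c
/* Added example, not LibreOffice's code. Two W^X-respecting ways to hold
 * generated code: demo_flip toggles one anonymous mapping RW <-> RX with
 * mprotect(); demo_double maps one memfd twice, RW and RX. Both confirm the
 * result with the report's own check: count "rwx" lines in /proc/self/maps.
 * Linux only; sample_code is constructed data and is never executed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Count mappings whose permission field starts with "rwx"
 * (equivalent to `grep rwx /proc/$PID/maps`). Returns -1 if unreadable. */
int count_rwx_mappings(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512], perms[8];
    int n = 0;
    while (fgets(line, sizeof line, f)) {
        /* line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%*s %7s", perms) == 1 && strncmp(perms, "rwx", 3) == 0)
            n++;
    }
    fclose(f);
    return n;
}

/* Constructed sample bytes standing in for a generated vtable slot. */
static const unsigned char sample_code[] = {0xc3, 0xc3, 0xc3, 0xc3};

/* Approach from the reply above: open a write window (RW), copy, then seal
 * the page as RX; it is never RWX. A real implementation must hold a lock
 * across the window, because another thread executing from the region would
 * fault while it is not executable. Returns 0 on success. */
int write_then_seal(void *region, size_t len, const unsigned char *code, size_t code_len)
{
    if (code_len > len || mprotect(region, len, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memcpy(region, code, code_len);
    return mprotect(region, len, PROT_READ | PROT_EXEC) == 0 ? 0 : -1;
}

int demo_flip(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int before = count_rwx_mappings();
    void *region = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    int rc = write_then_seal(region, page, sample_code, sizeof sample_code);
    if (rc == 0 && memcmp(region, sample_code, sizeof sample_code) != 0)
        rc = -1;                       /* bytes must be readable from the RX view */
    if (rc == 0 && (before < 0 || count_rwx_mappings() != before))
        rc = -1;                       /* no rwx mapping may have appeared */
    munmap(region, page);
    return rc;
}

/* The double-mmap fallback: one memfd mapped twice. Writes go through the RW
 * view and are visible through the RX view; neither view is ever RWX. */
int demo_double(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int before = count_rwx_mappings();
    int fd = memfd_create("codebuf", MFD_CLOEXEC);
    if (fd < 0 || ftruncate(fd, (off_t)page) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    void *rw = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, page, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);                         /* the mappings outlive the descriptor */
    int rc = 0;
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        rc = -1;
    } else {
        memcpy(rw, sample_code, sizeof sample_code);
        if (memcmp(rx, sample_code, sizeof sample_code) != 0)
            rc = -1;                   /* RX view must show the same bytes */
        if (before < 0 || count_rwx_mappings() != before)
            rc = -1;
    }
    if (rw != MAP_FAILED) munmap(rw, page);
    if (rx != MAP_FAILED) munmap(rx, page);
    return rc;
}

int main(void)
{
    printf("flip: %s, double: %s, rwx mappings now: %d\n",
           demo_flip() == 0 ? "ok" : "failed",
           demo_double() == 0 ? "ok" : "failed",
           count_rwx_mappings());
    return 0;
}
```

Either demo returning -1 on a system where anonymous PROT_EXEC mappings or memfd_create are prohibited shows exactly the situation the commit referenced above handles by falling back; the rwx count before and after is the same observation the report makes with grep, taken from inside the process.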
Andi: I'm not able to judge what you propose but if interested, perhaps you may propose a patch after having following this page: https://wiki.documentfoundation.org/Development/GetInvolved ?
Hello Andi, Could you please try to reproduce it with the latest version of LibreOffice from https://www.libreoffice.org/download/libreoffice-fresh/ ? I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' if the bug is still present in the latest version.
Dear Andi Kleen,

This bug has been in NEEDINFO status with no change for at least 6 months. Please provide the requested information as soon as possible and mark the bug as UNCONFIRMED. Due to regular bug tracker maintenance, if the bug is still in NEEDINFO status with no change in 30 days the QA team will close the bug as INSUFFICIENTDATA due to lack of needed information.

For more information about our NEEDINFO policy please read the wiki located here: https://wiki.documentfoundation.org/QA/Bugzilla/Fields/Status/NEEDINFO

If you have already provided the requested information, please mark the bug as UNCONFIRMED so that the QA team knows that the bug is ready to be confirmed.

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-NeedInfo-Ping
Dear Andi Kleen,

Please read this message in its entirety before proceeding.

Your bug report is being closed as INSUFFICIENTDATA due to inactivity and a lack of information which is needed in order to accurately reproduce and confirm the problem. We encourage you to retest your bug against the latest release. If the issue is still present in the latest stable release, we need the following information (please ignore any that you've already provided):

a) Provide details of your system including your operating system and the latest version of LibreOffice that you have confirmed the bug to be present
b) Provide easy to reproduce steps – the simpler the better
c) Provide any test case(s) which will help us confirm the problem
d) Provide screenshots of the problem if you think it might help
e) Read all comments and provide any requested information

Once all of this is done, please set the bug back to UNCONFIRMED and we will attempt to reproduce the issue.

Please do not:
a) respond via email
b) update the version field in the bug or any of the other details on the top section of our bug tracker

Warm Regards,
QA Team

MassPing-NeedInfo-FollowUp