Old 02-06-05, 10:58 PM   #1
bluefoxicy
Registered User
 
Join Date: Feb 2005
Posts: 3
nVidia drivers + enhanced security

I'm using v1.0-6629 of the nVidia kernel and Xorg drivers. I'm tracking these against PaX, an executable space protection patch for Linux that greatly enhances security by taking memory protections a step further and making them a privileged resource managed in such a way that direct code injection can't happen.

A little background: originally, the mprotect() function allows programmers to freely alter memory protections, allowing them to separate memory privileges and thus avoid security issues to a degree. PaX extends this by employing a policy in which memory resources are always created writable or executable, but never both. PaX also denies programs the privilege to add writability to executable segments, or to make non-executable segments executable, thus restricting the mprotect() function.

The administrator can mark programs to be exempted from the mprotect() restrictions; and PaX allows hooks for MAC systems such as SELinux and GrSecurity (which is built around PaX) to control restrictions as well. PaX also allows similar control over the enforcement of PROT_EXEC, emulation of nested functions, and randomization of the address space.

The reason I'm bringing this up here is that a very few pieces of code are currently unable to function under PaX due to poor programming practice or bad design. Some tasks by nature must be able to use mprotect() freely; but aside from realtime machine emulators, all other programming tasks (including Java and Mono) can be realistically accomplished without generating code in memory at runtime.

PaX supplies the highest denomination of memory protections. Any code that runs in PaX will run on Exec Shield and vanilla Linux. This encompasses most code, with a few (about 20 I've found) notable exceptions that can easily be fixed, and a few special cases (vmware, qemu, bochs) where the protections simply should be disabled for the processes.

Unfortunately, x86 and x86-64/AMD64 nVidia GLX contains some code which triggers PaX. Without access to the source, the community cannot fix the code; however, by disabling randomization, I can trace the code to the mapping in glxgears in Ubuntu Hoary and get the address of the fault and the code being executed, which may help the nVidia developers track the problem down.

Below is the PaX log under those conditions.

Code:
glxgears[12427]: segfault at 0000002a957f0250 rip 0000002a957f0250 rsp 0000007fbfffe768 error 15
PAX: execution attempt in: /usr/lib/libGL.so.1.0.6629, 2a9576c000-2a957ff000 00000000
PAX: terminating task: /usr/X11R6/bin/glxgears(glxgears):12427, uid/euid: 1000/1000, PC: 0000002a957f0250, SP: 0000007fbfffe768
PAX: bytes at PC: 00000064 00000048 0000008b 00000004 00000025 00000090 000000ff 000000ff 000000ff 000000ff 000000a0 00000010 00000008 00000000 00000000 000000cc 000000cc 000000cc 000000cc 000000cc
Fixing this will fix a large chunk of incompatibilities, notably 3D games, Blender, and other GLX accelerated programs.
Old 02-06-05, 10:59 PM   #2
bluefoxicy
Registered User
 
Join Date: Feb 2005
Posts: 3
nVidia drivers + enhanced security (cont.)

Another helpful note: nVidia's libGL seems to be aware of this. This problem should be easy to track down by tracking down the mprotect() calls in the code that use PROT_EXEC and eliminating whatever is requiring those calls, obsoleting those lines of code. An strace reveals that there may be many points where this is occurring:

Code:
bluefox@icebox:~$ strace glxgears 2>&1 | grep PROT_EXEC
mmap(NULL, 1653472, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf65a000
mmap(0x2faf75a000, 602112, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x2faf75a000
mmap(0x2faf7ed000, 2784, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2faf7ed000
mmap(NULL, 1081288, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf7ef000
mmap(NULL, 1114856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf8f7000
mmap(NULL, 1957184, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafa08000
mmap(NULL, 1129792, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafbe7000
mmap(NULL, 1596072, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafcfb000
mmap(NULL, 2354728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafe81000
mmap(NULL, 7854616, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb00c1000
mmap(NULL, 1050432, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb083f000
mmap(NULL, 1058728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb0940000
mmap(NULL, 1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf559000
mmap(NULL, 940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1846000
mmap(NULL, 853, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1847000
mmap(NULL, 649, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1848000
mmap(NULL, 544, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1849000
mmap(NULL, 349, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184a000
mmap(NULL, 461, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184b000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184c000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184d000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184e000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184f000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1850000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1851000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1852000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1853000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1854000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1855000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1856000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1857000
mmap(NULL, 1256, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1858000
mmap(NULL, 1061, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1859000
mmap(NULL, 922, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185a000
mmap(NULL, 817, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185b000
mmap(NULL, 541, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185c000
mmap(NULL, 653, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185d000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185e000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185f000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1860000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1861000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1862000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1863000
mmap(NULL, 1238, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1864000
mmap(NULL, 1025, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1865000
mmap(NULL, 898, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1866000
mmap(NULL, 793, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1867000
mmap(NULL, 501, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1868000
mmap(NULL, 613, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1869000
mmap(NULL, 1388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186a000
mmap(NULL, 1115, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186b000
mmap(NULL, 1030, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186c000
mmap(NULL, 925, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186d000
mmap(NULL, 597, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186e000
mmap(NULL, 709, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186f000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1870000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1871000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1872000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1873000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1874000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1875000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1876000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1877000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1878000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1879000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187a000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187b000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187c000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187d000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187e000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187f000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1880000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1881000
mmap(NULL, 1094, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1882000
mmap(NULL, 943, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1883000
mmap(NULL, 778, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1884000
mmap(NULL, 673, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1885000
mmap(NULL, 437, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1886000
mmap(NULL, 549, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1887000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1888000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1889000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188a000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188b000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188c000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188d000
mmap(NULL, 1088, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188e000
mmap(NULL, 931, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188f000
mmap(NULL, 770, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1890000
mmap(NULL, 665, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1891000
mmap(NULL, 415, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1892000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1893000
mmap(NULL, 1244, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1894000
mmap(NULL, 1037, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1895000
mmap(NULL, 906, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1896000
mmap(NULL, 801, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1897000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1898000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1899000
mmap(NULL, 1124, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189a000
mmap(NULL, 1007, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189b000
mmap(NULL, 878, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189c000
mmap(NULL, 773, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189d000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189e000
mmap(NULL, 623, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189f000
mmap(NULL, 952, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a0000
mmap(NULL, 877, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a1000
mmap(NULL, 693, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a2000
mmap(NULL, 588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a3000
mmap(NULL, 399, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a4000
mmap(NULL, 495, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a5000
Of course, once the protections are in place, the mappings are returned either PROT_READ|PROT_WRITE, or PROT_READ|PROT_EXEC, depending on the type of mapping. This means that the problem at hand is that no mapping should ever be both written to and executed during program run.
Old 02-06-05, 11:00 PM   #3
bluefoxicy
Registered User
 
Join Date: Feb 2005
Posts: 3
nVidia drivers + enhanced security (cont.)

These appear to be libraries being mapped in, and are fine. The dynamic linker is most likely doing this.
Code:
mmap(NULL, 1653472, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf65a000
mmap(NULL, 1081288, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf7ef000
mmap(NULL, 1114856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf8f7000
mmap(NULL, 1957184, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafa08000
mmap(NULL, 1129792, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafbe7000
mmap(NULL, 1596072, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafcfb000
mmap(NULL, 2354728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafe81000
mmap(NULL, 7854616, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb00c1000
mmap(NULL, 1050432, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb083f000
mmap(NULL, 1058728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb0940000
These appear to be file-backed mappings that are made writable and executable, which of course doesn't happen under PaX; it only gives one or the other. Furthermore, these are mapped with MAP_FIXED and a specific offset, which is particularly dangerous as this can collide with ASLR. Finally, if an attacker was lucky enough to stumble upon a GL-using program that had a bug allowing remote arbitrary writes to memory (esp. a 3D game), this would provide an easy way to get around ASLR and find fertile ground to inject code.
Code:
mmap(0x2faf75a000, 602112, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x2faf75a000
mmap(0x2faf7ed000, 2784, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2faf7ed000
And finally, the below I can't tell what they're for. They appear to be file-backed mappings made writable and executable, but for what purpose I don't know.
Code:
mmap(NULL, 1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf559000
mmap(NULL, 940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1846000
mmap(NULL, 853, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1847000
mmap(NULL, 649, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1848000
mmap(NULL, 544, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1849000
mmap(NULL, 349, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184a000
mmap(NULL, 461, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184b000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184c000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184d000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184e000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184f000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1850000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1851000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1852000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1853000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1854000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1855000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1856000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1857000
mmap(NULL, 1256, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1858000
mmap(NULL, 1061, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1859000
mmap(NULL, 922, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185a000
mmap(NULL, 817, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185b000
mmap(NULL, 541, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185c000
mmap(NULL, 653, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185d000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185e000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185f000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1860000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1861000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1862000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1863000
mmap(NULL, 1238, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1864000
mmap(NULL, 1025, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1865000
mmap(NULL, 898, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1866000
mmap(NULL, 793, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1867000
mmap(NULL, 501, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1868000
mmap(NULL, 613, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1869000
mmap(NULL, 1388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186a000
mmap(NULL, 1115, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186b000
mmap(NULL, 1030, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186c000
mmap(NULL, 925, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186d000
mmap(NULL, 597, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186e000
mmap(NULL, 709, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186f000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1870000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1871000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1872000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1873000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1874000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1875000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1876000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1877000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1878000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1879000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187a000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187b000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187c000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187d000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187e000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187f000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1880000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1881000
mmap(NULL, 1094, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1882000
mmap(NULL, 943, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1883000
mmap(NULL, 778, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1884000
mmap(NULL, 673, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1885000
mmap(NULL, 437, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1886000
mmap(NULL, 549, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1887000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1888000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1889000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188a000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188b000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188c000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188d000
mmap(NULL, 1088, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188e000
mmap(NULL, 931, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188f000
mmap(NULL, 770, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1890000
mmap(NULL, 665, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1891000
mmap(NULL, 415, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1892000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1893000
mmap(NULL, 1244, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1894000
mmap(NULL, 1037, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1895000
mmap(NULL, 906, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1896000
mmap(NULL, 801, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1897000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1898000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1899000
mmap(NULL, 1124, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189a000
mmap(NULL, 1007, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189b000
mmap(NULL, 878, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189c000
mmap(NULL, 773, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189d000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189e000
mmap(NULL, 623, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189f000
mmap(NULL, 952, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a0000
mmap(NULL, 877, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a1000
mmap(NULL, 693, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a2000
mmap(NULL, 588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a3000
mmap(NULL, 399, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a4000
mmap(NULL, 495, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a5000
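Added example (not part of any post in this thread, and not nVidia or PaX project code): a small Python classifier that applies the three-way triage from post #3 to strace output, separating read+execute mappings from writable+executable ones and noting MAP_FIXED. It goes slightly beyond the thread by also handling mprotect() lines; the function and category names are made up for illustration, and the trace shows what was requested, not what the kernel granted.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "call addr length category fixed failed")

# Matches strace lines such as
#   mmap(addr, len, prot, flags, fd, off) = ret
#   mprotect(addr, len, prot) = ret
# with an optional "[pid N]" prefix as printed by strace -f.
CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(mmap2?|mprotect)\((.*)\)\s+=\s+(\S+)")

# The five mmap() lines are copied from the strace output in the thread.
# The mprotect() and close() lines are constructed for this example.
SAMPLE_TRACE = """\
mmap(NULL, 1653472, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf65a000
mmap(0x2faf75a000, 602112, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x2faf75a000
mmap(0x2faf7ed000, 2784, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2faf7ed000
mmap(NULL, 1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf559000
mmap(NULL, 940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1846000
mprotect(0x2fb1846000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
close(3) = 0
"""


def classify(line):
    """Return a Finding for an mmap/mprotect line, or None for anything else."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None  # other syscalls, or lines strace left unfinished
    call, argstr, ret = m.groups()
    args = [a.strip() for a in argstr.split(",")]
    if len(args) < 3:
        return None
    prot = set(args[2].split("|"))
    # Only mmap carries a flags argument; mprotect changes an existing mapping.
    flags = set(args[3].split("|")) if call != "mprotect" and len(args) > 3 else set()

    if "PROT_EXEC" not in prot:
        category = "no-exec"        # data mapping, not relevant here
    elif "PROT_WRITE" not in prot:
        category = "rx"             # e.g. library text mapped by the loader
    elif call == "mprotect":
        category = "wx-mprotect"    # existing region asked to become W+X
    elif flags & {"MAP_ANONYMOUS", "MAP_ANON"}:
        category = "wx-anon"        # anonymous writable+executable memory
    else:
        category = "wx-file"        # file-backed writable+executable memory
    return Finding(call, args[0], int(args[1], 0), category,
                   "MAP_FIXED" in flags, ret == "-1")


def scan(trace):
    """Classify every mmap/mprotect line in a multi-line strace capture."""
    return [f for f in map(classify, trace.splitlines()) if f]


def violations(findings):
    """Requests asking for write and execute permission at the same time."""
    return [f for f in findings if f.category.startswith("wx")]


if __name__ == "__main__":
    found = scan(SAMPLE_TRACE)
    print(dict(Counter(f.category for f in found)))
    for f in violations(found):
        note = " MAP_FIXED" if f.fixed else ""
        print(f"{f.call} {f.addr} len={f.length} {f.category}{note}")
```

To run it over a real capture, replace SAMPLE_TRACE with the text of a saved strace log.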
Old 05-04-05, 06:02 PM   #4
bani
Registered User
 
Join Date: Aug 2004
Posts: 24
Re: nVidia drivers + enhanced security

nVidia's GL drivers make heavy use of self-modifying code. It does this on Win32 also, so I can only assume this is common code. ATI's drivers don't do this. From what I recall looking at the selfmod code, it is setting up some kind of function dispatch table. This can be done without selfmod code though; I can only assume nVidia is doing it for some small performance gain.

So the only solution with PaX is to either paxctl/chpax all the binaries which use libGL, or use ATI instead. :/
Old 05-05-05, 02:56 AM   #5
Thunderbird
 
Join Date: Jul 2002
Location: Netherlands, Europe
Posts: 2,105
Re: nVidia drivers + enhanced security

Perhaps the dispatch table is the following. In the case of the nVidia drivers on Linux, the 'real' OpenGL library is libGLcore.so. The library libGL.so is just a small wrapper that calls functions from libGLcore.so. Not sure why this is done, but it might have something to do with sharing code between the Windows and Linux drivers. (libGLcore might contain platform-independent code.)
Old 03-01-08, 01:16 PM   #6
kernelOfTruth
Gentoo Linux addict
 
Join Date: Nov 2007
Location: Vienna, Austria; Germany; hello world :)
Posts: 202
Re: nVidia drivers + enhanced security

*dig dig dig*

Anyone got nvidia-drivers w. 3D acceleration (e.g. compiz) with grsecurity/pax working?

I've read about that in gentoo-forums (a post from around 2 years ago)

many thanks in advance for your input

http://forums.gentoo.org/viewtopic-t-435668.html