nVidia drivers + enhanced security

bluefoxicy · 02-06-05, 10:58 PM

I'm using v1.0-6629 of the nVidia kernel and Xorg drivers. I'm tracking these against PaX, an executable space protection patch for Linux that greatly enhances security by taking memory protections a step further and making them a privileged resource managed in such a way that direct code injection can't happen.

A little background, originally the mprotect() function allows programmers to freely alter memory protections, allowing them to separate memory privileges and thus avoid security issues to a degree. PaX extends this by employing a policy in which memory resources are always created writable or executable, but never both. PaX also denies programs the privilege to add writability to executable segments, or to make non-executable segments executable, thus restricting the mprotect() function.

The administrator can mark programs to be exempted from the mprotect() restrictions; and PaX allows hooks for MAC systems such as SELinux and GrSecurity (which is built around PaX) to control restrictions as well. PaX also allows similar control over the enforcement of PROT_EXEC, emulation of nested functions, and randomization of the address space.

The reason I'm bringing this up here is that a very few pieces of code are currently inable to function under PaX due to poor programming practice or bad design. Some tasks by nature must be able to use mprotect() freely; but aside from realtime machine emulators, all other programming tasks (including Java and Mono) can be realisticly accomplished without generating code in memory at runtime.

PaX supplies the highest denomination of memory protections. Any code that runs in PaX will run on Exec Shield and vanilla Linux. This encompasses most code, with a few (about 20 I've found) notable exceptions that can easily be fixed, and a few special cases (vmware, qemu, bochs) where the protections simply should be disabled for the processes.

Unfortunately, x86 and x86-64/AMD64 nVidia GLX contains some code which triggers PaX. Without access to the source, the community cannot fix the code; however, by disabling randomization, I can trace the code to the mapping in glxgears in Ubuntu Hoary and get the address of the fault and the code being executed, which may help the nVidia developers track the problem down.

Below is the PaX log under those conditions.

Code:

glxgears[12427]: segfault at 0000002a957f0250 rip 0000002a957f0250 rsp 0000007fbfffe768 error 15
PAX: execution attempt in: /usr/lib/libGL.so.1.0.6629, 2a9576c000-2a957ff000 00000000
PAX: terminating task: /usr/X11R6/bin/glxgears(glxgears):12427, uid/euid: 1000/1000, PC: 0000002a957f0250, SP: 0000007fbfffe768
PAX: bytes at PC: 00000064 00000048 0000008b 00000004 00000025 00000090 000000ff 000000ff 000000ff 000000ff 000000a0 00000010 00000008 00000000 00000000 000000cc 000000cc 000000cc 000000cc 000000cc

Fixing this will fix a large chunk of incompatibilities, notably 3D games, Blender, and other GLX accelerated programs.

bluefoxicy · 02-06-05, 10:59 PM

Another helpful note, nVidia's libGL seems to be aware of this. This problem should be easy to track down by tracking down the mprotect() calls in the code that use PROT_EXEC and eliminating whatever is requiring those calls, obsoleting those lines of code. An strace reveals that there may be many points where this is occurring:

Code:

bluefox@icebox:~$ strace glxgears 2>&1 | grep PROT_EXEC
mmap(NULL, 1653472, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf65a000
mmap(0x2faf75a000, 602112, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x2faf75a000
mmap(0x2faf7ed000, 2784, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2faf7ed000
mmap(NULL, 1081288, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf7ef000
mmap(NULL, 1114856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf8f7000
mmap(NULL, 1957184, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafa08000
mmap(NULL, 1129792, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafbe7000
mmap(NULL, 1596072, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafcfb000
mmap(NULL, 2354728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafe81000
mmap(NULL, 7854616, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb00c1000
mmap(NULL, 1050432, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb083f000
mmap(NULL, 1058728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb0940000
mmap(NULL, 1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf559000
mmap(NULL, 940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1846000
mmap(NULL, 853, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1847000
mmap(NULL, 649, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1848000
mmap(NULL, 544, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1849000
mmap(NULL, 349, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184a000
mmap(NULL, 461, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184b000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184c000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184d000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184e000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184f000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1850000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1851000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1852000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1853000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1854000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1855000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1856000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1857000
mmap(NULL, 1256, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1858000
mmap(NULL, 1061, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1859000
mmap(NULL, 922, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185a000
mmap(NULL, 817, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185b000
mmap(NULL, 541, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185c000
mmap(NULL, 653, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185d000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185e000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185f000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1860000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1861000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1862000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1863000
mmap(NULL, 1238, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1864000
mmap(NULL, 1025, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1865000
mmap(NULL, 898, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1866000
mmap(NULL, 793, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1867000
mmap(NULL, 501, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1868000
mmap(NULL, 613, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1869000
mmap(NULL, 1388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186a000
mmap(NULL, 1115, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186b000
mmap(NULL, 1030, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186c000
mmap(NULL, 925, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186d000
mmap(NULL, 597, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186e000
mmap(NULL, 709, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186f000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1870000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1871000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1872000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1873000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1874000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1875000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1876000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1877000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1878000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1879000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187a000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187b000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187c000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187d000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187e000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187f000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1880000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1881000
mmap(NULL, 1094, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1882000
mmap(NULL, 943, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1883000
mmap(NULL, 778, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1884000
mmap(NULL, 673, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1885000
mmap(NULL, 437, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1886000
mmap(NULL, 549, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1887000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1888000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1889000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188a000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188b000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188c000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188d000
mmap(NULL, 1088, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188e000
mmap(NULL, 931, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188f000
mmap(NULL, 770, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1890000
mmap(NULL, 665, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1891000
mmap(NULL, 415, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1892000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1893000
mmap(NULL, 1244, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1894000
mmap(NULL, 1037, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1895000
mmap(NULL, 906, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1896000
mmap(NULL, 801, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1897000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1898000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1899000
mmap(NULL, 1124, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189a000
mmap(NULL, 1007, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189b000
mmap(NULL, 878, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189c000
mmap(NULL, 773, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189d000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189e000
mmap(NULL, 623, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189f000
mmap(NULL, 952, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a0000
mmap(NULL, 877, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a1000
mmap(NULL, 693, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a2000
mmap(NULL, 588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a3000
mmap(NULL, 399, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a4000
mmap(NULL, 495, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a5000

Of course, once the protections are in place, the mappings are returned either PROT_READ|PROT_WRITE, or PROT_READ|PROT_EXEC, depending on the type of mapping. This means that the problem at hand is that no mapping should ever be both written to and executed during program run.

bluefoxicy · 02-06-05, 11:00 PM

These appear to be libraries being mapped in, and are fine. The dynamic linker is most likely doing this.

Code:

mmap(NULL, 1653472, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf65a000
mmap(NULL, 1081288, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf7ef000
mmap(NULL, 1114856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf8f7000
mmap(NULL, 1957184, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafa08000
mmap(NULL, 1129792, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafbe7000
mmap(NULL, 1596072, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafcfb000
mmap(NULL, 2354728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fafe81000
mmap(NULL, 7854616, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb00c1000
mmap(NULL, 1050432, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb083f000
mmap(NULL, 1058728, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2fb0940000

These appear to be file-backed mappings that are made writable and executable, which of course doesn't happen under PaX; it only gives one or the other. Furthermore, these are mapped with MAP_FIXED and a specific offset, which is particularly dangerous as this can collide with ASLR. Finally, if an attacker was lucky enough to stumble upon a GL-using program that had a bug allowing remote arbitrary writes to memory (esp. a 3D game), this would provide an easy way to get around ASLR and find fertile ground to inject code.

Code:

mmap(0x2faf75a000, 602112, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x2faf75a000
mmap(0x2faf7ed000, 2784, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2faf7ed000

And finally, the below i can't tell what they're for. They appear to be file-backed mappings made writable and executable, but for what purpose I don't know.

Code:

mmap(NULL, 1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2faf559000
mmap(NULL, 940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1846000
mmap(NULL, 853, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1847000
mmap(NULL, 649, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1848000
mmap(NULL, 544, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1849000
mmap(NULL, 349, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184a000
mmap(NULL, 461, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184b000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184c000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184d000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184e000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb184f000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1850000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1851000
mmap(NULL, 1100, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1852000
mmap(NULL, 959, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1853000
mmap(NULL, 786, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1854000
mmap(NULL, 681, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1855000
mmap(NULL, 445, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1856000
mmap(NULL, 557, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1857000
mmap(NULL, 1256, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1858000
mmap(NULL, 1061, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1859000
mmap(NULL, 922, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185a000
mmap(NULL, 817, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185b000
mmap(NULL, 541, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185c000
mmap(NULL, 653, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185d000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185e000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb185f000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1860000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1861000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1862000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1863000
mmap(NULL, 1238, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1864000
mmap(NULL, 1025, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1865000
mmap(NULL, 898, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1866000
mmap(NULL, 793, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1867000
mmap(NULL, 501, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1868000
mmap(NULL, 613, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1869000
mmap(NULL, 1388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186a000
mmap(NULL, 1115, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186b000
mmap(NULL, 1030, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186c000
mmap(NULL, 925, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186d000
mmap(NULL, 597, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186e000
mmap(NULL, 709, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb186f000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1870000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1871000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1872000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1873000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1874000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1875000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1876000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1877000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1878000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1879000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187a000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187b000
mmap(NULL, 1400, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187c000
mmap(NULL, 1139, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187d000
mmap(NULL, 1046, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187e000
mmap(NULL, 941, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb187f000
mmap(NULL, 629, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1880000
mmap(NULL, 741, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1881000
mmap(NULL, 1094, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1882000
mmap(NULL, 943, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1883000
mmap(NULL, 778, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1884000
mmap(NULL, 673, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1885000
mmap(NULL, 437, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1886000
mmap(NULL, 549, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1887000
mmap(NULL, 1250, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1888000
mmap(NULL, 1049, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1889000
mmap(NULL, 914, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188a000
mmap(NULL, 809, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188b000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188c000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188d000
mmap(NULL, 1088, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188e000
mmap(NULL, 931, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb188f000
mmap(NULL, 770, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1890000
mmap(NULL, 665, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1891000
mmap(NULL, 415, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1892000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1893000
mmap(NULL, 1244, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1894000
mmap(NULL, 1037, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1895000
mmap(NULL, 906, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1896000
mmap(NULL, 801, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1897000
mmap(NULL, 533, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1898000
mmap(NULL, 645, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb1899000
mmap(NULL, 1124, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189a000
mmap(NULL, 1007, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189b000
mmap(NULL, 878, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189c000
mmap(NULL, 773, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189d000
mmap(NULL, 527, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189e000
mmap(NULL, 623, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb189f000
mmap(NULL, 952, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a0000
mmap(NULL, 877, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a1000
mmap(NULL, 693, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a2000
mmap(NULL, 588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a3000
mmap(NULL, 399, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a4000
mmap(NULL, 495, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 11, 0) = 0x2fb18a5000

bani · 05-04-05, 06:02 PM

nvidia's gl drivers make heavy use of selfmodifying code. it does this on win32 also, so i can only assume this is common code. ati's drivers dont do this. from what i recall looking at the selfmod code it is setting up some kind of function dispatch table. this can be done without selfmod code though, i can only assume nvidia is doing it for some small performance gain.

so the only solution with PAX is to either paxctl/chpax all the binaries which use libGL, or use ati instead. :/

**Thunderbird** · 05-05-05, 02:56 AM

Perhaps the dispatch table is the following. In case of the nvidia drivers on linux the 'real' opengl library is libGLcore.so. The library libGL.so is just a small wrapper that calls functions from libGLcore.so. Not sure why this is done but it might have something to do with sharing code between the windows and linux drivers. (libGLcore might contain platform-independant code)

kernelOfTruth · 03-01-08, 01:16 PM

*dig dig dig*

anyone got nvidia-drivers w. 3D acceleration (e.g. compiz) with grsecurity/pax working ?

I've read about that in gentoo-forums (a post from around 2 years ago)

many thanks in advance for your input

http://forums.gentoo.org/viewtopic-t-435668.html

02-06-05, 10:58 PM	#1
bluefoxicy Registered User Join Date: Feb 2005 Posts: 3	nVidia drivers + enhanced security I'm using v1.0-6629 of the nVidia kernel and Xorg drivers. I'm tracking these against PaX, an executable space protection patch for Linux that greatly enhances security by taking memory protections a step further and making them a privileged resource managed in such a way that direct code injection can't happen. A little background, originally the mprotect() function allows programmers to freely alter memory protections, allowing them to separate memory privileges and thus avoid security issues to a degree. PaX extends this by employing a policy in which memory resources are always created writable or executable, but never both. PaX also denies programs the privilege to add writability to executable segments, or to make non-executable segments executable, thus restricting the mprotect() function. The administrator can mark programs to be exempted from the mprotect() restrictions; and PaX allows hooks for MAC systems such as SELinux and GrSecurity (which is built around PaX) to control restrictions as well. PaX also allows similar control over the enforcement of PROT_EXEC, emulation of nested functions, and randomization of the address space. The reason I'm bringing this up here is that a very few pieces of code are currently inable to function under PaX due to poor programming practice or bad design. Some tasks by nature must be able to use mprotect() freely; but aside from realtime machine emulators, all other programming tasks (including Java and Mono) can be realisticly accomplished without generating code in memory at runtime. PaX supplies the highest denomination of memory protections. Any code that runs in PaX will run on Exec Shield and vanilla Linux. This encompasses most code, with a few (about 20 I've found) notable exceptions that can easily be fixed, and a few special cases (vmware, qemu, bochs) where the protections simply should be disabled for the processes. Unfortunately, x86 and x86-64/AMD64 nVidia GLX contains some code which triggers PaX. Without access to the source, the community cannot fix the code; however, by disabling randomization, I can trace the code to the mapping in glxgears in Ubuntu Hoary and get the address of the fault and the code being executed, which may help the nVidia developers track the problem down. Below is the PaX log under those conditions. Code: glxgears[12427]: segfault at 0000002a957f0250 rip 0000002a957f0250 rsp 0000007fbfffe768 error 15 PAX: execution attempt in: /usr/lib/libGL.so.1.0.6629, 2a9576c000-2a957ff000 00000000 PAX: terminating task: /usr/X11R6/bin/glxgears(glxgears):12427, uid/euid: 1000/1000, PC: 0000002a957f0250, SP: 0000007fbfffe768 PAX: bytes at PC: 00000064 00000048 0000008b 00000004 00000025 00000090 000000ff 000000ff 000000ff 000000ff 000000a0 00000010 00000008 00000000 00000000 000000cc 000000cc 000000cc 000000cc 000000cc Fixing this will fix a large chunk of incompatibilities, notably 3D games, Blender, and other GLX accelerated programs.

05-04-05, 06:02 PM	#4
bani Registered User Join Date: Aug 2004 Posts: 24	Re: nVidia drivers + enhanced security nvidia's gl drivers make heavy use of selfmodifying code. it does this on win32 also, so i can only assume this is common code. ati's drivers dont do this. from what i recall looking at the selfmod code it is setting up some kind of function dispatch table. this can be done without selfmod code though, i can only assume nvidia is doing it for some small performance gain. so the only solution with PAX is to either paxctl/chpax all the binaries which use libGL, or use ati instead. :/

05-05-05, 02:56 AM	#5
Thunderbird Join Date: Jul 2002 Location: Netherlands, Europe Posts: 2,105	Re: nVidia drivers + enhanced security Perhaps the dispatch table is the following. In case of the nvidia drivers on linux the 'real' opengl library is libGLcore.so. The library libGL.so is just a small wrapper that calls functions from libGLcore.so. Not sure why this is done but it might have something to do with sharing code between the windows and linux drivers. (libGLcore might contain platform-independant code)

03-01-08, 01:16 PM	#6
kernelOfTruth Gentoo Linux addict Join Date: Nov 2007 Location: Vienna, Austria; Germany; hello world :) Posts: 202	Re: nVidia drivers + enhanced security dig dig dig anyone got nvidia-drivers w. 3D acceleration (e.g. compiz) with grsecurity/pax working ? I've read about that in gentoo-forums (a post from around 2 years ago) many thanks in advance for your input http://forums.gentoo.org/viewtopic-t-435668.html

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
NVIDIA Drivers Receive Windows 8 Certification	News	Latest Tech And Game Headlines	0	06-01-12 05:30 AM
Radeon 9700 not all that?	sancheuz	Other Desktop Graphics Cards	200	10-12-02 09:31 PM
Nvidia Stereo Drivers	Soudontsay	NVIDIA Windows Graphics Drivers	2	08-26-02 10:48 AM
nvidia drivers in a motherboard with AGP 1.0 (motherboard MVP3+)	knocker	NVIDIA Linux	1	08-19-02 01:57 AM
NVIDIA 2960 Drivers & RH 7.3 W/2.4.18-5	XASCompuGuy	NVIDIA Linux	6	08-02-02 11:53 AM