Question

I am suddenly curious about something. Shared libraries such as glibc (in Linux) and kernel32.dll (in Windows) are physically shared among processes. However, since these libraries are located (mapped) in the user virtual memory address space, I think a malicious process could change the access property of the shared library memory region to write-enabled and mess up all of its contents to crash all the other processes sharing it.

I performed the following experiment in Linux, and the system didn't crash. Below is my test source code.

meltdown@ubuntu:/tmp$ cat a.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

int g = 0;

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hex address of a libc page>\n", argv[0]);
        return 1;
    }
    /* page-aligned address of the libc mapping, taken from the ldd output */
    int *a = (int *)strtoul(argv[1], 0, 16);
    printf("globals : %p\n", (void *)&g);
    printf("a : %p\n", (void *)a);

    /* make one page of the library mapping writable (and executable) */
    if (mprotect(a, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }

    /* overwrite 0x3f0 ints (0xfc0 bytes) of that page with zeros */
    int i;
    for (i = 0; i < 0x3f0; i++) {
        *(a + i) = 0;
    }

    printf("done?\n");

    while (1)
        ;
    return 0;
}
meltdown@ubuntu:/tmp$ 

Before I ran this program, I located the virtual address of libc.so.6 (I set my kernel not to use ASLR):

meltdown@ubuntu:/tmp$ ldd a
linux-gate.so.1 =>  (0xb7fff000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e37000)
/lib/ld-linux.so.2 (0x80000000)

After confirming the address of libc, I tried to overwrite some part of it with NULLs:

meltdown@ubuntu:/tmp$ ./a 0xb7e37000
globals : 0x804a030
a : 0xb7e37000
done?
^C
meltdown@ubuntu:/tmp$ 

Since libc is shared in physical memory, I assumed that if I successfully overwrote the memory of libc, the system would crash. However, the system is just fine. I think something has happened here to prevent what I intended.

Can someone explain to me why the system did not crash? Thank you in advance.

PS. I am not talking about NX or DEP, please don't confuse them. I am talking about overwriting the shared library memory region with full access permission (say, a root process uses mprotect(..., ..., PROT_READ|PROT_WRITE|PROT_EXEC))...


Solution

shared libraries such as glibc(in Linux), kernel32.dll(in Windows) are physically shared among processes.

Correct, but with the COW (copy-on-write) property. Once your process writes to a shared page, it gets a copy of the page that is no longer shared with any other process.

I think a malicious process could ... mess up every contents to crash all the other process sharing them.

No, it can't. It can only mess up the contents of its own copy and crash itself.
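To see the copy-on-write behaviour the answer describes in action, here is an added example written for this page; it is not code from the question or the answer. It assumes a Linux host with a writable /tmp and a readable /proc/self/maps. A one-page temp file filled with a known byte stands in for a library's text page: it is mapped once MAP_PRIVATE (the way ld.so maps a library's segments) and once MAP_SHARED (a second view of the same physical file, standing in for another process). The private mapping is then made writable and clobbered exactly as in the question. The example also scans the process's own libc entries in /proc/self/maps and checks that every one of them carries the 'p' (private) flag, which is the reason the write in the question only ever reached a private copy.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed stand-in for a shared library page: a one-page temp file
 * filled with 'A'. Mapped MAP_PRIVATE (like a library) and MAP_SHARED
 * (a second observer). After mprotect() + write through the private
 * mapping, copy-on-write gives this process its own page; the shared
 * view and the file itself must still hold the original bytes.
 * Returns 1 when that is what is observed, 0 otherwise. */
int cow_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/cow-demo-XXXXXX";    /* assumption: /tmp is writable */
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 0; }
    unlink(path);                             /* the file lives on via fd only */

    unsigned char *fill = malloc(page);
    if (!fill) { close(fd); return 0; }
    memset(fill, 'A', page);
    if (write(fd, fill, page) != page) { perror("write"); free(fill); close(fd); return 0; }
    free(fill);

    unsigned char *priv   = mmap(NULL, page, PROT_READ, MAP_PRIVATE, fd, 0);
    unsigned char *shared = mmap(NULL, page, PROT_READ, MAP_SHARED,  fd, 0);
    if (priv == MAP_FAILED || shared == MAP_FAILED) { perror("mmap"); close(fd); return 0; }

    /* what the question's program does: flip the read-only page to writable */
    if (mprotect(priv, page, PROT_READ | PROT_WRITE) != 0) { perror("mprotect"); close(fd); return 0; }
    memset(priv, 0, page);                    /* ... and clobber it */

    unsigned char on_disk = 0;
    int ok = priv[0] == 0                     /* our private copy is zeroed */
          && shared[0] == 'A'                 /* the other view is untouched */
          && pread(fd, &on_disk, 1, 0) == 1
          && on_disk == 'A';                  /* and so is the file */

    munmap(priv, page);
    munmap(shared, page);
    close(fd);
    return ok;
}

/* Scan /proc/self/maps for this process's own libc and count how many of
 * its mappings carry the 'p' (private, copy-on-write) flag. Stores that
 * count in *private_out and returns the total number of libc mappings,
 * or -1 if /proc/self/maps cannot be read (non-Linux host). */
int libc_mapping_flags(int *private_out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int total = 0, private_count = 0;
    while (fgets(line, sizeof line, f)) {
        /* match libc.so.6 and the older libc-2.xx.so name, not libcrypto etc. */
        if (!strstr(line, "/libc.so") && !strstr(line, "/libc-")) continue;
        unsigned long lo, hi;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3) continue;
        total++;
        if (perms[3] == 'p') private_count++;
    }
    fclose(f);
    *private_out = private_count;
    return total;
}

/* 1 if every libc mapping found is private (vacuously true when none are
 * found or /proc is unavailable), 0 if any libc mapping is shared. */
int libc_all_private(void)
{
    int private_count = 0;
    int total = libc_mapping_flags(&private_count);
    return total < 0 || total == private_count;
}

int main(void)
{
    int private_count = 0;
    int total = libc_mapping_flags(&private_count);
    printf("libc mappings: %d, private (copy-on-write): %d\n", total, private_count);
    printf("copy-on-write observed: %s\n", cow_demo() ? "yes" : "no");
    return 0;
}
```

Build with `gcc -O0 -o cow cow.c` and run it. The private view is zeroed while the MAP_SHARED view and the file still read 'A', and every libc entry in /proc/self/maps ends its permission column with 'p'. That 'p' is the whole story: the kernel never lets a write through a private mapping reach the page cache, so the page other processes map stays intact.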

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow