I recently install 64-bit OpenSuse 11.3, the first time I’d used Suse 64-bit - I have to say it has been all good so far, which is great.
However, today I was experimenting with a tool that tests vulnerabilities which should be remedied if using an NX capable processor. I am running 2.6.34.7-0.5-desktop on an Intel Core i7. I downloaded a 64-bit compatible version of paxtest from :
(If you get this make sure to use the above if compiling in a 64-bit environment, earlier versions will not build nicely.)
Running it I was surprised to see that the NX capabilities of the CPU do not appear to be honored.
Here are my results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or laterMode: blackhat
Linux callandor 2.6.34.7-0.5-desktop #1 SMP PREEMPT 2010-10-25 08:40:12 +0200 x86_64 x86_64 x86_64 GNU/LinuxExecutable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
==>Executable bss (mprotect) : Vulnerable
==>Executable data (mprotect) : Vulnerable
==>Executable heap (mprotect) : Vulnerable
==>Executable stack (mprotect) : Vulnerable
==>Executable shared library bss (mprotect) : Vulnerable
==>Executable shared library data (mprotect): Vulnerable
==>Writable text segments : Vulnerable
Anonymous mapping randomisation test : 28 bits (guessed)
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (PIE) : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 28 bits (guessed)
Shared library randomisation test : 28 bits (guessed)
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
From my understanding, NX was one of the big deals a few years back and was a main feature provided by the PAE kernel. I would have thought the default 64-bit kernel would have included NX support. I also thought per NX bit - Wikipedia, the free encyclopedia that NX support has been in the kernel since 2.6.8
I looked in config-2.6.34.7-0.5-desktop but did not see anything related to NX/XD config wise, other than DEBUG_NX_TEST
What am I missing here? Shouln’t this test fail in the Executable [bss, stack, etc.] tests on 64-bit with a NX capable processor?
Cheers,
Pete