According to linux man pages, MMAP_PAGE_ZERO flag used in personality system call makes the system emulates SVr4 behavior, meaning that zero page is mapped as read only. However, this a little naive trial (visible in the code below) does not prevent segmentation fault ocurrence.
#include <stdio.h>
#include <sys/personality.h>
int main(void)
{
int *ptr = 0;
(void)personality(MMAP_PAGE_ZERO);
printf("%d\n", *ptr);
return 0;
}
What should be the right usage of personality(MMAP_PAGE_ZERO) to achieve zero page mapped as read only for a process?
There are two reasons that wasn't working for you:
MMAP_PAGE_ZERO is set in load_elf_binary, so setting it after a process has started will have no effect.vm.mmap_min_addr sysctl, which isn't 0 on most systems.To fix the first problem, try this program instead, which re-executes itself after setting that:
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/personality.h>
#include <unistd.h>
int main(int argc, char **argv) {
int persona = personality(0xffffffff);
if(persona == -1) {
perror("personality");
return 1;
}
if(persona & MMAP_PAGE_ZERO) {
int *ptr = 0;
printf("%d\n", *ptr);
return 0;
} else {
if(personality(persona | MMAP_PAGE_ZERO) == -1) {
perror("personality");
return 1;
}
execv((const char *)getauxval(AT_EXECFN), argv);
perror("execv");
return 1;
}
}
To fix the second problem, you have three choices:
root, with sudo or somethingCAP_SYS_RAWIOvm.mmap_min_addr sysctl to 0Note that all of those choices will have security consequences.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments