3

Perhaps I am misunderstanding how this works, but to my knowledge ELF binaries can either have NX protections for the stack, or not. What I am assuming is that there is a place in the binary that spells this out, but I'm not sure exactly where this information is stored.

How do you figure out the page permissions for an ELF binary from a disassembly?

MrSynAckSter
  • 1,258
  • 1
  • 10
  • 24

2 Answers2

6

Permissions are in the p_flags member of the program header.

       typedef struct {
           uint32_t   p_type;
           Elf32_Off  p_offset;
           Elf32_Addr p_vaddr;
           Elf32_Addr p_paddr;
           uint32_t   p_filesz;
           uint32_t   p_memsz;
           uint32_t   p_flags;
           uint32_t   p_align;
       } Elf32_Phdr;

       p_flags     This member holds a bit mask of flags relevant to the
                   segment:

                   PF_X   An executable segment.
                   PF_W   A writable segment.
                   PF_R   A readable segment.

                   A text segment commonly has the flags PF_X and PF_R.  A
                   data segment commonly has PF_X, PF_W and PF_R.
broadway
  • 1,581
  • 8
  • 18
2

The ELF binaries have in them headers named "program headers". When the kernel loads up a binary into memory, it only cares about 3 types of headers. PT_LOAD indicating whether or not the content corresponding to the header needs to be loaded into memory, PT_GNU_STACK indicating whether or not the stack needs to be made executable and PT_INTERP for determining the interpreter used to execute the binary.

So yes, the kernel sets the stack as non-executable or executable depending on whether or not a program header is present in the ELF. The ELF process can later use mmap/mmap2/mprotect libc/system calls to give executable privileges to specific pages in memory.