mprotect(2) clears the flag for whole page which causes program crash.

Kostik Belousov kostikbel at gmail.com
Tue Nov 17 12:29:00 UTC 2009


On Tue, Nov 17, 2009 at 03:29:19PM +0530, Sharad Chandra wrote:
> Hi,
> 
> mprotect clears the exec flag of the whole page, by which my program crashed. I am 
> attaching sample code. It is performing the below task:
> 
> 1) allocate memory1
> 2) allocate memory2
> 3) change permission of memory 1 and 2 to exec by mprotect.
> 4) clear the exec permission of memory 1 and free it.
> 5) execute the memory2 by mapping to pointer function.
> 6) clear the exec permission of memory 2 and free it.
> 
> Program crashed at step 5 if memory 1 and 2 are in same page.
> 
> $ uname -a
> FreeBSD app164.in.niksun.com 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 
> 07:18:07 UTC 2009     
> root at driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
> 
> $ gcc -g -o test -Wall mprotect.c
> $ ./test
> mem1 at: 34369183888
> mem2 at: 34369183892
> address difference: 4
> test_func1 function returned 0
> test_func2 will crash here
> Segmentation fault (core dumped)
> 
> Is it a known bug, or is there any workaround? How will a userland process make 
> sure that the process will not crash, as malloc(3) can allocate wherever it gets 
> free memory to use?

The attachment was stripped. Anyway, mprotect(2) works at page granularity.
The first sentence of the mprotect manpage says:
 The mprotect() system call changes the specified pages to have
 protection prot.

By design, mprotect uses the hardware capabilities of the processor's MMU
to enforce the protection, and the MMU works at page granularity.