make check_no_exec() work reliable

Peter Beutner p.beutner at gmx.net
Mon Dec 4 15:30:08 CST 2006


Alexandre Julliard wrote:
> Peter Beutner <p.beutner at gmx.net> writes:
> 
>> But as linux can't just switch on/off the protection for specific processes, wine has to
>> emulate it by marking all readable memory as executable as well. And as all this happens
>> behind the application's back, I would still go with my first proposal to just pair 
>> every PROT_READ with a PROT_EXEC in dlls/ntdll/virtual.c:VIRTUAL_GetUnixProt().
>>
>> Does that sound acceptable?
> 
> Given your investigations that sounds reasonable, yes, thanks for
> taking the time to look into this. Does something like this work for
> you?

Yes, it works. This should be pretty much equal to the default OptIn policy under windows,
i.e. disable the protection for everyone unless the app explicitely say it can handle it.
(except for the fact that wine always does this now, even if the cpu hasn't NX or something
aquivalent.Shouldn't really hurt anyone though.)

> diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
> index 99c90c4..4d15779 100644
> --- a/dlls/ntdll/loader.c
> +++ b/dlls/ntdll/loader.c
> @@ -2126,6 +2126,8 @@ void WINAPI LdrInitializeThunk( ULONG unknown1, ULONG unknown2, ULONG unknown3,
>  
>      peb->ProcessParameters->ImagePathName = wm->ldr.FullDllName;
>      version_init( wm->ldr.FullDllName.Buffer );
> +    if (!(nt->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT))
> +        VIRTUAL_SetForceExec( TRUE );

I'm not so sure about this, I think I read somewhere that each loaded DLL is checked for this
not just the main exe and the protection is disabled if at least on module is not nx compatible.
But as no wine dll is marked as NX_COMPAT(i assume) this would basically mean to always disable the
protection.
It probably doesn't hurt to leave it like this for now.
The rest (build wine dlls with NX_COMPAT and do this check for every lib) can still be added later.
I think it's not quite common anyway that the main exe is flagged as NX_COMPAT and some dll of the
app is not ;)



More information about the wine-devel mailing list