security bug - LibreOffice shouldn't require writable and executable memory pages at the same time

Hess THR

Hello,

Can someone please take a look at this:

https://bugs.documentfoundation.org/show_bug.cgi?id=115486


Description:
https://stackoverflow.com/questions/48631646/why-does-libreoffice-wants-memory-pages-to-be-writable-and-executable-in-the-sam

OpenBSD has great features for memory protection, e.g. W^X.

https://en.wikipedia.org/wiki/W^X

https://man.openbsd.org/mount

We can disable this function with the "wxallowed" mount point if a program needs it, and sadly, LibreOffice needs the wxallowed on /usr/local/.

See example here: https://unix.stackexchange.com/questions/411405/libreoffice-soffice-oosplash-start-permission-denied-error

Steps to Reproduce:
1. Use a secure OS that can help security audits, e.g. OpenBSD
2. Remove the wxallowed flag from /usr/local to enable W^X enforcement, reboot
3. LibreOffice cannot start anymore, because it requires writable and executable memory pages at the same time; see the Wiki link for why this is dangerous: https://en.wikipedia.org/wiki/W%5EX

Actual Results:  
LibreOffice is prone to memory bugs if it needs writable/executable memory pages

Expected Results:
LibreOffice should run even with the wxallowed mount option removed.


Reproducible: Always


User Profile Reset: No



Additional Info:
This is a security issue, please fix it with higher prio.

Additional help from the forums:

I'm not really sure but my guess is that LibreOffice is doing some dynamic runtime linking of a shared object and it's mapping the whole address space using one syscall with PROT_READ|PROT_WRITE|PROT_EXEC or alternatively PROT_ALL which I have already seen somewhere on GitHub. – Karim Manaouil

@KarimManaouil Probably here:

https://github.com/LibreOffice/core/blob/b7c5ddcdd05ceba73acb1a298500892d6157f360/bridges/source/cpp_uno/shared/vtablefactory.cxx

It creates anonymous mapping with RWX access. – Ivan
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
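
The mapping pattern the forum comments describe, next to a W^X-compatible sequence, as an added example that is not part of the original post and not LibreOffice code. The function names `probe_rwx` and `wx_publish` and the placeholder bytes are hypothetical; the bytes are only stored and compared, never executed.

```c
#define _DEFAULT_SOURCE   /* exposes MAP_ANON on glibc under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* The pattern named in the thread: one anonymous mapping that is writable
 * and executable at the same time. Returns 1 if the OS grants it, 0 if the
 * request is refused (what a W^X-enforcing system is expected to do). */
int probe_rwx(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* W^X-compatible alternative: map read/write, copy the generated bytes in,
 * then trade write permission for execute permission with mprotect().
 * The region is never writable and executable at once.
 * Returns the sealed mapping, or NULL on any failure. */
void *wx_publish(const void *code, size_t n, size_t len) {
    if (n > len)
        return NULL;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, code, n);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}

int main(void) {
    /* Constructed placeholder bytes standing in for generated code. */
    static const unsigned char stub[] = { 0xde, 0xad, 0xbe, 0xef };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);

    printf("simultaneous W+X mapping: %s\n",
           probe_rwx(page) ? "granted" : "refused");
    void *p = wx_publish(stub, sizeof stub, page);
    printf("write-then-seal mapping:  %s\n", p ? "ok" : "failed");
    if (p)
        munmap(p, page);
    return p ? 0 : 1;
}
```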