I am studying for an exam tomorrow and I ran across this question:

After we run an executable with strace, the following syscalls result regarding the standard C lib:

  • open("/lib/libc.so.6", "O_RDONLY") = 3
  • mmap(NULL, 36803630, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_DENYWRITE, 3, 0) = 0x7f312ab35000
  • mmap(0x7f312aeae000, 20480, PROT_READ | PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x179000) = 0x7f312aeae000

The question is: why does the first mmap syscall use PROT_READ|PROT_EXEC and the second one PROT_READ|PROT_WRITE?

Please explain to me what happens after each mmap call in detail. I don't understand why a process would need to modify libc (write access).

Dan Lincan

1 Answer

The maps are private (MAP_PRIVATE), so nothing is modifying libc.so; instead, it's modifying a private (to the process) copy of pages mapped from libc.so. This will include the data segment (global variables in libc) as well as the Global Offset Table (GOT) and perhaps other structures involved in relocating the library to a particular address at runtime.

R.. GitHub STOP HELPING ICE
  • And why does PROT_EXEC disappear? – Dan Lincan May 25 '12 at 16:04
  • Data does not need to be executable; it's data, not code. And making writable memory executable is considered a security risk since it expands the class of vulnerabilities that can be elevated to arbitrary-code-execution by allowing the attacker a place to put the code. Many hardened systems don't even allow memory to be mapped with both write and execute permission simultaneously. – R.. GitHub STOP HELPING ICE May 25 '12 at 16:53
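
The two points made in the answer and its comments, as an added example that is not part of the original answer or comments: a write through a `MAP_PRIVATE` mapping changes only the process's copy of the page, and a scan of a `/proc/<pid>/maps`-format listing counts mappings that are both writable and executable. It assumes Linux; the function names and the scratch file path are made up for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a write through a MAP_PRIVATE mapping changed the process's
 * copy but left the file itself untouched, 0 if not, -1 on error. */
int private_write_leaves_file_unchanged(void)
{
    char path[] = "/tmp/mmap_private_XXXXXX";   /* constructed scratch file */
    char disk[9] = {0};
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* fd stays valid; no cleanup needed */
    if (write(fd, "original", 8) != 8) { close(fd); return -1; }
    char *p = mmap(NULL, 8, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    memcpy(p, "MODIFIED", 8);                   /* triggers copy-on-write */
    ssize_t n = pread(fd, disk, 8, 0);          /* what the file really holds */
    int ok = n == 8 && memcmp(p, "MODIFIED", 8) == 0
                    && memcmp(disk, "original", 8) == 0;
    munmap(p, 8);
    close(fd);
    return ok;
}

/* Counts mappings that are both writable and executable in a stream in
 * /proc/<pid>/maps format ("start-end perms offset dev inode path"). */
int count_wx_mappings(FILE *maps)
{
    char line[4352], perms[8];
    int n = 0;
    while (fgets(line, sizeof line, maps))
        if (sscanf(line, "%*s %7s", perms) == 1 &&
            strchr(perms, 'w') && strchr(perms, 'x'))
            n++;
    return n;
}

int main(void)
{
    printf("file unchanged: %d\n", private_write_leaves_file_unchanged());
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) { printf("W+X mappings: %d\n", count_wx_mappings(f)); fclose(f); }
    return 0;
}
```

In the same `/proc/self/maps` listing, the libc code mapping shows as `r-xp` and its data mapping as `rw-p`, matching the two `mmap` calls in the question.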