Subject: Re: Time to make the stack non-executable?
From: Peter Wemm (pet...@wemm.org)
Date: Jun 30, 2002 1:42:05 pm
Terry Lambert wrote:
> Eivind Eklund wrote:
> > > One way to potentially work around this is to allow the stack pages to be marked executable by explicit linking with an alternate crt0.o, or, more usefully, by way of an attribute on the file (e.g. a "chflags").
> >
> > Is there some reason that we should not do this by way of a syscall that the particular process calls? If an exploit is at a point where it can run syscalls, I'd think we are screwed anyway, and we should know at compile time what programs would need this and not, if we do it globally. The only problem is legacy programs that need this.
>
> This is how a crt0/1 fix would *have to* work. It's the kernel that makes the decision on stack page mappings, and on stack growth (through the fault handler for the guard page).
The way I was going to implement this a few months ago (before I spoke with the gcc folks over lunch to find out if it would break anything - it would, nested functions - and they explained to me how little it buys us anyway) was to modify either crt1.o or libc to use a syscall to point to our own private trampoline code to be used instead of the one on the stack, and then switch %cs to another segment descriptor slot that doesn't include the stack, or add something like a SA_USERTRAMP flag to sigaction etc and have libc wrapperize the signal calls to set a user-level trampoline.
The implementation is easy. We can have an MD library call to turn stack execution on/off even (no privilege required - just flip a segment register in the x86 case). The only reason I never got around to it was that I had other more pressing things to do.
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
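The per-process "turn stack execution on/off" lever that Peter describes, shown as an added example that is not code from this thread or from FreeBSD. His mechanism was an i386 segment-limit trick (%cs pointing at a descriptor that excludes the stack); this example instead uses the page-protection equivalent that an NX-capable kernel gives every process today, mprotect(2), to make the same point: code copied into a stack buffer only runs once the process has itself flipped the protection. The function names try_run_on_stack and stack_is_executable, the /proc/self/maps probe (Linux-specific) and the six- or eight-byte "return 42" payload are all constructed for this example.

```c
/* Added example: probe whether the current stack is executable and flip it
 * per process with mprotect(2).  Not from the thread; the i386 segment trick
 * discussed there is replaced by page protections here. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed payload: a function that returns 42, as raw machine code, so it
 * can be copied into a stack buffer and called like a normal function. */
#if defined(__x86_64__)
static const unsigned char ret42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const unsigned char ret42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42; ret */
#else
#error "add the bytes for your architecture"
#endif

static sigjmp_buf probe_env;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);        /* unwind out of the faulting indirect call */
}

/* Reports whether the mapping holding the caller's stack frame is executable,
 * by locating it in /proc/self/maps (Linux).  Returns 1, 0, or -1 if the
 * mapping could not be found. */
int stack_is_executable(void) {
    int marker;                      /* any local variable gives a stack address */
    uintptr_t addr = (uintptr_t)&marker;
    char line[512];
    int verdict = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (addr >= lo && addr < hi) { verdict = (perms[2] == 'x'); break; }
    }
    fclose(f);
    return verdict;
}

/* Copies the payload into a stack buffer and calls it.  With want_exec != 0
 * the page holding the buffer is first made RWX and restored to RW afterwards
 * (the "library call to turn stack execution on/off").  Returns 42 if the
 * payload ran, -1 if the CPU refused (SIGSEGV: the stack is non-executable),
 * -2 if mprotect failed. */
int try_run_on_stack(int want_exec) {
    unsigned char buf[64] __attribute__((aligned(64)));  /* cannot straddle a page */
    long pagesz = sysconf(_SC_PAGESIZE);
    uintptr_t page = (uintptr_t)buf & ~((uintptr_t)pagesz - 1);
    struct sigaction sa, old;
    volatile int result = -1;

    memcpy(buf, ret42, sizeof ret42);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);  /* needed on arm64 */

    if (want_exec && mprotect((void *)page, (size_t)pagesz, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -2;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(probe_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(void *)buf;
        result = fn();                /* faults here when the stack is NX */
    }

    sigaction(SIGSEGV, &old, NULL);
    if (want_exec)
        mprotect((void *)page, (size_t)pagesz, PROT_READ | PROT_WRITE);  /* turn it back off */
    return result;
}

int main(void) {
    printf("stack executable now: %d\n", stack_is_executable());
    printf("run with stack as-is: %d\n", try_run_on_stack(0));  /* -1 on a default Linux binary */
    printf("run after mprotect:   %d\n", try_run_on_stack(1));  /* 42 */
    return 0;
}
```

The first call fails on any binary linked with a non-executable stack (the default with a modern toolchain, recorded in the PT_GNU_STACK header), and the second succeeds because the process changed its own protection, which is exactly the caveat raised in the thread: once an exploit can issue syscalls, a per-process toggle no longer protects it. The other point Peter makes, that the signal trampoline used to live on the stack and must move elsewhere before the stack can be made non-executable, is what today's libc does by supplying its own sigreturn restorer.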