20 messages in org.freebsd.freebsd-archRe: Time to make the stack non-execut...| From | Sent On | Attachments |
|---|---|---|
| Terry Lambert | Jun 29, 2002 3:13 pm | |
| Jake Burkholder | Jun 29, 2002 3:55 pm | |
| Alfred Perlstein | Jun 29, 2002 4:08 pm | |
| Julian Elischer | Jun 29, 2002 4:14 pm | |
| Jake Burkholder | Jun 29, 2002 4:24 pm | |
| Bill Huey | Jun 29, 2002 4:25 pm | |
| Terry Lambert | Jun 29, 2002 5:50 pm | |
| Bill Huey | Jun 29, 2002 6:18 pm | |
| David O'Brien | Jun 29, 2002 7:39 pm | |
| Bakul Shah | Jun 29, 2002 10:40 pm | |
| Arun Sharma | Jun 29, 2002 11:31 pm | |
| Peter Wemm | Jun 29, 2002 11:59 pm | |
| Igor Sysoev | Jun 30, 2002 2:49 am | |
| Terry Lambert | Jun 30, 2002 3:24 am | |
| Terry Lambert | Jun 30, 2002 3:38 am | |
| Eivind Eklund | Jun 30, 2002 3:44 am | |
| Terry Lambert | Jun 30, 2002 4:39 am | |
| Cedric Berger | Jun 30, 2002 5:14 am | |
| Terry Lambert | Jun 30, 2002 5:24 am | |
| Peter Wemm | Jun 30, 2002 1:42 pm |
| Subject: | Re: Time to make the stack non-executable? | |
|---|---|---|
| From: | Terry Lambert (tlam...@mindspring.com) | |
| Date: | Jun 30, 2002 4:39:52 am | |
| List: | org.freebsd.freebsd-arch | |
Eivind Eklund wrote:
One way to potentially work around this is to allow the stack pages to be marked executable by explicit linking with an alternate crt0.o, or, more usefully, by way of an attribute on the file (e.g. a "chflags").
Is there some reason that we should not do this by way of a syscall that the particular process calls? If an exploit is at a point where it can run syscalls, I'd think we are screwed anyway, and we should know at compile time what programs would need this and not, if we do it globally. The only problem is legacy programs that need this.
This is how as crt0/1 fix would *have to* work. It's the kernel that makes the decision on stack page mappings, and on stack growth (through the fault handler for the guard page).
The reason this was less useful than a file attribute is that it would have to be called explicitly. The default would have to be "allowed", with the call being "relinquish". That's why it would need the compiler option O'Brian was talking about implementing, if I hacked up ctr1 for him. It would be like being root by default in all programs, and having to call "setuid" to become non-root, which also makes it undesirable.
I think this is heading down into the implementation details, and it's important to keep it at a higher level for right now, so I won't comment on the rest...
-- Terry
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message