Date: Sun, 30 Jun 2002 13:42:27 -0700
From: Peter Wemm <peter@wemm.org>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: Eivind Eklund <eivind@FreeBSD.ORG>, Bill Huey <billh@gnuppy.monkey.org>, Jake Burkholder <jake@locore.ca>, arch@FreeBSD.ORG
Subject: Re: Time to make the stack non-executable?
Message-ID: <20020630204227.40C57390F@overcee.wemm.org>
In-Reply-To: <3D1EEE1E.80FBFFF2@mindspring.com>
Terry Lambert wrote:
> Eivind Eklund wrote:
> > > One way to potentially work around this is to allow the stack
> > > pages to be marked executable by explicit linking with an
> > > alternate crt0.o, or, more usefully, by way of an attribute on
> > > the file (e.g. a "chflags").
> >
> > Is there some reason that we should not do this by way of a syscall that the
> > particular process calls? If an exploit is at a point where it can run
> > syscalls, I'd think we are screwed anyway, and we should know at compile time
> > what programs would need this and not, if we do it globally. The only problem
> > is legacy programs that need this.
>
> This is how a crt0/1 fix would *have to* work. It's the kernel
> that makes the decision on stack page mappings, and on stack
> growth (through the fault handler for the guard page).

The way I was going to implement this a few months ago (before I spoke
with the gcc folks over lunch to find out if it would break anything - it
would, nested functions - and they explained to me how little it buys us
anyway) was to modify either crt1.o or libc to use a syscall to point to
our own private trampoline code to be used instead of the one on the
stack, and then switch %cs to another segment descriptor slot that doesn't
include the stack, or add something like a SA_USERTRAMP flag to sigaction
etc and have libc wrapperize the signal calls to set a user-level
trampoline.

The implementation is easy. We can have a MD library call to turn stack
execution on/off even (no privilege required - just flip a segment
register in the x86 case).

The only reason I never got around to it was that I had other more
pressing things to do.

Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
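The mechanism the whole thread turns on is that a trampoline (the kernel's signal-return stub on the user stack, or a gcc nested-function thunk) only runs if the page it sits on is mapped executable. The program below is an added example written for this page; it is not code from the thread, from FreeBSD's crt1/libc, or from the SA_USERTRAMP idea Peter sketches. It copies a six-byte constructed x86-64 trampoline ("mov eax, 42; ret") into a fresh anonymous page, flips that page between executable and read-only with mprotect(2), and tries to call it, catching the resulting fault with sigsetjmp/siglongjmp so the outcome is a return value rather than a crash. Assumptions: an x86-64 Linux or FreeBSD host with NX page tables, POSIX mmap/mprotect/sigaction, and the function names try_execute and run_trampoline_with, which are mine. An mmap'd page stands in for the real stack so the demo does not depend on the loader's stack-protection flags; the permission check the hardware applies is the same.

```c
#define _GNU_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed x86-64 trampoline: "mov eax, 42 ; ret".
 * Assumption: the host is x86-64 (Linux or FreeBSD) with NX support. */
static const unsigned char tramp_code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

static sigjmp_buf fault_jb;

/* Executing a non-executable page raises SIGSEGV (SIGBUS on some systems).
 * Unwind back into try_execute() instead of letting the process die. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jb, 1);
}

/* Call the code at `region` with fault handlers installed.
 * Returns the trampoline's result (42) on success, -1 if it faulted. */
int try_execute(void *region)
{
    struct sigaction sa, old_segv, old_bus;
    int (*fn)(void);
    volatile int result = -1;   /* volatile: survives the siglongjmp */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    memcpy(&fn, &region, sizeof fn);   /* object pointer -> function pointer */
    if (sigsetjmp(fault_jb, 1) == 0)   /* 1: restore the signal mask on return */
        result = fn();

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Put the trampoline in a fresh anonymous page, set the page's final
 * protection to `prot`, and try to run it.
 * Returns 42 (ran), -1 (faulted), -2 (mmap failed), -3 (mprotect failed). */
int run_trampoline_with(int prot)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int result;

    if (page == MAP_FAILED)
        return -2;
    memcpy(page, tramp_code, sizeof tramp_code);
    if (mprotect(page, ps, prot) != 0) {
        munmap(page, ps);
        return -3;
    }
    result = try_execute(page);
    munmap(page, ps);
    return result;
}

int main(void)
{
    printf("executable page: %d\n", run_trampoline_with(PROT_READ | PROT_EXEC));
    printf("read-only page : %d\n", run_trampoline_with(PROT_READ));
    return 0;
}
```

With the page mapped PROT_READ|PROT_EXEC the call returns 42; with PROT_EXEC dropped the very same bytes fault at the first instruction fetch. That second case is exactly what a non-executable stack does to an on-stack signal trampoline or a gcc nested-function thunk, which is why the mail either relocates the trampoline off the stack or needs a per-process way to turn stack execution back on.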