From owner-freebsd-arch Sun Jun 30 04:41:00 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED47237B401; Sun, 30 Jun 2002 04:40:57 -0700 (PDT)
Received: from snipe.mail.pas.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9148743E0A; Sun, 30 Jun 2002 04:40:57 -0700 (PDT) (envelope-from tlambert2@mindspring.com)
Received: from pool0052.cvx40-bradley.dialup.earthlink.net ([216.244.42.52] helo=mindspring.com) by snipe.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 17Od4a-0007hk-00; Sun, 30 Jun 2002 04:40:56 -0700
Message-ID: <3D1EEE1E.80FBFFF2@mindspring.com>
Date: Sun, 30 Jun 2002 04:40:14 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Eivind Eklund
Cc: Bill Huey, Jake Burkholder, arch@FreeBSD.ORG
Subject: Re: Time to make the stack non-executable?
References: <3D1E28ED.B67A5271@FreeBSD.org> <3D1E3126.C96FFAA5@mindspring.com> <20020629185554.I71376@locore.ca> <20020629232603.GA1361@gnuppy.monkey.org> <3D1E55E5.998DCEBA@mindspring.com> <20020630124508.A14361@phoenix.dmnstech.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Eivind Eklund wrote:
> > One way to potentially work around this is to allow the stack
> > pages to be marked executable by explicit linking with an
> > alternate crt0.o, or, more usefully, by way of an attribute on
> > the file (e.g. a "chflags").
>
> Is there some reason that we should not do this by way of a syscall that the
> particular process calls? If an exploit is at a point where it can run
> syscalls, I'd think we are screwed anyway, and we should know at compile time
> what programs would need this and not, if we do it globally. The only problem
> is legacy programs that need this.

This is how a crt0/1 fix would *have to* work. It's the kernel that makes the decision on stack page mappings, and on stack growth (through the fault handler for the guard page).

The reason this was less useful than a file attribute is that it would have to be called explicitly. The default would have to be "allowed", with the call being "relinquish". That's why it would need the compiler option O'Brian was talking about implementing, if I hacked up crt1 for him.

It would be like being root by default in all programs, and having to call "setuid" to become non-root, which also makes it undesirable.

I think this is heading down into the implementation details, and it's important to keep it at a higher level for right now, so I won't comment on the rest...

-- Terry
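The "default allowed, process relinquishes" model Terry describes, as an added example that is not part of the original thread or of any FreeBSD crt0/crt1 code. The kernel-side decision (stack mappings and growth through the guard-page fault handler) cannot be shown from user space, so the example stands in for the stack with an anonymous page mapped RWX, issues the "relinquish" call as mprotect(2) dropping PROT_EXEC (the call a patched crt1 would make on behalf of programs that do not need an executable stack), and checks the effect by copying a tiny "return 42" stub onto the page and running it before and after, catching the NX fault with a SIGSEGV handler and siglongjmp. The function names, the stub bytes (x86-64 and aarch64 only) and the page-sized region are assumptions of the example, not anything from the page.

```c
/*
 * Added example, not from the freebsd-arch thread: simulate "executable
 * by default, relinquish via a syscall" on a user-space stand-in for the
 * stack.  Builds on Linux or FreeBSD, x86-64 or aarch64.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Native encoding of "return 42" (assumed stub; only these two ISAs). */
#if defined(__x86_64__)
static const unsigned char RET42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52,               /* mov w0,#42 */
                                       0xC0, 0x03, 0x5F, 0xD6 };             /* ret        */
#else
#error "example encodes the stub for x86-64 and aarch64 only"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the failed call */
}

/* Legacy state: a page that is readable, writable and executable.
 * Returns NULL if the kernel refuses an RWX anonymous mapping. */
void *legacy_stack_alloc(size_t *len)
{
    *len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, *len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* The "relinquish" call: keep RW, drop PROT_EXEC.  0 on success. */
int relinquish_stack_exec(void *stack, size_t len)
{
    return mprotect(stack, len, PROT_READ | PROT_WRITE);
}

/* Write the stub onto the page and try to execute it.
 * Returns 42 if the page is executable, -1 if the CPU faulted. */
int try_exec_on_stack(void *stack)
{
    memcpy(stack, RET42, sizeof RET42);               /* page stays writable */
    __builtin___clear_cache((char *)stack, (char *)stack + sizeof RET42);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))stack;
        result = fn();
    } else {
        result = -1;                                   /* NX fault caught */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Whole sequence: 1 if the stub ran under the legacy mapping and faulted
 * after relinquishing, 0 otherwise (including a refused RWX mapping). */
int relinquish_demo(void)
{
    size_t len;
    void *stack = legacy_stack_alloc(&len);
    if (stack == NULL)
        return 0;
    int before = try_exec_on_stack(stack);
    int rc     = relinquish_stack_exec(stack, len);
    int after  = try_exec_on_stack(stack);
    munmap(stack, len);
    return (before == 42 && rc == 0 && after == -1) ? 1 : 0;
}

int main(void)
{
    printf("default-exec then relinquish: %s\n",
           relinquish_demo() ? "stub ran, then faulted as expected" : "unexpected");
    return 0;
}
```

The point of the order of operations is Terry's objection: until relinquish_stack_exec() is called, the stub runs, so any code that reaches the page before that call (or any program that never makes it) keeps the old behaviour. A mapping that is non-executable from the start would make the first try_exec_on_stack() fault too.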