Date: Mon, 3 Mar 1997 13:25:23 -0500 (EST)
From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: hackers@freebsd.org
Subject: Removing execute privs from stack pages
Message-ID: <199703031825.NAA17682@skynet.ctr.columbia.edu>
I've got a question for you VM/i386 gurus out there. Recently, somebody showed me a script for Solaris/SPARC to short-circuit buffer overflow security holes by removing execute access from the user stack pages. Doing this does not prevent buffer overflows and stack corruption from happening, but it does prevent any malicious code written to the stack from being executed, thus rendering the overflow condition harmless. (Well, sort of: the overflow can still crash the process, but at least it prevents suid/sgid programs with buffer overflow bugs from giving away privs.)

My question is: can this sort of thing be done with FreeBSD/i386? From what little I know, the 386 segment descriptors allow you to designate a memory segment as data or code. Presumably, an attempt to jump to an address within a data segment will trigger a trap. Unfortunately, I don't know enough about i386 protected mode programming or FreeBSD's VM subsystem to experiment with this sort of thing.

From a cursory look at the code, exec_new_vmspace() does this:

        /* Allocate a new stack */
        error = vm_map_find(&vmspace->vm_map, NULL, 0, (vm_offset_t *)&stack_addr,
            SGROWSIZ, FALSE, VM_PROT_ALL, VM_PROT_ALL, 0);
        if (error)
                return(error);

VM_PROT_ALL implies VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE. I tried using VM_PROT_READ|VM_PROT_WRITE instead, but this didn't seem to have any effect. Somehow I get the feeling that VM_PROT_READ implies VM_PROT_EXECUTE. If so, this is a shame. It would be great if we could get VM_PROT_EXECUTE to actually mean something.

- Is this even possible with the i386 MMU?
- Is this possible with the FreeBSD VM subsystem? (If not, could it be made possible?)
- Is FreeBSD (or 4.4BSD in general) dependent on the stack pages being marked executable?

Inquiring minds want to know. I can't think of any particular reason why you'd want the stack pages to be executable anyway, but again I don't know enough details to judge. Could be I'm totally out in left field here.
-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
=============================================================================
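The question above (are a program's stack pages going to be mapped executable?) has a modern, per-binary answer on ELF systems: the loader takes the stack's protection from the PT_GNU_STACK program header, and PF_X in its flags means an executable stack. The checker below is an added example, not code from Bill Paul's message or from FreeBSD; it goes beyond the 1997 a.out world by assuming ELF, and the two binaries it inspects are constructed inline so it runs offline.

```python
"""Report whether an ELF image requests an executable stack (PT_GNU_STACK)."""
import struct

PT_GNU_STACK = 0x6474E551        # program header type carrying stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK header, or None if there is none
    (on x86 Linux a missing header is treated as a request for an executable stack)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                           # Elf64_Phdr: p_type, p_flags lead
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:                              # Elf32_Phdr: p_flags sits at +24
            p_type, = struct.unpack_from(end + "I", elf, off)
            p_flags, = struct.unpack_from(end + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(elf):
    flags = stack_flags(elf)
    return flags is None or bool(flags & PF_X)

def _fake_elf64(stack_perms):
    """Constructed sample: a 64-byte ELF64 header followed by one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # 64-bit, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_perms, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

RW_STACK_IMAGE = _fake_elf64(PF_R | PF_W)          # what a hardened toolchain emits
RWE_STACK_IMAGE = _fake_elf64(PF_R | PF_W | PF_X)  # the condition Bill wants to rule out

if __name__ == "__main__":
    for name, img in (("rw", RW_STACK_IMAGE), ("rwe", RWE_STACK_IMAGE)):
        print(name, "executable stack:", stack_is_executable(img))
```

Pointed at real files (`open(path, "rb").read()`), this gives the same answer as `readelf -lW` does for the GNU_STACK line, which is the cheap way to audit a set of suid binaries for the property the message discusses.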