From owner-freebsd-arch Sun Jun 30 13:42:36 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2F5037B406; Sun, 30 Jun 2002 13:42:21 -0700 (PDT)
Received: from overcee.wemm.org (12-232-114-102.client.attbi.com [12.232.114.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0547543E09; Sun, 30 Jun 2002 13:42:21 -0700 (PDT) (envelope-from peter@wemm.org)
Received: from wemm.org (localhost [127.0.0.1]) by overcee.wemm.org (Postfix) with ESMTP id 40C57390F; Sun, 30 Jun 2002 13:42:27 -0700 (PDT) (envelope-from peter@wemm.org)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Terry Lambert
Cc: Eivind Eklund, Bill Huey, Jake Burkholder, arch@FreeBSD.ORG
Subject: Re: Time to make the stack non-executable?
In-Reply-To: <3D1EEE1E.80FBFFF2@mindspring.com>
Date: Sun, 30 Jun 2002 13:42:27 -0700
From: Peter Wemm
Message-Id: <20020630204227.40C57390F@overcee.wemm.org>
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Terry Lambert wrote:
> Eivind Eklund wrote:
> > > One way to potentially work around this is to allow the stack
> > > pages to be marked executable by explicit linking with an
> > > alternate crt0.o, or, more usefully, by way of an attribute on
> > > the file (e.g. a "chflags").
> >
> > Is there some reason that we should not do this by way of a syscall
> > that the particular process calls? If an exploit is at a point where
> > it can run syscalls, I'd think we are screwed anyway, and we should
> > know at compile time what programs would need this and not, if we do
> > it globally. The only problem is legacy programs that need this.
>
> This is how a crt0/1 fix would *have to* work. It's the kernel
> that makes the decision on stack page mappings, and on stack
> growth (through the fault handler for the guard page).
The way I was going to implement this a few months ago (before I spoke with the gcc folks over lunch to find out if it would break anything - it would, nested functions - and they explained to me how little it buys us anyway) was to modify either crt1.o or libc to use a syscall to point to our own private trampoline code to be used instead of the one on the stack, and then switch %cs to another segment descriptor slot that doesn't include the stack, or add something like a SA_USERTRAMP flag to sigaction etc and have libc wrapperize the signal calls to set a user-level trampoline.

The implementation is easy. We can have a MD library call to turn stack execution on/off even (no privilege required - just flip a segment register in the x86 case).

The only reason I never got around to it was that I had other more pressing things to do.

Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
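The user-level signal trampoline Peter sketches above (a SA_USERTRAMP-style flag so libc, not the kernel, supplies the code the handler returns through, keeping it off the stack) is the piece that makes a non-executable stack workable for signals. The following is an added example, not Peter's code and not FreeBSD's: it uses Linux x86_64's SA_RESTORER, which is the same idea already implemented there (glibc's `__restore_rt` is a two-instruction trampoline in .text), installs a handler through the raw `rt_sigaction` syscall with a trampoline living in .text, and proves the handler returns cleanly by delivering the signal twice. The `struct kernel_sigaction` layout, the `SA_RESTORER` value and the `rt_sigreturn` number (15) are the x86_64 Linux ABI; on any other target the code falls back to plain `sigaction()`, so the trampoline part is a Linux x86_64 assumption.

```c
// Added example: a user-supplied signal trampoline kept in .text instead of
// on the stack. Stand-in for the SA_USERTRAMP idea in the mail above; this is
// not FreeBSD code. Linux x86_64 exposes this through SA_RESTORER; elsewhere
// we fall back to libc sigaction() so the demo still runs.
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__) && defined(__x86_64__)
#include <sys/syscall.h>

/* Kernel-side sigaction layout for x86_64 Linux (not libc's struct). */
struct kernel_sigaction {
    void (*handler)(int);
    unsigned long flags;
    void (*restorer)(void);
    unsigned long mask;          /* the kernel's sigset_t is 64 bits wide */
};

#ifndef SA_RESTORER
#define SA_RESTORER 0x04000000   /* x86_64 Linux ABI constant */
#endif

/* The trampoline: two instructions placed in .text, never on the stack.
 * The kernel makes the handler "return" here, and all it must do is
 * invoke rt_sigreturn (syscall 15) to restore the interrupted context. */
__asm__(
    ".pushsection .text,\"ax\",@progbits\n"
    ".globl user_trampoline\n"
    "user_trampoline:\n"
    "    mov $15, %rax\n"
    "    syscall\n"
    ".popsection\n");
extern void user_trampoline(void);

static int install_handler(int sig, void (*fn)(int))
{
    struct kernel_sigaction ksa;
    memset(&ksa, 0, sizeof ksa);
    ksa.handler  = fn;
    ksa.flags    = SA_RESTORER;     /* tell the kernel where handlers return to */
    ksa.restorer = user_trampoline;
    /* sigsetsize must be 8: sizeof the kernel sigset_t on x86_64 */
    return syscall(SYS_rt_sigaction, sig, &ksa, NULL, 8) == 0 ? 0 : -1;
}
#define TRAMPOLINE_IN_TEXT 1
#else
/* Fallback for other platforms: libc picks the trampoline for us. */
static int install_handler(int sig, void (*fn)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fn;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}
#define TRAMPOLINE_IN_TEXT 0
#endif

static volatile sig_atomic_t handler_hits;

static void on_sigusr1(int sig)
{
    (void)sig;
    handler_hits++;
}

/* Installs the handler, raises SIGUSR1 twice and returns how many times the
 * handler ran (2 on success, -1 if installation failed). The second raise()
 * only works if the trampoline really did rt_sigreturn back into this
 * function with the context intact. */
int run_trampoline_demo(void)
{
    handler_hits = 0;
    if (install_handler(SIGUSR1, on_sigusr1) != 0)
        return -1;
    raise(SIGUSR1);
    raise(SIGUSR1);
    return handler_hits;
}

/* 1 when the .text trampoline path was compiled in, 0 for the libc fallback. */
int trampoline_lives_in_text(void) { return TRAMPOLINE_IN_TEXT; }

int main(void)
{
    int hits = run_trampoline_demo();
    printf("handler ran %d time(s); trampoline in .text: %s\n",
           hits, trampoline_lives_in_text() ? "yes" : "no (libc fallback)");
    return hits == 2 ? 0 : 1;
}
```

The point of routing through `rt_sigaction` directly is to show what the kernel actually needs from userland: one address to return into after the handler. Once that address is in .text, nothing about signal delivery requires the stack to be executable, which is why the remaining obstacle Peter mentions is gcc nested-function trampolines rather than signals.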