Date: Mon, 3 Mar 1997 14:42:24 -0600
From: Jonathan Lemon <jlemon@americantv.com>
To: Bill Paul <wpaul@skynet.ctr.columbia.edu>
Cc: hackers@freebsd.org
Subject: Re: Removing execute privs from stack pages
Message-ID: <19970303144224.03031@right.PCS>
In-Reply-To: <199703031825.NAA17682@skynet.ctr.columbia.edu>; from Bill Paul on Mar 03, 1997 at 01:25:23PM -0500
References: <199703031825.NAA17682@skynet.ctr.columbia.edu>
On Mar 03, 1997 at 01:25:23PM -0500, Bill Paul wrote:
> I've got a question for you VM/i386 gurus out there. Recently, somebody
> showed me a script for Solaris/SPARC to short-circuit buffer overflow
> security holes by removing execute access from the user stack pages.
> Doing this does not prevent buffer overflows and stack corruption from
> happening, but it does prevent any malicious code written to the stack
> from being executed, thus rendering the overflow condition harmless.
> (Well, sort of: the overflow can still crash the process, but at least
> it prevents suid/sgid programs with buffer overflow bugs from giving
> away privs.)
>
> My question is: can this sort of thing be done with FreeBSD/i386? From

Not at the moment. The signal trampoline code is currently written onto
the user stack by the kernel (see machdep.c). I suppose that if the
trampoline code is moved out of the UPAGES area, then it might be
possible.
--
Jonathan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970303144224.03031>
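The mechanism the thread is discussing, shown as an added example that is not part of the original messages or of FreeBSD's own code: a page of injected code runs fine while it is mapped executable, and the same bytes produce a fault as soon as the execute permission is removed, which is exactly what the Solaris/SPARC script was relying on for the stack. The code is Linux/POSIX C (mmap, mprotect, sigaction); the payload bytes, the function names run_with_exec, run_without_exec and stack_is_executable, and the SIGSEGV/SIGBUS catching are all constructed here for illustration. The third function applies the same probe to the process's own stack, so a practitioner can answer Bill's question for whatever system they are on.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for "malicious code written to the stack":
   a tiny function that returns 42, encoded as raw machine code. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char payload[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52,             /* mov w0,#42 */
                                         0xc0, 0x03, 0x5f, 0xd6 };           /* ret        */
#else
#error "this example only carries x86 and aarch64 encodings of the payload"
#endif

static sigjmp_buf fault_env;

/* A non-executable page produces SIGSEGV (or SIGBUS on some systems)
   at the call target; recover with siglongjmp instead of dying. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Call code at `code` with a fault handler installed.
   Returns what the code returned, or -1 if the CPU refused to execute it. */
static int call_guarded(const unsigned char *code)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int result = -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)code;
        result = fn();
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Copy the payload into a fresh anonymous page, set the requested
   protection, and try to run it. -2 means the mapping itself failed. */
static int try_execute(int prot_at_call)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, payload, sizeof payload);
    /* Freshly written instructions must be visible to the instruction fetch
       path; a no-op on x86, required on aarch64. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof payload);
    if (mprotect(page, (size_t)pagesz, prot_at_call) != 0) {
        munmap(page, (size_t)pagesz);
        return -2;
    }
    int r = call_guarded(page);
    munmap(page, (size_t)pagesz);
    return r;
}

/* Page stays executable: the injected code runs and returns 42. */
int run_with_exec(void)    { return try_execute(PROT_READ | PROT_EXEC); }

/* Execute permission removed: same bytes, but the call faults (-1). */
int run_without_exec(void) { return try_execute(PROT_READ); }

/* Same probe against this process's own stack: 1 if the stack is
   executable, 0 if it is not. The answer depends on the OS, the
   toolchain (e.g. -z execstack) and the hardware, not on this code. */
int stack_is_executable(void)
{
    unsigned char buf[sizeof payload];
    memcpy(buf, payload, sizeof payload);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);
    return call_guarded(buf) == 42;
}

int main(void)
{
    printf("executable page     : %d\n", run_with_exec());
    printf("non-executable page : %d\n", run_without_exec());
    printf("stack executable    : %s\n", stack_is_executable() ? "yes" : "no");
    return 0;
}
```

On a system that enforces the execute bit (any 64-bit x86 or aarch64 Linux) the first call returns 42 and the second returns -1: the overflow still lands the bytes in memory, but nothing runs. Whether the stack probe reports "yes" is the same question Bill asked; on a system where the kernel (or anything else) has to place code on the user stack, as Jonathan describes for the signal trampoline, it has to say "yes", which is why that code must move before the stack can be made non-executable.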