Date: Mon, 03 Mar 1997 14:41:12 -0800
From: David Greenman <dg@root.com>
To: Terry Lambert <terry@lambert.org>
Cc: wpaul@skynet.ctr.columbia.edu (Bill Paul), hackers@freebsd.org
Subject: Re: Removing execute privs from stack pages
Message-ID: <199703032241.OAA09456@root.com>
In-Reply-To: Your message of "Mon, 03 Mar 1997 13:25:58 MST." <199703032025.NAA08451@phaeton.artisoft.com>
>> I've got a question for you VM/i386 gurus out there. Recently, somebody
>> showed me a script for Solaris/SPARC to short-circuit buffer overflow
>> security holes by removing execute access from the user stack pages.
>> Doing this does not prevent buffer overflows and stack corruption from
>> happening, but it does prevent any malicious code written to the stack
>> from being executed, thus rendering the overflow condition harmless.
>> (Well, sort of: the overflow can still crash the process, but at least
>> it prevents suid/sgid programs with buffer overflow bugs from giving
>> away privs.)
>>
>> My question is: can this sort of thing be done with FreeBSD/i386?
>
>The short answer: "no".
>
>The long answer: there is no distinction between "readable" and
>"executable" in the hardware mapping interpretation. You *might*

The longer answer is that it is possible to set the user stack as
non-executable (not via the page tables, however), but the thing preventing
this from working is the signal trampoline which requires that code be
executed on the user's stack (the signal trampoline is a small piece of code
that is inserted onto the stack and is used when a signal handler does a
"return"; the return address on the stack points to the signal trampoline
which then does a sigreturn system call and perhaps other things to change
the context back to pre-signal state).

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project