From owner-freebsd-hackers Mon Mar 3 14:41:41 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA03372 for hackers-outgoing; Mon, 3 Mar 1997 14:41:41 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA03367 for ; Mon, 3 Mar 1997 14:41:32 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.8.5/8.6.5) with SMTP id OAA09456; Mon, 3 Mar 1997 14:41:12 -0800 (PST) Message-Id: <199703032241.OAA09456@root.com> X-Authentication-Warning: implode.root.com: localhost [127.0.0.1] didn't use HELO protocol To: Terry Lambert cc: wpaul@skynet.ctr.columbia.edu (Bill Paul), hackers@freebsd.org Subject: Re: Removing execute privs from stack pages In-reply-to: Your message of "Mon, 03 Mar 1997 13:25:58 MST." <199703032025.NAA08451@phaeton.artisoft.com> From: David Greenman Reply-To: dg@root.com Date: Mon, 03 Mar 1997 14:41:12 -0800 Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> I've got a question for you VM/i386 gurus out there. Recently, somebody >> showed me a script for Solaris/SPARC to short-circuit buffer overflow >> security holes by removing execute access from the user stack pages. >> Doing this does not prevent buffer overflows and stack corruption from >> happening, but it does prevent any malicious code written to the stack >> from being executed, thus rendering the overflow condition harmless. >> (Well, sort of: the overflow can still crash the process, but at least >> it prevents suid/sgid programs with buffer overflow bugs from giving >> away privs.) >> >> My question is: can this sort of thing be done with FreeBSD/i386? > >The short answer: "no". > >The long answer: there is no distinction between "readable" and >"executable" in the hardware mapping interpretation. You *might* The longer answer is that it is possible to set the user stack as non-executable (not via the page tables, however), but the thing preventing this from working is the signal trampoline which requires that code be executed on the user's stack (the signal trampoline is a small piece of code that is inserted onto the stack and is used when a signal handler does a "return"; the return address on the stack points to the signal trampoline which then does a sigreturn system call and perhaps other things to change the context back to pre-signal state). -DG David Greenman Core-team/Principal Architect, The FreeBSD Project