Date: Sat, 05 Feb 2000 23:08:54 +0900
From: Atsuo Ohki <ohki@gssm.otsuka.tsukuba.ac.jp>
To: freebsd-hackers@FreeBSD.org
Cc: ohki@gssm.otsuka.tsukuba.ac.jp
Subject: some guard against stack overflow attack
Message-ID: <200002051408.XAA02525@smr00.gssm.otsuka.tsukuba.ac.jp>
Hi folks,

I'd like to propose a simple guard against stack overflow attacks. The idea is very simple: just prevent system calls from writable user areas (i.e. data & bss area) except SYS_sigreturn. It has little performance penalty and can prevent trivial stack overflow attacks such as simply executing a shell.

*** /usr/src/sys/i386/i386/trap.c-ORIG Mon Aug 30 01:05:56 1999 --- /usr/src/sys/i386/i386/trap.c Fri Feb 4 22:30:44 2000 *************** *** 1074,1079 **** --- 1074,1090 ---- if (p->p_sysent->sv_mask) code &= p->p_sysent->sv_mask; + /* begin XXXXXXX -- prevent system call from writable user area */ + if (code != SYS_sigreturn && + ((int)(*vtopte(frame.tf_eip-frame.tf_err))&(PG_V|PG_RW|PG_U)) + != (PG_V|PG_U)) { + printf("pid%d: %d@0x%08x\n", + p->p_pid, code, frame.tf_eip-frame.tf_err); + trapsignal(p, SIGILL, T_PRIVINFLT); + error = -1; /* just prevent warning */ + goto bad_syscall; + } + /* end XXXXXXX */ if (code >= p->p_sysent->sv_size) callp = &p->p_sysent->sv_table[0]; *************** *** 1140,1145 **** --- 1151,1159 ---- frame.tf_eflags &= ~PSL_T; trapsignal(p, SIGTRAP, 0); } + /* begin XXXXXXX */ + bad_syscall: + /* end XXXXXXX */ userret(p, &frame, sticks);
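Review bot: in the first hunk (the 1074,1079 region) the test on `*vtopte(frame.tf_eip-frame.tf_err)` inspects the hardware PTE bits rather than the mapping's protection, so it does not implement the stated policy of "writable user area": a page in a private writable mapping that has only been read since fork() or mmap() is still copy-on-write and carries no PG_RW, so it satisfies the `(PG_V|PG_U)` comparison even though the process can write to it. Looking up the vm_map entry for that address and testing VM_PROT_WRITE would express the policy directly. Two smaller points: `printf("pid%d: %d@0x%08x\n", ...)` fires unconditionally from a user-triggerable path, so it should be rate limited or placed behind a sysctl, and should include p->p_comm to be useful in logs; and `code != SYS_sigreturn` compares against the native syscall number although `code` has just been masked through `p->p_sysent`, so any other sysvec whose signal trampoline runs on the stack needs its own exemption or will receive SIGILL on every signal return.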
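Review bot: in the second hunk (the 1140,1145 region) the `bad_syscall:` label lands after the PSL_T single-step check and after the error-return handling, so a rejected call is neither reported to a tracer with SIGTRAP nor returned to the process as a failure: tf_eax still holds the syscall number, PSL_C is not set, and a process that catches or ignores SIGILL simply continues as if the call had succeeded. The `error = -1; /* just prevent warning */` value from the first hunk is then handed to the post-call reporting after `userret` (ktrace's sysret record) as if it were an errno. Setting a real errno such as EPERM and jumping to the function's normal error-return path instead of introducing a new label would make the refusal visible both to the process and to ktrace/truss, and would remove this hunk entirely.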