Date: Sat, 5 Feb 2000 10:32:30 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Atsuo Ohki <ohki@gssm.otsuka.tsukuba.ac.jp>
Cc: freebsd-hackers@FreeBSD.ORG, ohki@gssm.otsuka.tsukuba.ac.jp
Subject: Re: some guard against stack overflow attack
Message-ID: <200002051832.KAA35677@apollo.backplane.com>
References: <200002051408.XAA02525@smr00.gssm.otsuka.tsukuba.ac.jp>
I think this will break dynamically loaded code. Also, library fixups may be writable, and even if we don't embed jump instructions in them now, who knows what might be done in the future. Even if we enforced this, all it would accomplish is to make the cracks a little more sophisticated.

Linux messes around with the user code segment. By limiting its size it can be made to 'miss' the user stack, preventing code from being executable on the stack. This is a zero-cost solution. However, there has been a lot of resistance to implementing it in FreeBSD because it is an i386-specific solution rather than a general solution, and is really more of a mask on the problem instead of a fix.

-Matt
Matthew Dillon <dillon@backplane.com>

:Hi folks
:
: I'd like to propose a simple guard against stack overflow attack.
: The idea is very simple: just prevent system calls from the writable
: user area (i.e. data & bss area) except SYS_sigreturn.
:
: It has little performance penalty and can prevent trivial stack
: overflow attacks such as simply executing a shell.
: : :*** /usr/src/sys/i386/i386/trap.c-ORIG Mon Aug 30 01:05:56 1999 :--- /usr/src/sys/i386/i386/trap.c Fri Feb 4 22:30:44 2000 :*************** :*** 1074,1079 **** :--- 1074,1090 ---- : : if (p->p_sysent->sv_mask) : code &= p->p_sysent->sv_mask; :+ /* begin XXXXXXX -- prevent system call from writable user area */ :+ if (code != SYS_sigreturn && :+ ((int)(*vtopte(frame.tf_eip-frame.tf_err))&(PG_V|PG_RW|PG_U)) :+ != (PG_V|PG_U)) { :+ printf("pid%d: %d@0x%08x\n", :+ p->p_pid, code, frame.tf_eip-frame.tf_err); :+ trapsignal(p, SIGILL, T_PRIVINFLT); :+ error = -1; /* just prevent warning */ :+ goto bad_syscall; :+ } :+ /* end XXXXXXX */ : : if (code >= p->p_sysent->sv_size) : callp = &p->p_sysent->sv_table[0]; :*************** :*** 1140,1145 **** :--- 1151,1159 ---- : frame.tf_eflags &= ~PSL_T; : trapsignal(p, SIGTRAP, 0); : } :+ /* begin XXXXXXX */ :+ bad_syscall: :+ /* end XXXXXXX */ : : userret(p, &frame, sticks);
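Review bot: in the first hunk, the check dereferences `*vtopte(frame.tf_eip-frame.tf_err)` with no guard that the page directory entry for that address is present, and the comment does not explain why `frame.tf_eip-frame.tf_err` is the address of the instruction that entered the kernel; both assumptions belong in the `/* begin XXXXXXX */` comment, which also needs a real description in place of the `XXXXXXX` markers before this goes in. `error = -1; /* just prevent warning */` assigns a value that nothing on the `goto bad_syscall` path reads, so either say which warning it silences or initialise `error` at its declaration instead of planting a magic value. The unconditional `printf("pid%d: %d@0x%08x\n", ...)` fires once per rejected call, and any unprivileged process can provoke it as often as it likes, so it should go through `log()` with a priority or be rate-limited rather than written straight to the console.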
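Review bot: in the second hunk, `bad_syscall:` sits just below the block that does `frame.tf_eflags &= ~PSL_T;` and `trapsignal(p, SIGTRAP, 0);`, so a rejected call jumps over the single-step handling: a process being single-stepped through the rejected instruction keeps PSL_T set and never gets its SIGTRAP for that step. Either place the label above that block so the rejected path still clears the trace flag, or state in the comment why skipping it is intended. The `/* begin XXXXXXX */ ... /* end XXXXXXX */` pair around a bare label is noise; a single comment naming what the label is for reads better.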