From owner-freebsd-security  Sun Jul 19 15:23:40 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id PAA02428
          for freebsd-security-outgoing; Sun, 19 Jul 1998 15:23:40 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA02417
          for <security@FreeBSD.ORG>; Sun, 19 Jul 1998 15:23:38 -0700 (PDT)
          (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 26383 invoked by uid 1001); 19 Jul 1998 22:23:22 +0000 (GMT)
To: brett@lariat.org
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: Your message of "Sun, 19 Jul 1998 14:47:25 -0600"
References: <199807192047.OAA02264@lariat.lariat.org>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 20 Jul 1998 00:23:22 +0200
Message-ID: <26381.900887002@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
> Earth would one want to allow code to be executed from the stack? The Intel
> segmentation model normally prevents this, and there's additional hardware
> in the MMU that's supposed to be able to preclude it. Why does the OS leave
> this gigantic hole open? Why not just close it?

As far as I remember part of the signal handling code (the trampoline
code) executes off the stack. I believe it's nontrivial to fix this.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message