From owner-freebsd-hackers Tue Mar 4 14:33:33 1997
From: proff@suburbia.net
Subject: Re: Removing execute privs from stack pages
In-Reply-To: from Warner Losh at "Mar 4, 97 11:17:26 am"
To: imp@village.org (Warner Losh)
Date: Wed, 5 Mar 1997 09:31:02 +1100 (EST)
Cc: hackers@freebsd.org
Message-ID: <19970304223102.20286.qmail@suburbia.net>

> Even making the stack non-executable will not solve the problem. It
> is possible to use overflows to overwrite function pointers in .data
> or .bss area that are called through (although this is much much
> harder).
>
> Warner

No, it is easier than that. If your heap is executable, you can just
point the pc to data in there (e.g. gethostbyaddr packet buffer).

--
Prof. Julian Assange |If you want to build a ship, don't drum up people
                     |together to collect wood and don't assign them tasks
proff@iq.org         |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu |immensity of the sea. -- Antoine de Saint Exupery
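The condition the reply warns about is a heap (or any data region) that is mapped both writable and executable. The following check is an added example, not code from the thread or from FreeBSD: it parses the Linux /proc/self/maps format (assumed here; FreeBSD's procfs map output differs) and reports mappings whose permission field carries both 'w' and 'x'. The sample dump is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the permission field of a /proc/<pid>/maps line
 * (address perms offset dev inode pathname) has both 'w' and 'x'. */
int is_wx_mapping(const char *line) {
    char perms[8] = {0};
    if (sscanf(line, "%*s %7s", perms) != 1) return 0;  /* skip address, read perms */
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a maps dump held in one string. If name is
 * non-NULL, only lines whose pathname contains it (e.g. "[heap]") count. */
int count_wx(const char *maps, const char *name) {
    int n = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;  /* truncate long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if ((!name || strstr(line, name)) && is_wx_mapping(line)) n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample: text r-x, data rw-, a heap mapped rwx, stack rw-. */
static const char sample_maps[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /bin/demo\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /bin/demo\n"
    "01a00000-01a21000 rwxp 00000000 00:00 0 [heap]\n"
    "7ffd1000-7ffd3000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
    printf("sample: %d W+X mapping(s), heap W+X: %d\n",
           count_wx(sample_maps, NULL), count_wx(sample_maps, "[heap]"));
    /* On Linux, audit the running process itself. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    while (fgets(line, sizeof line, f))
        if (is_wx_mapping(line)) printf("W+X: %s", line);
    fclose(f);
    return 0;
}
```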