From: Kostik Belousov
To: Ed Schouten
Cc: amd64@freebsd.org
Date: Sat, 14 Jun 2008 23:08:34 +0300
Subject: Re: VM_PROT_EXEC on the stack
Message-ID: <20080614200833.GZ94309@deviant.kiev.zoral.com.ua>
In-Reply-To: <20080614174412.GU1176@hoeg.nl>
List-Id: Porting FreeBSD to the AMD64 platform

On Sat, Jun 14, 2008 at 07:44:12PM +0200, Ed Schouten wrote:
> Hello everyone,
>
> I'm not a real guru when it comes to low level x86 hardware stuff, but
> some time ago I read somewhere that the NX bit on AMD64 CPUs could be
> used to mark the stack as non-executable, making it impossible to
> execute code on the stack (through buffer overflows).
>
> When I look at procstat -v's output on FreeBSD/amd64, I see the stack
> has VM_PROT_EXEC. Is there a specific reason for this?

There are at least two issues with marking the stack non-executable.

First, the kernel copies the signal trampoline code fragments to the top
of the stack. This may be worked around by splitting one page from the
stack and marking it executable. Or, the code may be moved to libc.

The second issue is that, in principle, the stack may be used by the
compiler-generated trampolines.

The new GNU toolchain creates the GNU_STACK phdr that informs ld.so that
a non-executable stack is permitted (in fact, I think that it is the
p_flags of the phdr that defines the required protection for the stack
segment mappings). GNU_STACK is created when all linked relocatable
objects contain .note.GNU-stack.
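The GNU_STACK program header described in the reply above is what a loader consults to decide whether the main thread's stack gets PF_X. The following checker is an added example written for this page, not code from the thread, FreeBSD or the GNU toolchain: it parses the program header table of an ELF64 image and reports whether PT_GNU_STACK is present and whether it requests an executable stack. It assumes a little-endian host with `<elf.h>`; the images it builds in `build_image` are constructed for the demonstration, and `demo_policy` and `elf64_stack_policy` are names chosen here.

```c
/* Added example: report the stack policy recorded in an ELF64 image's
 * PT_GNU_STACK program header. Assumes a little-endian host and <elf.h>. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PT_GNU_STACK            /* GNU extension; defined by glibc's elf.h */
#define PT_GNU_STACK 0x6474e551
#endif

enum stack_policy {
    STACK_BAD_ELF = -1,         /* not a parseable little-endian ELF64 image */
    STACK_NO_GNU_STACK = 0,     /* header absent: loader default applies */
    STACK_EXEC = 1,             /* PT_GNU_STACK present with PF_X set */
    STACK_NOEXEC = 2            /* PT_GNU_STACK present without PF_X */
};

/* Walk the program headers of buf[0..len) and classify the stack request. */
int elf64_stack_policy(const uint8_t *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return STACK_BAD_ELF;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return STACK_BAD_ELF;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(Elf64_Phdr);
        Elf64_Phdr ph;
        if (off > len || len - off < sizeof ph)   /* table runs off the end */
            return STACK_BAD_ELF;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_NO_GNU_STACK;
}

#define IMAGE_LEN (sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr))

/* Constructed image: one PT_LOAD plus an optional PT_GNU_STACK carrying
 * stack_flags. Not a loadable binary, just enough headers for the parser. */
void build_image(uint8_t *out, int with_gnu_stack, uint32_t stack_flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;              /* phdr table directly after the ehdr */
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK;
    ph[1].p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
}

/* Build a constructed image and classify it in one step. */
int demo_policy(int with_gnu_stack, uint32_t stack_flags)
{
    uint8_t img[IMAGE_LEN];
    build_image(img, with_gnu_stack, stack_flags);
    return elf64_stack_policy(img, IMAGE_LEN);
}

static const char *policy_name(int p)
{
    switch (p) {
    case STACK_EXEC:         return "executable stack requested (PF_X set)";
    case STACK_NOEXEC:       return "non-executable stack requested";
    case STACK_NO_GNU_STACK: return "no PT_GNU_STACK header";
    default:                 return "not a supported ELF64 image";
    }
}

/* Usage: ./gnustack [elf-file]; without an argument the constructed cases run. */
int main(int argc, char **argv)
{
    if (argc == 2) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        uint8_t *buf = malloc(1 << 20);          /* headers sit in the first MiB */
        size_t n = buf ? fread(buf, 1, 1 << 20, f) : 0;
        fclose(f);
        printf("%s: %s\n", argv[1], policy_name(elf64_stack_policy(buf, n)));
        free(buf);
        return 0;
    }
    printf("RW  GNU_STACK: %s\n", policy_name(demo_policy(1, PF_R | PF_W)));
    printf("RWX GNU_STACK: %s\n", policy_name(demo_policy(1, PF_R | PF_W | PF_X)));
    printf("no  GNU_STACK: %s\n", policy_name(demo_policy(0, 0)));
    return 0;
}
```

Pointing the checker at a real binary is the same check `readelf -l` performs when it lists the `GNU_STACK` segment flags; an `RWE` result there means some linked object lacked `.note.GNU-stack`, which is the condition the reply identifies for losing the non-executable stack.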