From owner-freebsd-security Mon Feb 10 13:14:40 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA25456 for security-outgoing; Mon, 10 Feb 1997 13:14:40 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA25446 for ; Mon, 10 Feb 1997 13:14:34 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vu32S-0005Rj-00; Mon, 10 Feb 1997 14:13:24 -0700 To: tqbf@enteract.com Subject: Re: buffer overruns Cc: roberto@keltia.freenix.fr, freebsd-security@freebsd.org In-reply-to: Your message of "10 Feb 1997 07:49:14 GMT." <19970210074914.22012.qmail@char-star.rdist.org> References: <19970210074914.22012.qmail@char-star.rdist.org> Date: Mon, 10 Feb 1997 14:13:23 -0700 From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <19970210074914.22012.qmail@char-star.rdist.org> tqbf@enteract.com writes: : You'll have to make every other region of memory that a calling process : could potentially control non-executable as well. It's a gross assumption : to say that I, being the caller of any given program, only have influence : over the contents of that program's stack. >From years of debugging experience we know that it is possible to overflow veriables in the data segment, trashing out the pointer that follows the buffer. Once you do that, then you may be able to use that pointer to write data anywhere in the program.... Found quite a few bugs in code I've worked on that were like this :-(. Warner