From owner-freebsd-security Mon Feb 10 13:18:52 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA25697 for security-outgoing; Mon, 10 Feb 1997 13:18:52 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA25685 for ; Mon, 10 Feb 1997 13:18:47 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vu37M-0005S4-00; Mon, 10 Feb 1997 14:18:28 -0700
To: tqbf@enteract.com
Subject: Re: buffer overruns
Cc: dufault@hda.com, freebsd-security@freebsd.org
In-reply-to: Your message of "10 Feb 1997 11:59:41 GMT." <19970210115941.27807.qmail@char-star.rdist.org>
References: <19970210115941.27807.qmail@char-star.rdist.org>
Date: Mon, 10 Feb 1997 14:18:27 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <19970210115941.27807.qmail@char-star.rdist.org> tqbf@enteract.com writes:
: In article <199702100954.EAA08773@hda.hda.com>, you wrote:
: >Is the stack executable? I've been assuming the exploits modify
:
: Yes.

The problem with making the stack non-executable is that it breaks gcc-generated code. It will place trampoline code on the stack for a variety of things, and then jump to that code. Exceptions and nested scopes come to mind for when this happens, but it has been a while since I checked this out.

Also, SunOS implements a lazy link for shared libraries. When the program starts to execute, it has a bunch of jumps to a routine that fixes up the jumps to the right place and then jumps there itself.

Warner
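An added example, not part of this 1997 thread and not FreeBSD or SunOS code of the period: modern ELF toolchains resolve the tension Warner describes by recording per binary whether it needs an executable stack (gcc marks objects that use nested-function trampolines, and the linker turns that into a PT_GNU_STACK program header with the execute bit set), so the system can default to a non-executable stack and still run such code. The check below reads that flag; it assumes ELF64 little-endian images, and the sample images are constructed inline rather than taken from real binaries.

```python
import struct
import sys

# ELF constants (values from the ELF and GNU ABI specifications)
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # program header that records the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def stack_is_executable(elf: bytes):
    """True/False from the PT_GNU_STACK flags; None if the image has no such
    header (an older toolchain), in which case the loader's default applies."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # Elf64_Ehdr: e_phoff at 0x20, e_phentsize at 0x36, e_phnum at 0x38
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        # Elf64_Phdr begins with p_type and p_flags, both 32-bit fields
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def make_elf64(phdrs):
    """Constructed fixture: a minimal ELF64 LE image made of the file header and
    the given (p_type, p_flags) program headers only. Not loadable."""
    n = len(phdrs)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # e_ident
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, n, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return ehdr + body

# Constructed samples: a binary whose objects need an executable stack (as gcc
# nested-function trampolines do), one that does not, and one from a toolchain
# that predates the marker.
EXEC_STACK = make_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NOEXEC_STACK = make_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
UNMARKED = make_elf64([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    # Usage: python check_stack.py /path/to/binary ...
    labels = {True: "executable", False: "non-executable", None: "unmarked"}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {labels[stack_is_executable(fh.read())]} stack")
```

Binaries reported as "executable" are the ones a non-executable-stack default would break, which is exactly the set worth auditing before tightening the policy.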