Message-Id: <199807200413.WAA08927@harmony.village.org>
To: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: dg@root.com, Archie Cobbs, security@FreeBSD.ORG
In-reply-to: Your message of "Sun, 19 Jul 1998 22:00:53 MDT." <199807200400.WAA08903@lariat.lariat.org>
References: <199807200400.WAA08903@lariat.lariat.org>
Date: Sun, 19 Jul 1998 22:13:40 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG

In message <199807200400.WAA08903@lariat.lariat.org> Brett Glass writes:
: Unfortunately, without the use of call gates, there are still some
: exploits that can be done. But far fewer.... You need to know
: exactly where things are mapped in order to push the addresses of
: library routines as return addresses.

For any given release, this is easy. Not as easy as knowing the high
bits of the stack address, but still fairly easy. nm is your friend.

Warner