Date: Thu, 6 Mar 1997 21:06:31 -0800 (PST)
From: Dmitry Kohmanyuk <dk@dog.farm.org>
To: jlemon@americantv.com (Jonathan Lemon)
Cc: freebsd-hackers@freebsd.org
Subject: Re: Removing execute privs from stack pages
Message-ID: <199703070506.VAA29447@dog.farm.org>
In article <19970303144224.03031@right.PCS> you wrote:
> On Mar 03, 1997 at 01:25:23PM -0500, Bill Paul wrote:
> > I've got a question for you VM/i386 gurus out there. Recently, somebody
> > showed me a script for Solaris/SPARC to short-circuit buffer overflow
> > security holes by removing execute access from the user stack pages.
> > Doing this does not prevent buffer overflows and stack corruption from
> > happening, but it does prevent any malicious code written to the stack
> > from being executed, thus rendering the overflow condition harmless.
> > (Well, sort of: the overflow can still crash the process, but at least
> > it prevents suid/sgid programs with buffer overflow bugs from giving
> > away privs.)
> >
> > My question is: can this sort of thing be done with FreeBSD/i386? From
> Not at the moment. The signal trampoline code is currently written onto
> the user stack by the kernel (see machdep.c). I suppose that if the
> trampoline code is moved out of the UPAGES area, then it might be possible.

Also, gcc generates trampoline code on the stack in some cases; passing
pointers-to-nested-functions as args involves that (that's a GCC extension
to C), and there may be others.

-- 
Two mistakes of a programmer: to be born, and to select a profession.
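The mechanism the thread is arguing about, shown as an added example that is not part of this message, of FreeBSD, or of the Solaris script Bill Paul mentions. This is a small Linux program (assumptions: glibc, mprotect(2), and a readable /proc/self/maps) that locates the mapping holding an address, reports its execute bit, strips PROT_EXEC from one page the way a kernel or loader would for stack pages, and also reports whether the caller's own stack is currently executable. The function names are the example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* Look up the mapping that contains `addr` in /proc/self/maps (Linux only;
 * an assumption of this example) and report its execute bit.
 * Returns 1 if executable, 0 if not, -1 if unmapped or /proc is unreadable. */
int page_is_executable(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;

    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];                      /* e.g. "rw-p" or "r-xp" */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if (a >= lo && a < hi) {
            result = (perms[2] == 'x');
            break;
        }
    }
    fclose(f);
    return result;
}

/* Remove PROT_EXEC from the page holding `addr`, leaving it read/write.
 * This is the user-space analogue of the kernel-side change the thread
 * discusses. Returns 0 on success, -1 on failure (errno set by mprotect). */
int drop_exec_from_page(void *addr)
{
    long ps = sysconf(_SC_PAGESIZE);
    uintptr_t page = (uintptr_t)addr & ~((uintptr_t)ps - 1);
    return mprotect((void *)page, (size_t)ps, PROT_READ | PROT_WRITE);
}

/* Is the calling thread's stack executable right now?  The address of a
 * local variable is used to find the stack mapping. */
int stack_is_executable(void)
{
    volatile char probe = 0;
    return page_is_executable((const void *)&probe);
}

/* Worked check: map one anonymous RWX page (standing in for an executable
 * stack page), drop exec, and confirm the permission bits changed.
 * Returns 1 when the page went from executable to non-executable,
 * 0 if the bits did not change as expected, -1 if mmap failed. */
int demo_drop_exec(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)ps, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    int before = page_is_executable(p);
    int rc = drop_exec_from_page(p);
    int after = page_is_executable(p);
    munmap(p, (size_t)ps);

    return (before == 1 && rc == 0 && after == 0) ? 1 : 0;
}

int main(void)
{
    printf("stack executable: %d\n", stack_is_executable());
    printf("exec bit removed from test page: %d\n", demo_drop_exec());
    return 0;
}
```

The caveat the two replies above raise applies directly: once a page is read/write only, anything that legitimately runs code from it (a kernel-written signal trampoline, a GCC nested-function trampoline) faults instead of executing, so the check has to be paired with moving that code off the stack, not just flipping the bit.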