From: des@des.no (Dag-Erling Smørgrav)
To: db
Cc: freebsd-security@freebsd.org, Jimmy Scott
Subject: Re: Non-executable stack
Date: Wed, 02 Nov 2005 13:30:53 +0100
Message-ID: <86pspjz0xu.fsf@xps.des.no>
In-Reply-To: <200510291412.57656.db@traceroute.dk>

db writes:

> Memory on ia32 can be writable and readable. When it is readable it
> is also executable. On other arch's like AMD64 and IA64, I believe
> memory can be readable, writable and executable.

Not quite. IA32 can make individual segments readable, writable and / or executable, but lacks the ability to do so on a per-page basis. Since we have trampoline code at the top of the stack, the entire stack segment must be executable. Moving the trampoline off the stack would solve the problem on all platforms.

W^X across the board is not an option - it would break HotSpot and other JIT-based software.

DES
-- 
Dag-Erling Smørgrav - des@des.no
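
The segment-versus-page distinction drawn in the message above, as an added example that is not part of the original post or of FreeBSD: it decodes the access byte of an IA-32 code/data segment descriptor and the flag bits of a legacy 32-bit (non-PAE) page-table entry, showing that execute permission exists at segment granularity but has no bit in the page entry. The function names, the `PERM_*` constants and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Permission flags for this example only (constructed names). */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/*
 * Decode the access byte of an IA-32 code/data segment descriptor.
 * Bit 7 = present, bit 4 = S (1 for code/data), bit 3 = executable,
 * bit 1 = readable (code) or writable (data).
 */
int seg_perms(uint8_t access)
{
    if (!(access & 0x80) || !(access & 0x10))
        return 0;                        /* not present, or a system descriptor */
    if (access & 0x08)                   /* code: always X, R only if bit 1 set */
        return PERM_X | ((access & 0x02) ? PERM_R : 0);
    return PERM_R | ((access & 0x02) ? PERM_W : 0);   /* data: always R, never X */
}

/*
 * Decode a legacy 32-bit (non-PAE) page-table entry.
 * Bit 0 = present, bit 1 = read/write. There is no execute-disable bit,
 * so every present page is both readable and executable as far as paging
 * is concerned.
 */
int pte32_perms(uint32_t pte)
{
    if (!(pte & 0x1))
        return 0;
    return PERM_R | PERM_X | ((pte & 0x2) ? PERM_W : 0);
}

int main(void)
{
    /* Constructed sample values, not taken from a real system. */
    const uint8_t  segs[] = { 0x9A, 0x98, 0x92, 0x90 };
    const uint32_t ptes[] = { 0x00001007, 0x00001005, 0x00001006 };
    for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++)
        printf("segment access 0x%02X -> perms %d\n", segs[i], seg_perms(segs[i]));
    for (size_t i = 0; i < sizeof ptes / sizeof ptes[0]; i++)
        printf("PTE 0x%08X -> perms %d\n", (unsigned)ptes[i], pte32_perms(ptes[i]));
    return 0;
}
```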