Date: Sun, 19 Jul 1998 18:54:45 -0600
From: Brett Glass <brett@lariat.org>
To: sthaug@nethelp.no
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: <199807200054.SAA05978@lariat.lariat.org>
In-Reply-To: <26381.900887002@verdi.nethelp.no>
References: <Your message of "Sun, 19 Jul 1998 14:47:25 -0600"> <199807192047.OAA02264@lariat.lariat.org>
At 12:23 AM 7/20/98 +0200, sthaug@nethelp.no wrote:

>As far as I remember part of the signal handling code (the trampoline
>code) executes off the stack. I believe it's nontrivial to fix this.

I doubt it's hard. "Trampoline" code is just one of the implementation methods used in the very common practice called "thunking."

"Thunking" -- a word which dates back to the creation of the Algol 66 compiler for Sperry Univac batch processing systems -- is the general term for creating a small snippet of code that is later executed by another program, process, or subroutine. The code is sometimes created at runtime, sometimes at compile time. Sometimes it's boilerplate that's patched or "fixed up" at runtime. However, the distinguishing traits are that the snippet of code is small and is used to "glue" two other bodies of code together.

Putting a "thunk" on the stack sometimes seems convenient because it uses "automatic" storage (to use the C term); the memory that holds the code is automatically deallocated when the stack is popped after it's used. It can only be done in a non-Harvard architecture, though, and leaves holes open for several kinds of nasty exploits.

Fortunately, all that's necessary to solve the problems is to put the "thunk" somewhere else! Everything else about the thunk stays the same. It's possible, for example, to reserve a page of memory -- or a small code segment in the Intel protected mode architecture -- for it. You can even reserve a little space in a user process's code segment. If the thunk can be made general enough, it can be shared by processes returning from the same exception, making the non-stack implementation more efficient than the one that used the stack. And none of the user code will be the wiser.

Someone mentioned that GCC also uses "trampoline" thunks. If so, there ought to be a way to get it to use a different method. After all, it needs to be able to generate code for OSes like Solaris, which can disable execution from the stack.
--Brett
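The thread's question is whether a process needs an executable stack at all. As an added example (not part of the original post or of any FreeBSD code), the check a defender would run today: parse `/proc/self/maps`-style lines and report whether the `[stack]` mapping carries the execute bit. The maps format and the `[stack]` tag are Linux conventions (an assumption about where this is run); the sample maps below are constructed, and the live check is optional.

```c
/* Added example: detect whether the current process has an executable stack.
 * Input format assumed: Linux /proc/self/maps lines, e.g.
 *   7ffd1000-7ffd2000 rw-p 00000000 00:00 0   [stack]
 * Returns 1 if the [stack] mapping is executable, 0 if not, -1 if not found. */
#include <stdio.h>
#include <string.h>

int stack_is_executable(const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        unsigned long lo, hi;
        char perms[5] = {0};            /* "rwxp" style permission field */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3) {
            const char *tag = strstr(line, "[stack]");
            if (tag && tag < line + len)  /* tag must lie on this line */
                return perms[2] == 'x';
        }
        if (!end) break;
        line = end + 1;
    }
    return -1;
}

/* Live check (Linux only): read this process's own map and inspect it. */
int live_stack_is_executable(void)
{
    char buf[65536];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return stack_is_executable(buf);
}

/* Constructed sample maps: a non-executable stack and an executable one. */
const char SAMPLE_NX_STACK[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "7ffd1000-7ffd2000 rw-p 00000000 00:00 0    [stack]\n";
const char SAMPLE_X_STACK[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "7ffd1000-7ffd2000 rwxp 00000000 00:00 0    [stack]\n";

int main(void)
{
    printf("sample nx: %d, sample x: %d, live: %d\n",
           stack_is_executable(SAMPLE_NX_STACK),
           stack_is_executable(SAMPLE_X_STACK), live_stack_is_executable());
    return 0;
}
```

A live result of 1 on a modern toolchain usually means some object was linked without a non-executable-stack marker, which is the condition this thread argues should not be needed.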