Date: Mon, 29 Oct 2001 13:25:04 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Luc <luc@2113.ch>
Cc: freebsd-security@freebsd.org, Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Subject: Re: BUFFER OVERFLOW EXPLOITS
Message-ID: <20011029132504.A98067@xor.obsecurity.org>
In-Reply-To: <3BDD11C8.4746A7BD@2113.ch>; from luc@2113.ch on Mon, Oct 29, 2001 at 09:22:33AM +0100
References: <Pine.BSF.4.21.0110281500030.6086-100000@lhotse.zaraska.dhs.org> <3BDD11C8.4746A7BD@2113.ch>
On Mon, Oct 29, 2001 at 09:22:33AM +0100, Luc wrote:
> Hello,
>
> > Is this a programming, compiler or compiling-options error?
> > How to avoid this problem in practice (writing programs)?
>
> Can one confirm we may prevent FreeBSD buffer overflow
> using this document:
>
> "GCC extension for protecting applications from stack-smashing attacks"
> http://www.trl.ibm.com/projects/security/ssp/
>
> Why isn't FreeBSD built with such an extension (by default)?

Because it can cause problems for certain things. The main one I've found is XFree86, which will fail to run if you build it with -fstack-protector. I think it's overriding CFLAGS in parts of the build, which means that certain things aren't being compiled with -fstack-protector and fail to link at runtime as a result. I also found a spurious failure in another application which would cause it to hit the overflow trap even though nothing was apparently overflowing.

Also note that it does not provide complete protection against buffer overflows and other code-based security flaws, and is therefore only a partial solution to the problem (a useful one nonetheless). For the most part it works well though, and I compile two of my systems with it.

Kris
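As an added illustration of the mechanism discussed above (example code, not from the thread, GCC or FreeBSD): a user-space model of the guard word that -fstack-protector places above a function's local buffers, showing both the overflow the guard catches and one it does not, which is the "partial solution" point. The struct layout, the GUARD_VALUE constant and the all-'A' inputs are constructed for the model.

```c
/* Added model of the guard word -fstack-protector places above a function's
 * local buffers.  Not compiler or FreeBSD code: the frame is an explicit
 * struct so the check can be observed without aborting the process. */
#include <stdint.h>
#include <string.h>

#define NAME_SIZE 16
#define FLAG_SIZE 8
#define GUARD_VALUE 0x5a3c96e1u   /* constructed; a real guard is random */

/* Simplified frame, low to high address, as the protector lays it out:
 * local arrays, then the guard word (just below the saved return address). */
struct frame {
    char name[NAME_SIZE];   /* the buffer the unchecked copy targets */
    char flag[FLAG_SIZE];   /* a sibling array sitting just above it */
    uint32_t guard;         /* compared in the epilogue before returning */
};

struct outcome {
    int guard_ok;           /* 1 if the epilogue check would pass */
    int sibling_corrupted;  /* 1 if flag[] was overwritten anyway */
};

/* Copies len bytes into the frame starting at name[] with no bounds
 * check, then performs the guard comparison the compiler emits. */
struct outcome copy_then_check(const char *input, size_t len)
{
    struct frame f;
    struct outcome r = {0, 0};
    memset(&f, 0, sizeof f);
    f.guard = GUARD_VALUE;
    if (len > sizeof f) len = sizeof f;   /* keep the model inside its own object */
    memcpy(&f, input, len);               /* the overflow: len may exceed NAME_SIZE */
    r.guard_ok = (f.guard == GUARD_VALUE);
    for (size_t i = 0; i < FLAG_SIZE; i++) if (f.flag[i]) r.sibling_corrupted = 1;
    return r;
}

/* Drives the model with a constructed input of len 'A' bytes:
 * 10 fits, 20 silently clobbers flag[], 26 reaches the guard. */
struct outcome simulate(size_t len)
{
    char input[64];
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);
    return copy_then_check(input, len);
}
```

The 20-byte case is the one worth noticing: the guard is intact, so the epilogue check passes, yet a neighbouring local was corrupted.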