Bugtraq mailing list archives
Re: Linux kernel patch to remove stack exec permission
From: mingo () PC5829 HIL SIEMENS AT (Ingo Molnar)
Date: Mon, 14 Apr 1997 16:36:03 +0200
On Sat, 12 Apr 1997 solar () sun1 ideal ru wrote:
[...] Some buffer overflows are still exploitable, by making the program put the shellcode somewhere else in its memory space, not on the stack, and overwriting the return address to point to that area. [...]
would it be a good idea to strip off the highest bit in env[] and args[] when exec()-ing? This makes it quite hard to pass shellcode to the process? We can get this bit cutoff very cheap by trivially modifying copy_strings() in exec.c. [hm, this breaks 8-bit character sets?] for the BSS/malloc() things we could theoretically get the kernel to put executable mmap()-ed areas into the 0-1G range, and the rest into the 1G-2G range. [whee, reinventing segmented memory ...]. As most if not all code is independent of what type of area mmap() gives us, this seems to be doable via ext2fs attributes. Then USER_CS would be in the 0-1G range. but the Right Thing would be if Intel fixed their page protection bits to honor exec permissions actually ... -- mingo
Current thread:
- Re: Linux kernel patch to remove stack exec permission Mike Meissner (Apr 12)
- <Possible follow-ups>
- Linux kernel patch to remove stack exec permission Solar Designer (Apr 12)
- Re: Linux kernel patch to remove stack exec permission Casper Dik (Apr 12)
- Re: Linux kernel patch to remove stack exec permission Ingo Molnar (Apr 14)