Bugtraq mailing list archives
Re: Smashing the stack
From: Thomas.Pornin () ens fr (Thomas Pornin)
Date: Wed, 22 Jan 1997 10:12:06 +0100
Terrell Thacker writes:
X86 memory protection is based on two segments types: Code and Data. Code segments are executable with a read toggle. Data segments are not executable with a write toggle. You cannot write to memory using a code segment selector. You cannot read memory using a code segment selector that is not readable. You cannot execute code using a data segment selector. The only selectors allowed in the stack segment register are ones that are type Data/read/write. The only selectors allowed in the code segment register are type Code. The only selectors allowed in the general purpose data registers are type Data or Code/read. The problem lies with implementations on the X86. Different types of selectors can be created to access the same memory in different ways. If you want a flat address space for each process, then there will be the two types of selectors accessing the same memory space, code and data. Now the code segment selector can be used to execute the data modified in the stack or data segment. Does anyone know of implementations that use different areas of memory for the selectors of each process?
Actually, you can declare a segment as a data one, with read and write enable, and load it into the code segment register; this way, you may have a writable and executable segment. This is not a widely used feature, as it is much more elegant to use a data segment covering the same range than the code segment considered. Nevertheless, using these segments is a pain; that's why linux relies on paging to perform memory protection and forgets the segments (all segment registers are declared as 4 GB ones, beginning at adress 0). I suspect all other 386-based Unixes act this way, as it simplifies much the implementation. Pages (which are 4 KB wide) can be marked as readable and writable; no executable flag. Paging does not exist on 286; therefore, any Unix running on a 286 (but not on a 8086) is likely to use separate code segments and data segments, and so being unable to execute code placed in data or stack segments. --Thomas Pornin
Current thread:
- Re: Smashing the stack Terrell Thacker (Jan 21)
- Re: Smashing the stack Thomas Pornin (Jan 22)
- <Possible follow-ups>
- Re: Smashing the stack Terrell Thacker (Jan 22)