Bugtraq mailing list archives

Re: WordPad/riched20.dll buffer overflow

From: chrisr () VERIMAIL COM (Christopher Rhodes)
Date: Fri, 26 Nov 1999 14:06:26 -0700


The 386 and up supports no-exec, but only on differing segments.  Most OS
systems aren't properly implemented on the 386+ architecture.  The 386+
supports read-only pages in the paging architecture, but to separate
executable code from stack and data, you have to point the segment
registers at differing memory areas.  If they overlap, which simplifies
memory management, then the code, data and stack are all shared.  An
entire segment, according to the Intel documentation, can set aside as
non-executable.

I think one of the major problems with the Linux implementation, and
apparently windows too, is that noone pays attention to the added security
provided by segmentation (at least to the point of putting the stack on a
different segment?)  I've not delved into that portion of the Linux
source, but maybe I will someday if I have some free time.  (I got my info
from a copy of Intel's pentium family processor architecture and
programming manual.)

(I'm talking about the code and data bits in the segment registers.)

Chris Rhodes

-------------------------------------------------------------------------
"Note:  The information contained in this message and any attachments to
it may be privileged and confidential.  If the reader of this message is
not the intended recipient or the recipient's appointed agent, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.  If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer."
-------------------------------------------------------------------------

On Fri, 26 Nov 1999 pedward () WEBCOM COM wrote:

I seem to recall a Linux kernel guru explaining that the x86 MMU doesn't actually
support non-exec pages, or some such.  It doesn't support it, or it just doesn't
work right.  I remember bringing up the issue of noexec and that was the answer.

--Perry

    Ok, here it is, on page 58, it's talking about Access Control of virtual
pages, and it says, literally if a page can be read, it can be executed. I
remember that this took my attention for some days, then I forgot about it, until
you mentioned it.

    richie


--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\

Current thread:

WordPad/riched20.dll buffer overflow Pauli Ojanpera (Nov 18)
- Re: WordPad/riched20.dll buffer overflow Bronek Kozicki (Nov 18)
- Re: WordPad/riched20.dll buffer overflow Gerardo Richarte (Nov 18)
  - Re: WordPad/riched20.dll buffer overflow Gerardo Richarte (Nov 24)
  - (no subject) Swen Persson (Nov 24)
  - Re: WordPad/riched20.dll buffer overflow Gerardo Richarte (Nov 24)
    - Re: WordPad/riched20.dll buffer overflow pedward () WEBCOM COM (Nov 26)
    - Re: WordPad/riched20.dll buffer overflow Christopher Rhodes (Nov 26)
    - Re: WordPad/riched20.dll buffer overflow Glynn Clements (Nov 27)
    - SCO su patches Alfred Huger (Nov 28)
    - Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow UNYUN (Nov 29)
    - Page table protection on Intel Jason Spence (Nov 26)
    - SuSE Security Announcement - new security tools Marc Heuse (Nov 26)
    - 3Com cable modems / Mediaone Signal 11 (Nov 27)
    - Re: 3Com cable modems / Mediaone Joseph W. Breu (Nov 29)
    - NTmail and VRFY George (Nov 30)
    - Netscape Communicator 4.7 - Navigator Overflows Mike Boto (Nov 27)
    - Re: WordPad/riched20.dll buffer overflow Crispin Cowan (Nov 27)

(Thread continues...)