Bugtraq mailing list archives

Re: WordPad/riched20.dll buffer overflow


From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sun, 28 Nov 1999 03:19:01 +0000


Aleph, please kill my article if someone else says it better/first.  I've been
waiting in silence for Solar Designer to speak up and end the debate about how
to do this, but I guess he's away from his e-mail.

Glynn Clements wrote:

> Christopher Rhodes wrote:
> > I think one of the major problems with the Linux implementation, and
> > apparently Windows too, is that no one pays attention to the added security
> > provided by segmentation (at least to the point of putting the stack on a
> > different segment?)
>
> Having separate non-overlapping stack and data segments causes a great
> many problems if you want to be able to write programs in C, given
> that a data pointer has to be able to record the address of any
> variable, regardless of whether it is static (data segment) or
> automatic (stack segment).

This work has already been done:  there is a kernel patch for Linux that makes
the stack segment non-executable.  For details, go read Solar's source:
http://www.openwall.com/linux/

> There are workarounds (i.e. forgoing the simplicity of a flat memory
> model), but these are invariably either inefficient (e.g. the "huge"
> memory model found on 16-bit x86 C compilers), or not actually C (e.g.
> the "near" and "far" keywords in the language-which-looks-like-C-but-isn't
> that was commonly used for 16-bit x86 development).

The kernel patch makes no such compromise.  As near as I can tell, it is
completely performance neutral, and largely transparent.  The only compromise
is that special handling for signal delivery is required, which the kernel
patch provides.

> Also, using segmentation pretty much guarantees that your OS cannot be
> made to run on anything other than the x86 architecture (which is
> about the worst of the bunch; no sane person would use x86 if it wasn't
> for the compatibility issues).

Other, more sane, processors provide for read & no-execute pages, so you use a
different kernel MMU mechanism to make the stack non-executable.  Thus, Casper
Dik has a similar kernel enhancement for Solaris that makes the stack
non-executable.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
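As an added example, not part of this message or of the Openwall patch: a small C program that reads /proc/self/maps (a Linux interface that post-dates this thread) and reports whether the process's own stack mapping carries the execute bit, which is exactly the property the non-executable-stack kernel changes discussed above are meant to enforce. The function names maps_line_exec and stack_is_executable are this example's own.

```c
/* Added example: check whether this process's stack mapping is executable,
 * by parsing /proc/self/maps. A defender uses this kind of check to confirm
 * that a non-executable-stack mitigation is actually in effect. */
#include <stdio.h>
#include <string.h>

/* Parse one /proc/self/maps line. Returns 1 if the line describes the
 * mapping called `name` (e.g. "[stack]") and it is executable, 0 if it is
 * that mapping but not executable, and -1 if the line is some other mapping
 * or cannot be parsed. Field layout: address perms offset dev inode pathname */
int maps_line_exec(const char *line, const char *name)
{
    char perms[8];

    if (sscanf(line, "%*s %7s", perms) != 1)   /* skip address, read perms */
        return -1;
    if (strlen(perms) < 3)                      /* perms look like "rw-p" */
        return -1;
    if (strstr(line, name) == NULL)             /* not the mapping we want */
        return -1;
    return perms[2] == 'x' ? 1 : 0;             /* third char is the x bit */
}

/* Walk /proc/self/maps. Returns 1 if the [stack] mapping is executable,
 * 0 if it is not, and -1 if that could not be determined (e.g. no /proc). */
int stack_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        int r = maps_line_exec(line, "[stack]");
        if (r >= 0) { result = r; break; }
    }
    fclose(f);
    return result;
}

int main(void)
{
    int r = stack_is_executable();
    if (r < 0)
        puts("stack executability: unknown (no /proc/self/maps)");
    else
        printf("stack is %s\n", r ? "EXECUTABLE (no NX stack protection)"
                                  : "non-executable");
    return 0;
}
```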

