Bugtraq mailing list archives

Re: WordPad/riched20.dll buffer overflow


From: solar () FALSE COM (Solar Designer)
Date: Mon, 29 Nov 1999 23:40:29 +0300


> Aleph, please kill my article if someone else says it better/first.  I've been
> waiting in silence for Solar Designer to speak up and end the debate about how
> to do this, but I guess he's away from his e-mail.

I was simply unsure if we really need to repeat this discussion (it's
been on the list already). ;-)

>> Having separate non-overlapping stack and data segments causes a great
>> many problems if you want to be able to write programs in C, given
>> that a data pointer has to be able to record the address of any
>> variable, regardless of whether it is static (data segment) or
>> automatic (stack segment).

> This work has already been done:  there is a kernel patch for Linux that makes
> the stack segment non-executable.  For details, go read Solar's source:
> http://www.openwall.com/linux/

In reality, the patch does exactly what it says it does: make the
user stack area (a range of user-space addresses) non-executable.

It does _not_ make the segment (in the x86 sense) non-executable (in
fact, it was already non-executable by definition; it is overlapping
with the code segment which allowed for execution on the stack).

To answer the paragraph you were replying to as well, the patch also
does _not_ stop stack and data segments from overlapping (in fact,
with the Linux 2.2 version of the patch, the stack and data segments
even share the same descriptor table entry).  I don't see how this
restriction can be related to the execute permissions, though.

What the patch does is reduce the user-space code segment limit so
that the segment does not cover the range of addresses allocated to
the stack.  The base addresses continue to match.
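To make the limit-based mechanism concrete, here is an added illustration written for this archive page; it is not code from the post or from the Openwall patch. It models the x86 segment limit check for three user segments that all share base 0: the stock code segment, a code segment whose limit has been lowered below the stack, and the data/stack segment that still spans the whole user range. The numeric layout (3 GB user space, a constructed stack floor of 0xBF000000, byte-granular limits) is an assumption chosen for the demonstration and is not taken from the patch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A simplified x86 segment: linear base plus the highest valid offset.
 * Real descriptors store a 20-bit limit with optional 4 KiB granularity;
 * that detail is omitted here (assumption for illustration). */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t limit;
} segment_t;

/* The CPU's limit check for an expand-up segment: an access is allowed
 * only when (linear - base) <= limit. With base 0, offset == address. */
static bool in_segment(const segment_t *s, uint32_t linear)
{
    if (linear < s->base)
        return false;
    return (linear - s->base) <= s->limit;
}

#define USER_TOP     0xC0000000u /* i386 Linux TASK_SIZE: end of user space */
#define STACK_BOTTOM 0xBF000000u /* constructed: lowest address of the stack */

/* Stock layout: CS covers all of user space, so it overlaps the stack. */
static const segment_t cs_stock   = { "CS (stock)",   0, USER_TOP - 1 };
/* Patched layout (modelled): same base, limit lowered below the stack. */
static const segment_t cs_reduced = { "CS (reduced)", 0, STACK_BOTTOM - 1 };
/* DS/SS are untouched: data pointers can still reach every user address,
 * which is why static and automatic variables need no separate segments. */
static const segment_t ds_flat    = { "DS/SS",        0, USER_TOP - 1 };

/* Could an instruction fetch at addr succeed through this code segment? */
bool fetchable(const segment_t *cs, uint32_t addr)
{
    return in_segment(cs, addr);
}

/* Could a data read or write at addr succeed through this data segment? */
bool accessible(const segment_t *ds, uint32_t addr)
{
    return in_segment(ds, addr);
}

int main(void)
{
    const uint32_t stack_addr = 0xBFFFF000u; /* constructed: inside the stack */
    const uint32_t text_addr  = 0x08048000u; /* usual i386 ELF text start */
    const segment_t *cs[] = { &cs_stock, &cs_reduced };

    for (int i = 0; i < 2; i++) {
        printf("%-13s fetch @%08x: %s   fetch @%08x: %s\n", cs[i]->name,
               text_addr,  fetchable(cs[i], text_addr)  ? "ok" : "#GP",
               stack_addr, fetchable(cs[i], stack_addr) ? "ok" : "#GP");
    }
    printf("%-13s data  @%08x: %s\n", ds_flat.name, stack_addr,
           accessible(&ds_flat, stack_addr) ? "ok" : "#GP");
    return 0;
}
```

The reduced segment rejects the fetch from the stack address with a general protection fault while the same address remains readable and writable through DS/SS, which is the whole effect the post describes: no change to the segments' bases, no separation of stack from data, only a shorter code segment.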

Signed,
Solar Designer
