Bugtraq mailing list archives

Re: Solaris 7 x86 lpset exploit.


From: peter () GRENDEL ENG BAILEYNM COM (Peter da Silva)
Date: Mon, 1 May 2000 10:59:00 -0500


In article <200004291624.MAA19828 () twig rodents montreal qc ca>,
der Mouse  <mouse () RODENTS MONTREAL QC CA> wrote:
> data around.  Another possible way around it would be to cause gcc to
> keep part of the stack in the data segment, out of what the kernel
> thinks of as the stack, and have it do its trampolines there.  This
> runs into big problems with setjmp and other nonlocal exits, and
> possibly with signal handlers as well.)

You could handle that by having a frame pointer on the processor stack
point into the function's executable stack frame (if it has one) on the
trampoline stack, rather than having a permanent stack pointer into this
space. I don't think there would be any issues with this, unless you're
trying to use setjmp/longjmp for coroutines or something perverse like
that.
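The difference between the two designs discussed above (a permanent pointer into a separate trampoline stack versus a per-frame pointer into it) can be made concrete with plain data. The program below is an added example, not code from this thread or from gcc: the "trampoline stack" is an array of small data slots standing in for the executable trampolines (no executable memory is mapped), and a callee performs a non-local exit with longjmp. Scheme A keeps a global side-stack pointer and gets out of step after the longjmp, because the abandoned frame's release never runs; scheme B anchors each frame's slot index in the frame itself (what a frame pointer into the trampoline stack would encode), so the resumed frame still knows its own slot and the next call reuses the abandoned one.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRAMP_SLOTS 8
#define SLOT_BYTES  16

/* Side stack of fixed-size slots, a stand-in for a trampoline stack.
 * Each slot holds a tag naming the function that "owns" it. */
static char tramp_stack[TRAMP_SLOTS][SLOT_BYTES];

static jmp_buf escape;

/* ---- Scheme A: permanent side-stack pointer ---------------------------- */
static size_t a_sp;                 /* index of the next free slot */

static size_t a_enter(const char *tag) {
    size_t slot = a_sp++;
    strncpy(tramp_stack[slot], tag, SLOT_BYTES - 1);
    tramp_stack[slot][SLOT_BYTES - 1] = '\0';
    return slot;
}
static void a_leave(void) { a_sp--; }

static void a_inner(void) {
    a_enter("inner");
    longjmp(escape, 1);             /* non-local exit: a_leave never runs */
}

/* Side-stack pointer after the non-local exit has unwound. With balanced
 * enter/leave it would be 0; scheme A leaves the abandoned slot counted. */
size_t scheme_a_leaked_slots(void) {
    a_sp = 0;
    a_enter("outer");
    if (setjmp(escape) == 0)
        a_inner();
    a_leave();                      /* outer's own leave */
    return a_sp;                    /* 1: inner's slot was never released */
}

/* ---- Scheme B: slot index anchored in each frame ----------------------- */
/* Each function receives its depth on the trampoline stack and keeps it in a
 * local; nothing global has to be kept in step with the processor stack. */
static size_t b_enter(size_t depth, const char *tag) {
    strncpy(tramp_stack[depth], tag, SLOT_BYTES - 1);
    tramp_stack[depth][SLOT_BYTES - 1] = '\0';
    return depth;
}

static void b_inner(size_t depth) {
    b_enter(depth, "inner");
    longjmp(escape, 1);             /* same non-local exit as in scheme A */
}

/* 1 if, after the non-local exit, the next callee lands in the slot the
 * abandoned frame occupied (no leak, no drift), 0 otherwise. */
int scheme_b_reuses_slot(void) {
    size_t my = b_enter(0, "outer");   /* not modified after setjmp */
    if (setjmp(escape) == 0)
        b_inner(my + 1);
    /* Resumed in outer; its slot is still my == 0, so a fresh callee at
     * depth my + 1 overwrites "inner" instead of drifting one slot on. */
    size_t next = b_enter(my + 1, "next");
    return next == 1 && strcmp(tramp_stack[1], "next") == 0;
}

int main(void) {
    printf("scheme A: %zu slot(s) leaked after longjmp\n",
           scheme_a_leaked_slots());
    printf("scheme B: abandoned slot reused: %s\n",
           scheme_b_reuses_slot() ? "yes" : "no");
    return 0;
}
```

The per-frame scheme only addresses the unwinding problem; it says nothing about how the separate region would be mapped or protected, which is the part that matters for the non-executable-stack argument in the rest of the thread.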

