Bugtraq mailing list archives

Re: some PaX Q&A


From: der Mouse <mouse () RODENTS MONTREAL QC CA>
Date: Fri, 3 Nov 2000 17:48:57 -0500

[PaX] reduces the ways [a buffer] overflow can be (ab)used by an
attacker. namely, only already existing executable code (in the given
task's address space) can be executed, but *NEVER* the payload (as
long as no read/write/exec pages exist in the task, [...]).

What's to stop the attack from doing the bounce-off-libc trick to call
mprotect() to make the relevant page RO and executable, then into the
payload?

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

