[12755] in bugtraq
Re: WordPad/riched20.dll buffer overflow
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Mon Nov 29 14:27:22 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38409F25.597FDAAB@cse.ogi.edu>
Date: Sun, 28 Nov 1999 03:19:01 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To: Glynn Clements <glynn@SENSEI.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
Aleph, please kill my article if someone else says it better/first. I've been
waiting in silence for Solar Designer to speak up and end the debate about how
to do this, but I guess he's away from his e-mail.
Glynn Clements wrote:
> Christopher Rhodes wrote:
> > I think one of the major problems with the Linux implementation, and
> > apparently windows too, is that no one pays attention to the added security
> > provided by segmentation (at least to the point of putting the stack on a
> > different segment?)
>
> Having separate non-overlapping stack and data segments causes a great
> many problems if you want to be able to write programs in C, given
> that a data pointer has to be able to record the address of any
> variable, regardless of whether it is static (data segment) or
> automatic (stack segment).
This work has already been done: there is a kernel patch for Linux that makes
the stack segment non-executable. For details, go read Solar's source:
http://www.openwall.com/linux/
> There are workarounds (i.e. foregoing the simplicity of a flat memory
> model), but these are invariably either inefficient (e.g. the "huge"
> memory model found on 16-bit x86 C compilers), or not actually C (e.g.
> the "near" and "far" keywords in the language-which-looks-like-C-but-isn't
> that was commonly used for 16-bit x86 development).
The kernel patch makes no such compromise. As near as I can tell, it is
completely performance neutral, and largely transparent. The only compromise
is that special handling for signal delivery is required, which the kernel
patch provides.
> Also, using segmentation pretty much guarantees that your OS cannot be
> made to run on anything other than the x86 architecture (which is
> about the worst of the bunch; no sane person would use x86 if it wasn't
> for the compatibility issues).
Other, more sane, processors provide for read & no-execute pages, so you use a
different kernel MMU mechanism to make the stack non-executable. Thus, Casper
Dik has a similar kernel enhancement for Solaris that makes the stack
non-executable.
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
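Added example, not part of the thread and not code from Solar Designer's patch or Crispin's projects: a small userland check of whether a running process's stack mapping is executable, which is the property the non-executable-stack kernel patches discussed above enforce. It assumes a Linux `/proc/self/maps` whose stack line carries the `[stack]` annotation (a later kernel feature, not something the 1999 kernels had), and the two maps files it parses first are constructed samples embedded in the code.

```c
/* Added example (not from the Bugtraq thread): decide whether a process's
 * stack mapping carries the execute bit by parsing /proc/self/maps.
 * Assumed line format (modern Linux):
 *   start-end perms offset dev inode pathname
 * e.g. "bffeb000-c0000000 rw-p 00000000 00:00 0  [stack]"
 */
#include <stdio.h>
#include <string.h>

/* Result of the stack-permission probe. */
enum stack_exec { STACK_NOT_FOUND = -1, STACK_NX = 0, STACK_EXEC = 1 };

/* Parse one maps line. Returns 1 and copies the 4-character permission
 * field into perms (buffer of at least 5 bytes) when the line describes
 * the [stack] mapping, 0 for any other line. */
int parse_stack_line(const char *line, char *perms)
{
    unsigned long start, end;
    char p[8];
    char path[256];
    /* pathname is optional; anonymous mappings yield only 3 conversions */
    int n = sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s", &start, &end, p, path);
    (void)start;
    (void)end;
    if (n < 4 || strcmp(path, "[stack]") != 0)
        return 0;
    strncpy(perms, p, 4);
    perms[4] = '\0';
    return 1;
}

/* Scan an in-memory maps buffer (one mapping per line) and report whether
 * the [stack] mapping has the 'x' bit (third character of the perms field). */
enum stack_exec stack_exec_from_maps(const char *maps)
{
    const char *p = maps;
    char line[512];
    char perms[8];
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_stack_line(line, perms))
            return perms[2] == 'x' ? STACK_EXEC : STACK_NX;
        p = nl ? nl + 1 : p + len;
    }
    return STACK_NOT_FOUND;
}

/* Probe the live /proc/self/maps of this process. Returns STACK_NOT_FOUND
 * when the file cannot be read (non-Linux systems) or has no [stack] line. */
enum stack_exec stack_exec_live(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    char perms[8];
    enum stack_exec r = STACK_NOT_FOUND;
    if (!f)
        return r;
    while (fgets(line, sizeof line, f)) {
        if (parse_stack_line(line, perms)) {
            r = perms[2] == 'x' ? STACK_EXEC : STACK_NX;
            break;
        }
    }
    fclose(f);
    return r;
}

/* Constructed sample maps files: one with an executable stack (the
 * situation the thread is about) and one with the stack non-executable. */
static const char SAMPLE_EXEC_STACK[] =
    "08048000-0804c000 r-xp 00000000 03:01 12345      /bin/demo\n"
    "0804c000-0804d000 rw-p 00003000 03:01 12345      /bin/demo\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]\n";
static const char SAMPLE_NX_STACK[] =
    "08048000-0804c000 r-xp 00000000 03:01 12345      /bin/demo\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

int main(void)
{
    printf("constructed rwx stack: %d\n", stack_exec_from_maps(SAMPLE_EXEC_STACK));
    printf("constructed rw- stack: %d\n", stack_exec_from_maps(SAMPLE_NX_STACK));
    printf("this process: %d (-1 = no /proc/self/maps or no [stack] line)\n",
           stack_exec_live());
    return 0;
}
```

The live probe only reports what the MMU-level policy currently is for this one process; a stack that reads `rw-p` here is the state Crispin describes the kernel patch producing, while `rwxp` means the mapping is executable and the patch (or the platform's equivalent no-execute page bit) is not in effect.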