[12757] in bugtraq
Re: WordPad/riched20.dll buffer overflow
daemon@ATHENA.MIT.EDU (Glynn Clements)
Mon Nov 29 14:48:27 1999
Message-Id: <14401.15796.69000.520192@glynn.ingames.com>
Date: Sun, 28 Nov 1999 15:35:28 +0100
Reply-To: Glynn Clements <glynn@SENSEI.CO.UK>
From: Glynn Clements <glynn@SENSEI.CO.UK>
X-To: Crispin Cowan <crispin@cse.ogi.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38409F25.597FDAAB@cse.ogi.edu>
Crispin Cowan wrote:
> > > I think one of the major problems with the Linux implementation, and
> > > apparently windows too, is that no one pays attention to the added security
> > > provided by segmentation (at least to the point of putting the stack on a
> > > different segment?)
> >
> > Having separate non-overlapping stack and data segments causes a great
> > many problems if you want to be able to write programs in C, given
> > that a data pointer has to be able to record the address of any
> > variable, regardless of whether it is static (data segment) or
> > automatic (stack segment).
>
> This work has already been done: there is a kernel patch for Linux that makes
> the stack segment non-executable. For details, go read Solar's source:
> http://www.openwall.com/linux/
I'm aware of Solar Designer's patch. However, it isn't applicable to
my reply. My reply was regarding separating the stack and data
segments, not the code segment. Referring back, this may not have been
what the poster was talking about.
The code segment is a somewhat easier target. IIRC, C says very little
about function pointers. You are not guaranteed to be able to store a
function pointer in a "void *", "long" or anything other than a
pointer to that specific type of function.
Consequently, the code segment doesn't have to overlap either the
stack or data segments.
If the code and stack/data segments do overlap, then it doesn't matter
whether or not the stack/data segment is executable. You simply write
to the stack/data segment then execute the code via the code segment
(return addresses are implicitly relative to the code segment).
--
Glynn Clements <glynn@sensei.co.uk>
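The thread turns on whether a stack is executable at all. As an added example (not part of the original post or of Solar Designer's patch), here is a small Linux check that reads /proc/self/maps and reports whether the process's own stack mapping carries the execute bit; it assumes the usual maps line format "start-end perms offset dev inode path", and the sample excerpts are constructed.

```c
/* Added example, not from the original post: tell whether a Linux process
 * carries an executable stack by parsing /proc/self/maps. Assumes the usual
 * maps line format "start-end perms offset dev inode path". */
#include <stdio.h>
#include <string.h>

/* Returns 1 if any [stack] mapping has the 'x' permission bit, 0 if stack
 * mappings exist but none is executable, -1 if no [stack] line was found. */
int maps_stack_executable(const char *maps)
{
    int found = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512], perms[8]; unsigned long start, end;
        if (len >= sizeof line) len = sizeof line - 1; /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        /* Parse range and perms; "[stack" also matches per-thread "[stack:tid]" lines. */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) == 3 &&
            strstr(line, "[stack") != NULL) {
            if (strchr(perms, 'x'))
                return 1;
            found = 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return found ? 0 : -1;
}

/* Constructed sample excerpts: a non-executable stack and an RWX one. */
static const char SAMPLE_NX[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /bin/demo\n"
    "7ffd1000-7ffd3000 rw-p 00000000 00:00 0 [stack]\n";
static const char SAMPLE_X[] =
    "7ffd1000-7ffd3000 rwxp 00000000 00:00 0 [stack]\n";

int main(void)
{
    static char buf[1 << 16];
    size_t n = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) { n = fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    buf[n] = '\0';
    printf("sample nx: %d, sample rwx: %d, this process: %d\n",
           maps_stack_executable(SAMPLE_NX), maps_stack_executable(SAMPLE_X),
           maps_stack_executable(buf));
    return 0;
}
```

A result of 1 for a running binary usually means it was linked with an executable-stack marking (or the kernel lacks non-executable stack support), which is the condition the patch discussed above is meant to remove.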