[12768] in bugtraq

Re: WordPad/riched20.dll buffer overflow

daemon@ATHENA.MIT.EDU (Solar Designer)
Tue Nov 30 11:36:36 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <199911292040.XAA04084@false.com>
Date:         Mon, 29 Nov 1999 23:40:29 +0300
Reply-To: Solar Designer <solar@FALSE.COM>
From: Solar Designer <solar@FALSE.COM>
X-To:         crispin@CSE.OGI.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <38409F25.597FDAAB@cse.ogi.edu> from Crispin Cowan at "Nov 28,
              99 03:19:01 am"

> Aleph, please kill my article if someone else says it better/first.  I've been
> waiting in silence for Solar Designer to speak up and end the debate about how
> to do this, but I guess he's away from his e-mail.

I was simply unsure if we really need to repeat this discussion (it's
been on the list already). ;-)

> > Having separate non-overlapping stack and data segments causes a great
> > many problems if you want to be able to write programs in C, given
> > that a data pointer has to be able to record the address of any
> > variable, regardless of whether it is static (data segment) or
> > automatic (stack segment).
>
> This work has already been done:  there is a kernel patch for Linux that makes
> the stack segment non-executable.  For details, go read Solar's source:
> http://www.openwall.com/linux/

In reality, the patch does exactly what it says it does: make the
user stack area (a range of user-space addresses) non-executable.

It does _not_ make the segment (in the x86 sense) non-executable (in
fact, it was already non-executable by definition; it is overlapping
with the code segment which allowed for execution on the stack).

To answer the paragraph you were replying to as well, the patch also
does _not_ stop stack and data segments from overlapping (in fact,
with the Linux 2.2 version of the patch, the stack and data segments
even share the same descriptor table entry).  I don't see how this
restriction can be related to the execute permissions, though.

What the patch does is reduce the user-space code segment limit so
that the segment does not cover the range of addresses allocated to
the stack.  The base addresses continue to match.

Signed,
Solar Designer
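As an added illustration of the mechanism described in the message above (this is editorial example code, not Solar Designer's patch and not taken from the Openwall source), the following C model shows why lowering the code segment limit blocks instruction fetch from the stack while leaving ordinary C pointers to stack variables working. It simulates the x86 limit check: an access through a segment faults (#GP) when its offset exceeds the segment's limit. All segments keep base 0, so an offset is the linear address, which is why data and stack can share one descriptor and the same pointer value reaches both. The address constants (USER_TOP, STACK_BOTTOM, TEXT_ADDR, STACK_ADDR) are constructed for the demonstration and are not the values used by the real patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A segment as described by an x86 descriptor: linear base plus the
 * highest valid offset (limit). */
typedef struct {
    uint32_t base;
    uint32_t limit;
} segment_t;

/* Constructed layout for illustration only; not the patch's real constants. */
#define USER_TOP      0xBFFFFFFFu   /* top of the user-space address range */
#define STACK_BOTTOM  0xBF000000u   /* lowest address of the stack area    */
#define TEXT_ADDR     0x08048000u   /* an address inside program text      */
#define STACK_ADDR    0xBFFFF000u   /* an address inside the stack area    */

/* Segment register contents before and after the patch (assumed shape).
 * Every base is 0, so offset == linear address: a C pointer to an
 * automatic (stack) variable and one to a static (data) variable are
 * plain linear addresses and remain interchangeable. */
const segment_t cs_flat    = { 0, USER_TOP };          /* unpatched: CS covers the stack */
const segment_t cs_patched = { 0, STACK_BOTTOM - 1 };  /* patched: CS limit pulled below the stack */
const segment_t ds_and_ss  = { 0, USER_TOP };          /* data and stack share one descriptor */

/* x86 limit check: the CPU raises #GP when an offset exceeds the limit. */
static bool offset_in_segment(const segment_t *seg, uint32_t addr)
{
    if (addr < seg->base)            /* below the segment base: unreachable */
        return false;
    return (addr - seg->base) <= seg->limit;
}

/* Instruction fetch is checked against CS. */
bool can_execute(const segment_t *cs, uint32_t addr)
{
    return offset_in_segment(cs, addr);
}

/* Loads, stores, push and pop are checked against DS or SS. */
bool can_access_data(const segment_t *ds, uint32_t addr)
{
    return offset_in_segment(ds, addr);
}

int main(void)
{
    printf("flat CS,    fetch from stack : %s\n", can_execute(&cs_flat, STACK_ADDR) ? "ok" : "#GP");
    printf("patched CS, fetch from stack : %s\n", can_execute(&cs_patched, STACK_ADDR) ? "ok" : "#GP");
    printf("patched CS, fetch from text  : %s\n", can_execute(&cs_patched, TEXT_ADDR) ? "ok" : "#GP");
    printf("DS/SS,      data on stack    : %s\n", can_access_data(&ds_and_ss, STACK_ADDR) ? "ok" : "#GP");
    printf("DS/SS,      data in text     : %s\n", can_access_data(&ds_and_ss, TEXT_ADDR) ? "ok" : "#GP");
    return 0;
}
```

The model makes the two separate points of the reply visible: the execute restriction comes purely from the CS limit, not from the stack living in its own segment, and because DS and SS keep the full user range with the same base, the overlap that C pointers depend on is untouched.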