[14863] in bugtraq

Re: non-exec stack

daemon@ATHENA.MIT.EDU (Casper Dik)
Wed May 10 20:58:01 2000

Message-Id:  <200005091928.VAA17162@romulus.Holland.Sun.COM>
Date:         Tue, 9 May 2000 21:28:40 +0200
Reply-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To:         Gert Doering <gert@greenie.muc.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Tue, 09 May 2000 21:12:51 +0200." 
              <20000509211251.C23536@greenie.muc.de>

>Hi,
>
>On Mon, May 08, 2000 at 10:06:04AM +0200, Casper Dik wrote:
>> >Here's an overflow exploit that works on a non-exec stack on x86 boxes.
>> >It demonstrates how it is possible to thread together several libc
>> >calls.  I have not seen any other exploits for x86 that have done this..
>>
>> Non-executable stacks do not work in Solaris/x86.
>>
>> It is impossible to give page level protection that prevents
>> execution on the x86 architecture.
>
>Hmmm, so how do they do that on Linux?  I thought Solar Designer had a
>non-exec-stack patch for Linux.


Yes, but I don't think you can "mprotect" that stack back page by
page to allow execute permission.

Casper
