[14872] in bugtraq
Re: non-exec stack
daemon@ATHENA.MIT.EDU (Nate Eldredge)
Thu May 11 23:04:52 2000
Message-Id: <14617.64723.929839.560557@mercury.st.hmc.edu>
Date: Wed, 10 May 2000 17:20:35 -0700
Reply-To: Nate Eldredge <neldredge@HMC.EDU>
From: Nate Eldredge <neldredge@HMC.EDU>
X-To: Gert Doering <gert@GREENIE.MUC.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000509211251.C23536@greenie.muc.de>
Gert Doering writes:
> Hi,
>
> On Mon, May 08, 2000 at 10:06:04AM +0200, Casper Dik wrote:
> > >Here's an overflow exploit that works on a non-exec stack on x86 boxes.
> > >It demonstrates how it is possible to thread together several libc
> > >calls. I have not seen any other exploits for x86 that have done this..
> >
> > Non-executable stacks do not work in Solaris/x86.
> >
> > It is impossible to give page level protection that prevents
> > execution on the x86 architecture.
>
> Hmmm, so how do they do that on Linux? I thought Solar Designer had a
> non-exec-stack patch for Linux.
Presumably you could map the code segment so as to exclude the stack.
Then, since a user-mode program cannot change the segmentation without
kernel assistance, the stack would not be executable.
--
Nate Eldredge
neldredge@hmc.edu
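The mechanism Nate sketches above, as an added example that is not part of the original thread: a small C model of the 32-bit x86 code-segment limit check, showing why a code segment whose limit ends below the stack makes the stack unfetchable even though the page tables of that era carried no execute bit. The descriptor fields and the address layout (text at 0x08048000, a library at 0x40010000, stack at 0xBFFFF000) are constructed for illustration; this is a simulation of the CPU's rule, not kernel code from any patch.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the 32-bit x86 code-segment limit check.  Constructed
 * illustration, not kernel code: it reproduces the rule the CPU applies
 * on every instruction fetch (the offset must lie within the CS limit)
 * so the effect of trimming the code segment below the stack is visible.
 */
struct code_seg {
    uint32_t base;     /* segment base address (linear) */
    uint32_t limit;    /* raw 20-bit limit field from the descriptor */
    int      granular; /* G bit: 1 = limit counts 4 KiB pages, 0 = bytes */
};

/* With G=1 the hardware treats the low 12 bits of the limit as all ones. */
static uint32_t effective_limit(const struct code_seg *cs)
{
    return cs->granular ? (cs->limit << 12) | 0xFFFu : cs->limit;
}

/*
 * Instruction fetch of `len` bytes at linear address `addr`.  The CPU forms
 * the offset EIP = addr - base and raises #GP(0) if any byte of the
 * instruction lies beyond the limit.  Page-table bits play no part in this
 * check, which is why it works on CPUs whose PTEs have no execute bit.
 * Returns 1 if the fetch is permitted, 0 if it would fault.
 */
static int fetch_allowed(const struct code_seg *cs, uint32_t addr, uint32_t len)
{
    uint32_t eip = addr - cs->base;
    if (len == 0 || eip > UINT32_MAX - (len - 1))
        return 0;                       /* would wrap around the 4 GiB space */
    return eip + (len - 1) <= effective_limit(cs);
}

/* Constructed i386 Linux-style layout (illustrative addresses, not measured). */
#define TEXT_ADDR  0x08048000u  /* main executable .text */
#define LIB_ADDR   0x40010000u  /* a shared library placed by mmap() */
#define STACK_ADDR 0xBFFFF000u  /* top-of-stack page, where injected code would sit */

/* Flat code segment as normally set up: 0..4 GiB (G=1, limit field 0xFFFFF). */
static const struct code_seg flat_cs    = { 0, 0xFFFFFu, 1 };
/* Trimmed code segment: ends at 0xBEFFFFFF, just below the stack region. */
static const struct code_seg trimmed_cs = { 0, 0xBEFFFu, 1 };
/* Over-trimmed: ends at 0x3FFFFFFF, below the mmap() area as well. */
static const struct code_seg tight_cs   = { 0, 0x3FFFFu, 1 };

static void report(const char *name, const struct code_seg *cs)
{
    printf("%-8s limit=0x%08x  text:%s  lib:%s  stack:%s\n", name,
           effective_limit(cs),
           fetch_allowed(cs, TEXT_ADDR, 1)  ? "exec" : "#GP",
           fetch_allowed(cs, LIB_ADDR, 1)   ? "exec" : "#GP",
           fetch_allowed(cs, STACK_ADDR, 1) ? "exec" : "#GP");
}

int main(void)
{
    report("flat", &flat_cs);      /* everything, including the stack, fetchable */
    report("trimmed", &trimmed_cs);/* stack faults, text and library still run */
    report("tight", &tight_cs);    /* library above the limit faults as well */
    return 0;
}
```

Two consequences fall out of the model. The limit is a single contiguous boundary, so everything mapped above it, including shared libraries placed by mmap(), becomes unfetchable; a kernel using this trick has to keep library mappings below the limit (the "tight" case shows what happens otherwise). And "without kernel assistance" has to be enforced: on Linux an unprivileged process can install LDT descriptors through modify_ldt(2), so the kernel must also refuse to install a code descriptor wider than the trimmed one, or the process simply reinstates a flat segment and jumps to the stack through it. Later x86 processors added a per-page execute-disable bit (with PAE or 64-bit page tables), which is what current non-executable stacks rely on; the segment-limit approach is what the hardware of the time offered.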