Re: Minutes from Feb 21 LSE Call

Benjamin LaHaise (bcrl@redhat.com)
Sun, 23 Feb 2003 20:25:12 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Kenneth Johansson: "Re: Minutes from Feb 21 LSE Call"
Previous message: Pete Zaitcev: "State of sparc32 union"

On Sun, Feb 23, 2003 at 01:45:16PM -0800, Linus Torvalds wrote:
> The x86 has that stupid "executablility is tied to a segment" thing, which
> means that you cannot make things executable on a page-per-page level.
> It's a mistake, but it's one that _could_ be fixed in the architecture if
> it really mattered, the same way the WP bit got fixed in the i486.

I've been thinking about this recently, and it turns out that the whole
point is moot with a fixed address vsyscall page: non-exec stacks are
trivially circumvented by using the vsyscall page as a known starting
point for the exploite. All the other tricks of changing the starting
stack offset and using randomized load addresses don't help at all,
since the exploite can merely use the vsyscall page to perform various
operations. Personally, I'm still a fan of the shared library vsyscall
trick, which would allow us to randomize its laod address and defeat
this problem.

-ben
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kenneth Johansson: "Re: Minutes from Feb 21 LSE Call"
Previous message: Pete Zaitcev: "State of sparc32 union"