Re: Unexecutable Stack / Buffer Overflow Exploits...

Pavel Machek (pavel@suse.cz)
Tue, 4 Jan 2000 22:03:40 +0100


Hi!

> At the same time, this is likely to sooner or later crash a vulnerable daemon
> that does not fork for serving new connections (especially a stateful daemon
> that keeps some state info on connections). The reason being that a daemon with
> an exploitable bug is not likely to survive being passed bogus arguments time
> after time (example - named). In other words - the technique you describe has a
> wide application but not as wide as a simple stack smash on an exec stack
> system. So having the stack non-exec and libs mapped to an address containing
> 0x00:

Why not map _everything_ to an address containing 0x00? It
probably is not trivial (you may not put it at 00XXXXXX; it would be
useless because we are little-endian. Putting .text at XX00XXXX is
probably non-trivial but doable...). It is definitely doable on 64-bit
systems.
Pavel
PS: If even the stack is put at a place with a zero in its address, isn't that
enough to stop all exploits even without a non-executable stack?

> 1. Raises the bar quite a bit (though not as high as expected).
> 2. Makes the exploits for Linux and for stack-exec systems like Solaris, etc
> quite different which gives everyone some additional space to
> maneuver.

-- 
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org

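The little-endian point made in the message above (a zero in the top byte of an address is still reachable by a string copy, a zero in a lower byte is not), as an added example that is not part of the original thread. It models a strcpy-style copy writing one 32-bit word over a slot; the addresses and the 0xAAAAAAAA "previous contents" are constructed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulates a NUL-terminated string copy (strcpy semantics) writing a
 * 32-bit little-endian word over a slot that currently holds `old`.
 * The copy stops at the first zero byte of the source and writes one
 * terminating zero there; the remaining bytes of the slot keep their
 * old contents. Returns the word that ends up in the slot. */
uint32_t nul_copy_le32(uint32_t old, uint32_t wanted)
{
    unsigned char slot[4], src[4];
    for (int i = 0; i < 4; i++) {
        slot[i] = (old >> (8 * i)) & 0xFF;    /* current contents, little-endian */
        src[i] = (wanted >> (8 * i)) & 0xFF;  /* bytes the copy reads, low byte first */
    }
    int n = 0;
    while (n < 4 && src[n] != 0) { slot[n] = src[n]; n++; }
    if (n < 4) slot[n] = 0;                   /* the copy's own terminator */
    uint32_t out = 0;
    for (int i = 0; i < 4; i++) out |= (uint32_t)slot[i] << (8 * i);
    return out;
}

/* True when the whole wanted value survives a single NUL-terminated copy. */
bool survives_nul_copy(uint32_t wanted)
{
    return nul_copy_le32(0xAAAAAAAAu, wanted) == wanted;
}

int main(void)
{
    /* Constructed sample addresses: zero in the top byte (00XXXXXX),
     * zero in a middle byte (XX00XXXX, XXXX00XX), zero in the low byte,
     * and no zero at all. */
    uint32_t samples[] = { 0x00401234u, 0x40001234u, 0x40120034u,
                           0x40123400u, 0x40123456u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x -> 0x%08x %s\n", samples[i],
               nul_copy_le32(0xAAAAAAAAu, samples[i]),
               survives_nul_copy(samples[i]) ? "(fully delivered)" : "(truncated)");
    return 0;
}
```

Only the 00XXXXXX case is delivered intact, because on a little-endian machine its zero is the last byte written and coincides with the copy's own terminator; any zero in a lower byte cuts the copy short, which is why the message argues for XX00XXXX rather than 00XXXXXX.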