>
> On Sun, 4 May 2003, Calin A. Culianu wrote:
>
> > IIRC, x86 ints have the high-order byte _last_ (ie the fourth byte).
> > What's to stop someone from, say, smashing a buffer (and consequently
> > return-address) on the stack using something like {0x01, 0x01, 0x01,
> > 0x00} which is really address '65793' in base-10. The above is a valid
> > ASCII string (3 1's followed by a NUL) which could conceivably end up on
> > the stack as the result of an errant strcpy() or gets() or whatever...
>
> you are right, it is possible to use the enclosing \0 to generate an
> address into the first 16MB, but how do you get any arguments passed to
> that function?
Hehe you're right.. because of the trailing NUL it's impossible to get any
custom args passed to anything (like maybe libc.so's system() for
instance).
Yes, so this is a good layer of protection, because all the addresses
below 16MB guarantee this feature, at least...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/