Re: [Announcement] "Exec Shield", new Linux security feature

H. Peter Anvin (hpa@zytor.com)
Sun, 04 May 2003 20:14:32 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Eric W. Biederman: "Re: 2.5.68-mm4 && kexec"
Previous message: Art Haas: "[PATCH] Add C99 initializers to kernel/sysctl.c"

Chuck Ebbert wrote:
>>There is another issue: x86 uses relative jumps, so although "ASCII
>>armor" addresses aren't easily accessible using return address smashes
>>(although the \0 at the end thing is a real issue), you may be able to
>>get to them through a jump instruction.
>
> Does the instruction-pointer-relative data addressing mode added by
> AMD64 make these exploits easier? Maybe someone should be working on a
> version of this patch for that platform...
>

No, they don't, not if your mode of exploit is hacking return addresses
on the stack.

AMD64 makes this pretty easy, *ALL* user-space addresses are in the
"ASCII armour" area, and it supports exec-off. Apparently this is
currently off by default, but Andi Kleen says that they have identified
the bug that caused it and they're making it available as a kernel option.

-hpa

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric W. Biederman: "Re: 2.5.68-mm4 && kexec"
Previous message: Art Haas: "[PATCH] Add C99 initializers to kernel/sysctl.c"