Bugtraq mailing list archives
Re: Smashing the stack
From: sommerfeld () apollo hp com (Bill Sommerfeld)
Date: Tue, 21 Jan 1997 10:50:59 -0500
> Some architectures grow the stack "upwards" in memory instead of "downwards"; this means that buffer overrun doesn't overwrite existing stack frames at all.
This doesn't follow at all. The buffer which is overrun could have been allocated within a separate frame from the frame which actually "commits" the overrun, e.g.:

    #include <stdio.h>

    void foo(void)
    {
        char buf[10];   /* buf is allocated in foo's frame */
        gets(buf);      /* the overrun itself happens inside gets() */
    }

The actual overrun occurs in gets(), which writes to memory which is "below" the stack location of gets's frame, so (in the case of a hypothetical machine with an upward-growing stack) the flow of control is derailed on return from gets(), not return from foo()...

- Bill
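The frame geometry discussed above, as an added example that is not part of the original post or written by anyone in this thread: a small C model of a main -> foo -> gets call chain laid out on a downward-growing and on an upward-growing stack, with gets() writing past buf toward higher addresses. It assumes a simplified frame layout (a saved return address at the caller's edge of each frame, locals extending in the direction of growth, 16 bytes of locals per frame, buf at the low end of foo's locals); the sizes and the function name first_clobbered_return are illustrative choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy stack: a flat array of STACK_BYTES offsets. Assumed frame layout
 * (an assumption of this example, not a description of any real ABI):
 * each frame holds a RET_BYTES saved return address on the side facing its
 * caller and LOCAL_BYTES of locals extending in the direction of growth. */
#define STACK_BYTES 128
#define RET_BYTES   8
#define LOCAL_BYTES 16
#define NFRAMES     3

enum direction { GROWS_DOWN, GROWS_UP };

struct frame {
    const char *name;
    size_t ret_lo;   /* [ret_lo, ret_lo + RET_BYTES) holds the saved return address */
    size_t loc_lo;   /* [loc_lo, loc_lo + LOCAL_BYTES) holds the locals */
};

/* Lay out the frames for main -> foo -> gets, innermost pushed last. */
static void lay_out(enum direction dir, struct frame f[NFRAMES])
{
    static const char *const names[NFRAMES] = { "main", "foo", "gets" };
    /* offset at which the next frame touches its caller */
    size_t edge = (dir == GROWS_DOWN) ? STACK_BYTES : 0;

    for (int i = 0; i < NFRAMES; i++) {
        f[i].name = names[i];
        if (dir == GROWS_DOWN) {
            f[i].ret_lo = edge - RET_BYTES;          /* return address above locals */
            f[i].loc_lo = f[i].ret_lo - LOCAL_BYTES;
            edge = f[i].loc_lo;                      /* callee goes below */
        } else {
            f[i].ret_lo = edge;                      /* return address below locals */
            f[i].loc_lo = edge + RET_BYTES;
            edge = f[i].loc_lo + LOCAL_BYTES;        /* callee goes above */
        }
    }
}

/* gets(buf) writes n bytes starting at buf (in foo's frame) toward higher
 * addresses. Returns the name of the frame whose saved return address the
 * write reaches first, or "none" if it stays inside foo's locals. */
const char *first_clobbered_return(enum direction dir, size_t n)
{
    struct frame f[NFRAMES];
    lay_out(dir, f);

    size_t buf = f[1].loc_lo;      /* char buf[10] at the low end of foo's locals */
    size_t end = buf + n;          /* one past the last byte gets() writes */
    const char *hit = "none";
    size_t hit_at = (size_t)-1;

    for (int i = 0; i < NFRAMES; i++) {
        size_t r = f[i].ret_lo;
        /* does the slot [r, r + RET_BYTES) overlap the written range [buf, end)? */
        if (r < end && r + RET_BYTES > buf && r < hit_at) {
            hit_at = r;
            hit = f[i].name;
        }
    }
    return hit;
}

int main(void)
{
    const size_t lengths[] = { 10, 17, 40 };   /* constructed input lengths */

    for (int d = GROWS_DOWN; d <= GROWS_UP; d++) {
        printf("stack grows %s:\n", d == GROWS_DOWN ? "down" : "up");
        for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
            printf("  gets() writes %2zu bytes -> first return address hit: %s\n",
                   lengths[i], first_clobbered_return((enum direction)d, lengths[i]));
    }
    return 0;
}
```

With the stack growing down, the 17-byte write runs through the rest of foo's locals into foo's own saved return address, so control is lost when foo() returns; with the stack growing up, the same write runs off the top of foo's locals into the frame pushed after it, which is gets's, so control is lost when gets() returns. In neither model does the overrun leave every frame untouched.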
Current thread:
- [linux-security] SECURITY: Important bug fix for /sbin/login, (continued)
- [linux-security] SECURITY: Important bug fix for /sbin/login Erik Troan (Jan 16)
- Smashing the stack on a DEC Alpha Lamont Granquist (Jan 16)
- Re: Smashing the stack on a DEC Alpha Digital Dreamer (Jan 16)
- Re: Smashing the stack on a DEC Alpha Julian Assange (Jan 16)
- FreeBSD Security Advisory: SA-96:21 - talkd FreeBSD Security Officer (Jan 18)
- Re: FreeBSD Security Advisory: SA-96:21 - talkd Theo de Raadt (Jan 20)
- talkd problem Theo de Raadt (Jan 20)
- Re: talkd problem David Holland (Jan 20)
- Smashing the stack Zygo Blaxell (Jan 20)
- Re: Smashing the stack David Holland (Jan 20)
- Re: Smashing the stack Bill Sommerfeld (Jan 21)
- [linux-security] write(1) leak David Holland (Jan 19)
- [linux-security] write(1) leak David Holland (Jan 20)