Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: chrisr () VERIMAIL COM (Christopher Rhodes)
Date: Fri, 26 Nov 1999 14:06:26 -0700
The 386 and up supports no-exec, but only on differing segments. Most OS systems aren't properly implemented on the 386+ architecture. The 386+ supports read-only pages in the paging architecture, but to separate executable code from stack and data, you have to point the segment registers at differing memory areas. If they overlap, which simplifies memory management, then the code, data and stack are all shared. An entire segment, according to the Intel documentation, can be set aside as non-executable.

I think one of the major problems with the Linux implementation, and apparently Windows too, is that no one pays attention to the added security provided by segmentation (at least to the point of putting the stack on a different segment?). I've not delved into that portion of the Linux source, but maybe I will someday if I have some free time.

(I got my info from a copy of Intel's Pentium Family Processor Architecture and Programming Manual.)

(I'm talking about the code and data bits in the segment registers.)

Chris Rhodes

On Fri, 26 Nov 1999 pedward () WEBCOM COM wrote:
> I seem to recall a Linux kernel guru explaining that the x86 MMU doesn't
> actually support non-exec pages, or some such. It doesn't support it, or
> it just doesn't work right. I remember bringing up the issue of noexec
> and that was the answer.
>
> --Perry
>
> > Ok, here it is, on page 58, it's talking about Access Control of
> > virtual pages, and it says, literally: if a page can be read, it can be
> > executed.
> >
> > I remember that this took my attention for some days, then I forgot
> > about it, until you mentioned it.
> >
> > richie
>
> --
> Perry Harrington
> Director of System Architecture
> perry () webcom com
> Think Blue.   zelur xuniL   ()   /\
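The two mechanisms argued over above, segment limits (Rhodes) versus page-table bits (the manual passage Richarte quotes), as a small C model. This is an added example and is not code from any poster in the thread: it packs and unpacks 32-bit IA-32 code/data segment descriptors and non-PAE page-table entries following the documented bit layout, then runs the permission checks the hardware applies. The flat and split GDT layouts, the stack address and the PTE values are constructed for illustration. The split layout, a code segment whose limit ends below the stack, is the trick later used by Solar Designer's non-executable stack patch for Linux and by PaX SEGMEXEC.

```c
/* IA-32 segmentation vs. paging permission checks, modelled in user space.
 * Added example: it does not touch a real GDT or page table, it only
 * reproduces the checks the hardware performs on the documented formats. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

typedef struct {
    uint32_t base;
    uint32_t limit;   /* raw 20-bit limit field */
    bool     g;       /* G bit: limit is in 4 KiB units */
    bool     code;    /* type bit 3: 1 = code segment, 0 = data segment */
    bool     rw;      /* type bit 1: R (readable) for code, W (writable) for data */
    uint8_t  dpl;
} seg_t;

seg_t seg_make(uint32_t base, uint32_t limit, bool g, bool code, bool rw, uint8_t dpl)
{
    seg_t s = { base, limit & 0xFFFFF, g, code, rw, (uint8_t)(dpl & 3) };
    return s;
}

/* Pack into the 8-byte descriptor (bit numbers are over the whole qword). */
uint64_t seg_encode(const seg_t *s)
{
    uint64_t d = 0;
    d |= (uint64_t)(s->limit & 0xFFFF);                 /* limit[15:0]  */
    d |= (uint64_t)(s->base & 0xFFFF) << 16;            /* base[15:0]   */
    d |= (uint64_t)((s->base >> 16) & 0xFF) << 32;      /* base[23:16]  */
    d |= (uint64_t)(s->rw ? 1 : 0) << 41;               /* type bit 1   */
    d |= (uint64_t)(s->code ? 1 : 0) << 43;             /* type bit 3   */
    d |= (uint64_t)1 << 44;                             /* S: code/data */
    d |= (uint64_t)(s->dpl & 3) << 45;                  /* DPL          */
    d |= (uint64_t)1 << 47;                             /* P: present   */
    d |= (uint64_t)((s->limit >> 16) & 0xF) << 48;      /* limit[19:16] */
    d |= (uint64_t)1 << 54;                             /* D/B: 32-bit  */
    d |= (uint64_t)(s->g ? 1 : 0) << 55;                /* G            */
    d |= (uint64_t)((s->base >> 24) & 0xFF) << 56;      /* base[31:24]  */
    return d;
}

seg_t seg_decode(uint64_t d)
{
    seg_t s;
    s.limit = (uint32_t)(d & 0xFFFF) | (uint32_t)(((d >> 48) & 0xF) << 16);
    s.base  = (uint32_t)((d >> 16) & 0xFFFF)
            | (uint32_t)(((d >> 32) & 0xFF) << 16)
            | (uint32_t)(((d >> 56) & 0xFF) << 24);
    s.rw   = (d >> 41) & 1;
    s.code = (d >> 43) & 1;
    s.dpl  = (uint8_t)((d >> 45) & 3);
    s.g    = (d >> 55) & 1;
    return s;
}

/* Byte-granular limit: with G=1 the hardware fills the low 12 bits with ones. */
uint32_t seg_effective_limit(const seg_t *s)
{
    return s->g ? ((s->limit << 12) | 0xFFF) : s->limit;
}

/* Segment-level check for an access at `offset` within segment `s`.
 * Returns true if allowed; false stands for the #GP/#SS fault. */
bool seg_allows(const seg_t *s, uint32_t offset, enum access a)
{
    if (offset > seg_effective_limit(s))
        return false;                       /* outside the segment limit */
    switch (a) {
    case ACC_EXEC:  return s->code;         /* only a code segment may be fetched from */
    case ACC_WRITE: return !s->code && s->rw; /* code segments are never writable */
    case ACC_READ:  return !s->code || s->rw; /* a code segment needs the R bit */
    }
    return false;
}

/* 32-bit non-PAE page-table entry, checked for a user-mode access.
 * Bits: 0 = P, 1 = R/W, 2 = U/S. There is no execute bit, so an
 * instruction fetch passes exactly when a read would. */
bool pte_allows_user(uint32_t pte, enum access a)
{
    bool present = pte & 1, writable = pte & 2, user = pte & 4;
    if (!present || !user) return false;
    if (a == ACC_WRITE) return writable;
    return true;                            /* read and execute are the same test */
}

int main(void)
{
    uint32_t stack = 0xBFFFF000;            /* constructed: a typical i386 user stack page */
    seg_t flat_cs  = seg_make(0, 0xFFFFF, true, true, true, 3);  /* CS covers all 4 GiB */
    seg_t split_cs = seg_make(0, 0x0FFFF, true, true, true, 3);  /* CS ends at 256 MiB */
    seg_t flat_ds  = seg_make(0, 0xFFFFF, true, false, true, 3); /* DS/SS cover all 4 GiB */

    printf("flat CS : exec at stack -> %s\n", seg_allows(&flat_cs, stack, ACC_EXEC) ? "ok" : "#GP");
    printf("split CS: exec at stack -> %s\n", seg_allows(&split_cs, stack, ACC_EXEC) ? "ok" : "#GP");
    printf("flat DS : write at stack -> %s\n", seg_allows(&flat_ds, stack, ACC_WRITE) ? "ok" : "#GP");
    printf("PTE P|U : read %d exec %d write %d\n",
           pte_allows_user(0x5, ACC_READ), pte_allows_user(0x5, ACC_EXEC),
           pte_allows_user(0x5, ACC_WRITE));
    return 0;
}
```

With every segment register pointing at a flat 0..4 GiB descriptor (the layout both Linux and Windows used, as the thread complains), `seg_allows` never refuses an instruction fetch from the stack, and `pte_allows_user` shows why paging cannot help on its own: a present, user-accessible page is executable whenever it is readable. Lowering the CS limit below the stack, as in `split_cs`, is the one place the 386's protection model does give a non-executable stack, at the cost of putting every executable mapping below that limit.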
Current thread:
- WordPad/riched20.dll buffer overflow Pauli Ojanpera (Nov 18)
- Re: WordPad/riched20.dll buffer overflow Bronek Kozicki (Nov 18)
- Re: WordPad/riched20.dll buffer overflow Gerardo Richarte (Nov 18)
- Re: WordPad/riched20.dll buffer overflow Gerardo Richarte (Nov 24)
- (no subject) Swen Persson (Nov 24)
- Re: WordPad/riched20.dll buffer overflow Gerardo Richarte (Nov 24)
- Re: WordPad/riched20.dll buffer overflow pedward () WEBCOM COM (Nov 26)
- Re: WordPad/riched20.dll buffer overflow Christopher Rhodes (Nov 26)
- Re: WordPad/riched20.dll buffer overflow Glynn Clements (Nov 27)
- SCO su patches Alfred Huger (Nov 28)
- Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow UNYUN (Nov 29)
- Page table protection on Intel Jason Spence (Nov 26)
- SuSE Security Announcement - new security tools Marc Heuse (Nov 26)
- 3Com cable modems / Mediaone Signal 11 (Nov 27)
- Re: 3Com cable modems / Mediaone Joseph W. Breu (Nov 29)
- NTmail and VRFY George (Nov 30)
- Netscape Communicator 4.7 - Navigator Overflows Mike Boto (Nov 27)
- Re: WordPad/riched20.dll buffer overflow Crispin Cowan (Nov 27)