Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: solar () FALSE COM (Solar Designer)
Date: Mon, 29 Nov 1999 23:40:29 +0300
> Aleph, please kill my article if someone else says it better/first. I've been waiting in silence for Solar Designer to speak up and end the debate about how to do this, but I guess he's away from his e-mail.

I was simply unsure if we really need to repeat this discussion (it's been on the list already). ;-)

> Having separate non-overlapping stack and data segments causes a great many problems if you want to be able to write programs in C, given that a data pointer has to be able to record the address of any variable, regardless of whether it is static (data segment) or automatic (stack segment).

> This work has already been done: there is a kernel patch for Linux that makes the stack segment non-executable. For details, go read Solar's source: http://www.openwall.com/linux/

In reality, the patch does exactly what it says it does: make the user stack area (a range of user-space addresses) non-executable. It does _not_ make the segment (in the x86 sense) non-executable (in fact, it was already non-executable by definition; it is overlapping with the code segment which allowed for execution on the stack). To answer the paragraph you were replying to as well, the patch also does _not_ stop stack and data segments from overlapping (in fact, with the Linux 2.2 version of the patch, the stack and data segments even share the same descriptor table entry). I don't see how this restriction can be related to the execute permissions, though. What the patch does, is reduce the user-space code segment limit so that the segment does not cover the range of addresses allocated to the stack. The base addresses continue to match.

Signed,
Solar Designer
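The reply above draws a line between "the stack segment" and "the range of user-space addresses holding the stack": what the Openwall patch protects is the latter. A defender checking whether a given process actually has a non-executable stack region therefore looks at the permissions of that address range, not at segment descriptors. The following is an added example, not code from this thread or from the Openwall patch: it reads the Linux /proc/self/maps listing (assumed format: `start-end perms offset dev inode path`, with the stack region labelled `[stack]`) and reports whether the stack mapping carries the execute bit. The two sample listings are constructed for the demonstration and do not come from a real machine.

```c
#include <stdio.h>
#include <string.h>

/* Inspect one maps line. Returns 1 if it is the [stack] mapping and has
 * the 'x' permission, 0 if it is the [stack] mapping without 'x', and -1
 * if the line describes some other region. */
static int stack_line_exec(const char *line) {
    unsigned long lo, hi;
    char perms[8] = {0};
    char path[256] = {0};
    /* Assumed layout: "lo-hi perms offset dev inode path"; the path is
     * absent for anonymous mappings, so sscanf may match only 3 items. */
    int n = sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s", &lo, &hi, perms, path);
    if (n < 4 || strcmp(path, "[stack]") != 0)
        return -1;
    return perms[2] == 'x' ? 1 : 0;
}

/* Scan a whole maps dump held in memory (newline separated).
 * Returns 1 (stack executable), 0 (stack non-executable) or -1 (no
 * [stack] line found). */
int stack_exec_in_maps(const char *maps) {
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int r = stack_line_exec(line);
        if (r >= 0)
            return r;
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Live check of the calling process. Returns -1 when /proc is not
 * available (non-Linux systems, restricted containers). */
int stack_exec_self(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        int r = stack_line_exec(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Constructed sample dumps (addresses and inodes are made up). */
const char *SAMPLE_NX_STACK =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd10099000-7ffd1009b000 r-xp 00000000 00:00 0 [vdso]\n";

const char *SAMPLE_EXEC_STACK =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
    "7ffd10000000-7ffd10021000 rwxp 00000000 00:00 0 [stack]\n";

int main(void) {
    printf("constructed NX dump:   %d\n", stack_exec_in_maps(SAMPLE_NX_STACK));
    printf("constructed exec dump: %d\n", stack_exec_in_maps(SAMPLE_EXEC_STACK));
    printf("this process:          %d\n", stack_exec_self());
    return 0;
}
```

On a current Linux kernel the live check normally prints 0 for a plain C binary; a 1 means the loader granted an executable stack (for example because an object file linked in lacked a GNU-stack note), which is the condition the thread's patch was written to remove.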