Bugtraq mailing list archives

Re: Smashing the stack


From: tthacker () mtc iitri com (Terrell Thacker)
Date: Tue, 21 Jan 1997 15:43:59 EST


On the X86 memory can be read-only, read-write, or unmapped.  This means
that it's not possible to mark memory as readable but not executable.
On every other major architecture I've heard of (except maybe the 68000),
it is at least theoretically possible to mark which addresses can be
used to fetch machine instructions and which ones can't, even if the
operating system doesn't usually actually do that (as in the recently
discussed case of the Alpha and OSF's Unix flavor, where the stack is
no-execute but the heap isn't).


X86 memory protection is based on two segment types: Code and Data.
Code segments are executable with a read toggle.  Data segments
are not executable with a write toggle.  You cannot write to memory
using a code segment selector.  You cannot read memory using a code
segment selector that is not readable.  You cannot execute code using
a data segment selector.  The only selectors allowed in the stack
segment register are ones that are type Data/read/write.  The only
selectors allowed in the code segment register are type Code.  The
only selectors allowed in the general purpose data registers are
type Data or Code/read.

The problem lies with implementations on the X86.  Different types
of selectors can be created to access the same memory in different
ways.  If you want a flat address space for each process, then there
will be the two types of selectors accessing the same memory space,
code and data. Now the code segment selector can be used to execute
the data modified in the stack or data segment.  Does anyone know of
implementations that use different areas of memory for the selectors
of each process?

The 286 has an interesting twist; it uses 16-bit registers with segment
registers to boost its address range, and no memory protection worth
speaking of.  A 65536-byte buffer overrun could rewrite the *entire*
stack.

286 processors have the same basic segment types and protection as the
386 and later.

*-----------------------------------------------------------------------*
      []  [] ###### #####   []      Maryland Technology Center
      ##  ##   ##   ##  ##  ##      IIT Research Institute
      ##  ##   ##   #####   ##
      ##  ##   ##   ##  ##  ##      Terrell Thacker
      ##  ##   ##   ##  ##  ##      tthacker () mtc iitri com
*-----------------------------------------------------------------------*
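The segment-type rules the post spells out (what may be loaded into SS, CS and the general data segment registers, and why a flat model lets a Code selector execute bytes written through a Data selector) can be checked mechanically from the 8-byte descriptor encoding. The following C program is an added example, not part of the original Bugtraq message: it decodes the standard 80386 descriptor layout (type nibble at bits 40-43, S at bit 44, DPL at 45-46, P at 47, G at 55), applies the loadability rules from the post, and flags pairs of descriptors where a writable data segment and an executable code segment cover overlapping linear addresses. The four descriptor values are constructed sample GDT entries (the flat code/data pair are the textbook 0x9A/0x92 entries with base 0 and a 4 GiB limit).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte x86 GDT/LDT segment descriptor. */
typedef struct {
    uint32_t base;      /* linear base address */
    uint32_t limit;     /* last valid offset, after granularity scaling */
    bool present;       /* P bit */
    bool is_system;     /* S bit == 0: TSS, gate, LDT; not a code/data segment */
    bool is_code;       /* type bit 3: 1 = code segment, 0 = data segment */
    bool readable;      /* code: type bit 1 ("read toggle"); data is always readable */
    bool writable;      /* data: type bit 1 ("write toggle"); code is never writable */
    unsigned dpl;       /* descriptor privilege level, 0..3 */
} seg_desc_t;

seg_desc_t decode_descriptor(uint64_t raw) {
    seg_desc_t d = {0};
    uint32_t limit = (uint32_t)(raw & 0xFFFFu) | (uint32_t)((raw >> 48) & 0xFu) << 16;
    unsigned type = (unsigned)((raw >> 40) & 0xFu);
    bool g = (raw >> 55) & 1u;                       /* granularity: limit in 4 KiB pages */
    d.base = (uint32_t)((raw >> 16) & 0xFFFFFFu) | (uint32_t)((raw >> 56) & 0xFFu) << 24;
    d.present = (raw >> 47) & 1u;
    d.dpl = (unsigned)((raw >> 45) & 3u);
    d.is_system = !((raw >> 44) & 1u);
    d.is_code = !d.is_system && (type & 0x8u);
    d.readable = !d.is_system && (d.is_code ? (type & 0x2u) != 0 : true);
    d.writable = !d.is_system && !d.is_code && (type & 0x2u) != 0;
    d.limit = g ? (limit << 12) | 0xFFFu : limit;
    return d;
}

/* Loadability rules as stated in the post: SS takes only Data/read/write,
 * CS takes only Code, the general data registers take Data or Code/read. */
bool loadable_in_ss(seg_desc_t d) { return d.present && !d.is_system && !d.is_code && d.writable; }
bool loadable_in_cs(seg_desc_t d) { return d.present && d.is_code; }
bool loadable_in_data_reg(seg_desc_t d) { return d.present && !d.is_system && (!d.is_code || d.readable); }

static bool overlaps(seg_desc_t a, seg_desc_t b) {
    uint64_t a_end = (uint64_t)a.base + a.limit, b_end = (uint64_t)b.base + b.limit;
    return a.base <= b_end && b.base <= a_end;
}

/* True when a writable data descriptor and an executable code descriptor
 * cover overlapping linear addresses: bytes stored through one selector
 * can later be fetched as instructions through the other. */
bool writable_executable_alias(uint64_t raw_a, uint64_t raw_b) {
    seg_desc_t a = decode_descriptor(raw_a), b = decode_descriptor(raw_b);
    if (!a.present || !b.present) return false;
    bool alias = (a.writable && b.is_code) || (b.writable && a.is_code);
    return alias && overlaps(a, b);
}

/* Constructed sample descriptors (assumed values, not from the post). */
#define FLAT_CODE  0x00CF9A000000FFFFull   /* base 0, limit 4 GiB, code, readable */
#define FLAT_DATA  0x00CF92000000FFFFull   /* base 0, limit 4 GiB, data, writable */
#define SMALL_CODE 0x00009A000000FFFFull   /* base 0, limit 64 KiB, code, readable */
#define DATA_64K   0x000092010000FFFFull   /* base 0x10000, limit 64 KiB, data, writable */

int main(void) {
    uint64_t descs[] = { FLAT_CODE, FLAT_DATA, SMALL_CODE, DATA_64K };
    for (size_t i = 0; i < sizeof descs / sizeof descs[0]; i++) {
        seg_desc_t d = decode_descriptor(descs[i]);
        printf("%016llx base=%08x limit=%08x %s r=%d w=%d ss=%d cs=%d ds=%d\n",
               (unsigned long long)descs[i], d.base, d.limit, d.is_code ? "code" : "data",
               d.readable, d.writable, loadable_in_ss(d), loadable_in_cs(d), loadable_in_data_reg(d));
    }
    printf("flat code/data alias writable memory as executable: %d\n",
           writable_executable_alias(FLAT_CODE, FLAT_DATA));
    printf("disjoint 64K code/data alias: %d\n",
           writable_executable_alias(SMALL_CODE, DATA_64K));
    return 0;
}
```

The flat pair reports an alias because both descriptors span the whole address space, which is exactly the flat-model situation the post describes; the disjoint pair does not, illustrating the alternative the post asks about, where code and data selectors are given separate regions of memory.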
