Bugtraq mailing list archives
Re: Smashing the stack
From: tthacker () mtc iitri com (Terrell Thacker)
Date: Tue, 21 Jan 1997 15:43:59 EST
> On the X86 memory can be read-only, read-write, or unmapped. This means that it's not possible to mark memory as readable but not executable. On every other major architecture I've heard of (except maybe the 68000), it is at least theoretically possible to mark which addresses can be used to fetch machine instructions and which ones can't, even if the operating system doesn't usually actually do that (as in the recently discussed case of the Alpha and OSF's Unix flavor, where the stack is no-execute but the heap isn't).
X86 memory protection is based on two segment types: Code and Data. Code segments are executable with a read toggle. Data segments are not executable, with a write toggle. You cannot write to memory using a code segment selector. You cannot read memory using a code segment selector that is not readable. You cannot execute code using a data segment selector. The only selectors allowed in the stack segment register are ones that are type Data/read/write. The only selectors allowed in the code segment register are type Code. The only selectors allowed in the general purpose data registers are type Data or Code/read. The problem lies with implementations on the X86. Different types of selectors can be created to access the same memory in different ways. If you want a flat address space for each process, then there will be the two types of selectors accessing the same memory space, code and data. Now the code segment selector can be used to execute the data modified in the stack or data segment. Does anyone know of implementations that use different areas of memory for the selectors of each process?
> The 286 has an interesting twist; it uses 16-bit registers with segment registers to boost its address range, and no memory protection worth speaking of. A 65536-byte buffer overrun could rewrite the *entire* stack.
286 processors have the same basic segment types and protection as the 386 and on.

--
Terrell Thacker
Maryland Technology Center, IIT Research Institute
tthacker () mtc iitri com
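The descriptor rules in the post (code vs. data type, the read/write toggle, which types each segment register accepts, and the flat-model overlap that lets CS fetch bytes written through SS) can be made concrete by decoding real GDT entries. The following is an added example written for this archive page, not code from the original thread; it uses the documented 386+ descriptor bit layout and two constructed sample GDTs (a common 4 GiB flat layout, and a hypothetical split layout giving code the first MiB and data the second). It models only the type checks the post describes and omits privilege-level checks, expand-down segments and paging.

```c
/* Added example (not from the original post): decode and classify x86 GDT
 * descriptors to show why, in a flat memory model, a code selector can fetch
 * instructions from bytes written through the stack/data selector.
 * Bit layout follows the documented 386+ descriptor format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t base;
    uint32_t limit;        /* highest valid offset, after granularity scaling */
    unsigned dpl;
    bool present;
    bool code_or_data;     /* S bit: 1 = code/data descriptor, 0 = system */
    bool is_code;          /* E bit: 1 = code segment, 0 = data segment */
    bool rw;               /* code: readable; data: writable */
} segdesc;

/* Build a 386-style descriptor. limit20 is the raw 20-bit limit field; with
 * g4k set it counts 4 KiB pages. D/B is set, L (64-bit) is clear. */
uint64_t encode_descriptor(uint32_t base, uint32_t limit20, bool is_code,
                           bool rw, unsigned dpl, bool g4k)
{
    uint8_t access = 0x80 | ((dpl & 3) << 5) | 0x10
                   | (is_code ? 0x08 : 0) | (rw ? 0x02 : 0);
    uint8_t flags  = ((limit20 >> 16) & 0xF) | 0x40 | (g4k ? 0x80 : 0);
    uint64_t d = (uint64_t)(limit20 & 0xFFFF);
    d |= (uint64_t)(base & 0xFFFF) << 16;
    d |= (uint64_t)((base >> 16) & 0xFF) << 32;
    d |= (uint64_t)access << 40;
    d |= (uint64_t)flags << 48;
    d |= (uint64_t)((base >> 24) & 0xFF) << 56;
    return d;
}

segdesc decode_descriptor(uint64_t raw)
{
    segdesc s;
    uint8_t access = (uint8_t)(raw >> 40);
    uint32_t limit = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    s.base = (uint32_t)((raw >> 16) & 0xFFFF)
           | ((uint32_t)((raw >> 32) & 0xFF) << 16)
           | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    s.present      = (access & 0x80) != 0;
    s.dpl          = (access >> 5) & 3;
    s.code_or_data = (access & 0x10) != 0;
    s.is_code      = (access & 0x08) != 0;
    s.rw           = (access & 0x02) != 0;
    s.limit = ((raw >> 55) & 1) ? (limit << 12) | 0xFFF : limit;   /* G bit */
    return s;
}

/* Type rules the post states for each register class (privilege checks omitted). */
bool loadable_into_cs(segdesc d)       { return d.present && d.code_or_data && d.is_code; }
bool loadable_into_ss(segdesc d)       { return d.present && d.code_or_data && !d.is_code && d.rw; }
bool loadable_into_data_reg(segdesc d) { return d.present && d.code_or_data && (!d.is_code || d.rw); }

/* Do the two segments map any common linear address? (expand-down segments ignored) */
bool segments_overlap(segdesc a, segdesc b)
{
    uint64_t a_end = (uint64_t)a.base + a.limit;
    uint64_t b_end = (uint64_t)b.base + b.limit;
    return a.base <= b_end && b.base <= a_end;
}

/* True when bytes written through a stack-capable data segment are fetchable
 * through the code segment: the flat-model problem the post describes. */
bool stack_bytes_executable(segdesc code, segdesc data)
{
    return loadable_into_cs(code) && loadable_into_ss(data) && segments_overlap(code, data);
}

/* Scan a GDT for any overlapping code / stack-segment pair. */
bool gdt_allows_stack_execution(const uint64_t *gdt, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (stack_bytes_executable(decode_descriptor(gdt[i]), decode_descriptor(gdt[j])))
                return true;
    return false;
}

/* Constructed sample tables (null descriptor first). flat_gdt is the usual
 * 4 GiB flat layout; split_gdt is a hypothetical layout giving code the first
 * MiB and data the second, so no stack byte is reachable through CS. */
static const uint64_t flat_gdt[]  = { 0, 0x00CF9A000000FFFFULL, 0x00CF92000000FFFFULL };
static const uint64_t split_gdt[] = { 0, 0x004F9A000000FFFFULL, 0x004F92100000FFFFULL };

int main(void)
{
    const uint64_t *tables[] = { flat_gdt, split_gdt };
    const char *names[] = { "flat", "split" };
    for (int t = 0; t < 2; t++) {
        printf("%s GDT:\n", names[t]);
        for (size_t i = 1; i < 3; i++) {
            segdesc d = decode_descriptor(tables[t][i]);
            printf("  %016llx %s base=%08x limit=%08x dpl=%u CS:%d SS:%d DS:%d\n",
                   (unsigned long long)tables[t][i], d.is_code ? "code" : "data",
                   d.base, d.limit, d.dpl, loadable_into_cs(d),
                   loadable_into_ss(d), loadable_into_data_reg(d));
        }
        printf("  stack bytes executable via CS: %s\n",
               gdt_allows_stack_execution(tables[t], 3) ? "yes" : "no");
    }
    return 0;
}
```

The split table answers the closing question in the negative for this toy case: when the code descriptor's [base, base+limit] range does not intersect any writable data descriptor's range, nothing pushed on the stack is addressable through CS. The cost, and the reason flat layouts won, is that code then cannot read its own constants through CS and every pointer needs a selector as well as an offset.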
Current thread:
- Re: Smashing the stack Terrell Thacker (Jan 21)
- Re: Smashing the stack Thomas Pornin (Jan 22)
- <Possible follow-ups>
- Re: Smashing the stack Terrell Thacker (Jan 22)