Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 30 Nov 1999 09:31:39 +0100
> The kernel patch makes no such compromise. As near as I can tell, it is completely performance neutral, and largely transparent. The only compromise is that special handling for signal delivery is required, which the kernel patch provides.

Is it possible with the Linux kernel patch to still mprotect() parts of the stack to read-write-execute? My understanding is that that isn't possible when using x86 segment descriptors (i.e., you get all or nothing).

> Also, using segmentation pretty much guarantees that your OS cannot be made to run on anything other than the x86 architecture (which is about the worst of the bunch; no sane person would use x86 if it wasn't for the compatibility issues). Other, more sane, processors provide for read & no-execute pages, so you use a different kernel MMU mechanism to make the stack non-executable. Thus, Casper Dik has a similar kernel enhancement for Solaris that makes the stack non-executable.

The feature I wrote as a script for Solaris 2.5.1 and before that hotpatched kernel memory and code (and disassembled SPARC instructions in /bin/sh) was later added as a feature to Solaris 2.6. Many MMUs/processors do not support this. Older SPARC (sun4/sun4c kernel arch) do not; even UltraSPARC doesn't provide MMU support; it supports non-executable pages only because it has a split TLB. When RW- pages get examined in the iTLB handler, a fault is generated. That also was added in Solaris 2.6, so my script doesn't work for UltraSPARC in 2.5/2.5.1 either.

Casper
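The question above (can a process still mprotect() its own stack back to read-write-execute under a non-executable-stack scheme?) is something a defender can check directly on a given kernel. The following audit program is an added example and is not code from the thread or from either kernel patch discussed in it. It assumes a Linux system where /proc/self/maps is available and labels the main thread's stack mapping "[stack]" (the /proc layout, the page-size lookup and the probe-page choice are assumptions of this example); it reports the stack mapping's current permissions and whether the kernel's policy allows the stack page to be re-protected as RWX, then restores the original RW protection.

```c
// Added example (not part of the original thread): audit whether this
// process's main stack is mapped without execute permission, and whether
// the kernel lets the process re-enable execute on it via mprotect().
// Linux-specific assumption: /proc/self/maps exists and tags the main
// thread's stack with "[stack]".
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* Result of the audit. */
struct stack_audit {
    int stack_found;      /* 1 if a [stack] mapping was found in /proc/self/maps */
    int stack_executable; /* 1 if its permission string contains 'x' */
    int rwx_remap_ok;     /* 1 if mprotect(PROT_READ|PROT_WRITE|PROT_EXEC) on a stack page succeeded */
};

/* Parse one /proc/self/maps line. Returns 1 (and fills perms, e.g. "rw-p")
 * only if the line describes the [stack] mapping; otherwise returns 0. */
int parse_maps_line(const char *line, char perms[5])
{
    unsigned long lo, hi;
    char p[5];
    if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
        return 0;
    if (strstr(line, "[stack]") == NULL)
        return 0;
    memcpy(perms, p, 5);
    return 1;
}

/* Does a maps permission string grant execute? */
int perms_allow_exec(const char *perms)
{
    return strchr(perms, 'x') != NULL;
}

/* Locate the main thread's stack mapping and record its permissions. */
static int find_stack_perms(char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_maps_line(line, perms)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Try to turn the page holding a local variable (i.e. a stack page) into RWX.
 * Whether this succeeds is the policy question the thread raises: a
 * segment-based scheme cannot honour a per-page request, while a page-based
 * scheme may allow or deny it. The original RW protection is restored. */
static int try_rwx_on_stack(void)
{
    volatile char probe = 0;
    long pagesz = sysconf(_SC_PAGESIZE);
    uintptr_t page = (uintptr_t)&probe & ~(uintptr_t)(pagesz - 1);
    int rc = mprotect((void *)page, (size_t)pagesz, PROT_READ | PROT_WRITE | PROT_EXEC);
    if (rc == 0) {
        mprotect((void *)page, (size_t)pagesz, PROT_READ | PROT_WRITE);
        return 1;
    }
    return 0;
}

struct stack_audit audit_stack(void)
{
    struct stack_audit a = {0, 0, 0};
    char perms[5] = "----";
    a.stack_found = find_stack_perms(perms);
    a.stack_executable = perms_allow_exec(perms);
    a.rwx_remap_ok = try_rwx_on_stack();
    return a;
}

int main(void)
{
    struct stack_audit a = audit_stack();
    printf("stack mapping found in /proc/self/maps: %d\n", a.stack_found);
    printf("stack currently executable:             %d\n", a.stack_executable);
    printf("mprotect() of a stack page to RWX ok:   %d\n", a.rwx_remap_ok);
    return 0;
}
```

A hardened baseline is stack executable = 0; whether the RWX remap is refused depends on the policy layered on top of the non-executable default (the all-or-nothing segment approach the question describes, versus per-page MMU schemes that may still honour the request), so the third line is the one to compare against what the deployment is supposed to enforce.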