Date:      Mon, 3 Mar 1997 13:25:23 -0500 (EST)
From:      Bill Paul <wpaul@skynet.ctr.columbia.edu>
To:        hackers@freebsd.org
Subject:   Removing execute privs from stack pages
Message-ID:  <199703031825.NAA17682@skynet.ctr.columbia.edu>

I've got a question for you VM/i386 gurus out there. Recently, somebody
showed me a script for Solaris/SPARC to short-circuit buffer overflow
security holes by removing execute access from the user stack pages.
Doing this does not prevent buffer overflows and stack corruption from
happening, but it does prevent any malicious code written to the stack
from being executed, thus rendering the overflow condition harmless.
(Well, sort of: the overflow can still crash the process, but at least
it prevents suid/sgid programs with buffer overflow bugs from giving
away privs.)

My question is: can this sort of thing be done with FreeBSD/i386? From
what little I know, the 386 segment descriptors allow you to designate
a memory segment as data or code. Presumably, an attempt to jump to
an address within a data segment will trigger a trap. Unfortunately, I
don't know enough about i386 protected mode programming or FreeBSD's
VM subsystem to experiment with this sort of thing. From a cursory look
at the code, exec_new_vmspace() does this:

        /* Allocate a new stack */
        error = vm_map_find(&vmspace->vm_map, NULL, 0, (vm_offset_t *)&stack_addr,
            SGROWSIZ, FALSE, VM_PROT_ALL, VM_PROT_ALL, 0);
        if (error)
                return(error);

VM_PROT_ALL implies VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE.
I tried using VM_PROT_READ|VM_PROT_WRITE instead, but this didn't
seem to have any effect. Somehow I get the feeling that VM_PROT_READ
implies VM_PROT_EXECUTE. If so, this is a shame. It would be great
if we could get VM_PROT_EXECUTE to actually mean something.

- Is this even possible with the i386 MMU?

- Is this possible with the FreeBSD VM subsystem? (If not, could it be
  made possible?)

- Is FreeBSD (or 4.4BSD in general) dependent on the stack pages being
  marked executable?

Inquiring minds want to know. I can't think of any particular reason
why you'd want the stack pages to be executable anyway, but again I don't
know enough details to judge. Could be I'm totally out in left field here.

-Bill

-- 
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "It is not I who am crazy; it is I who am mad!" - Ren Hoek, "Space Madness"
=============================================================================
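The check Bill describes (strip execute permission from a writable page and see whether a jump into it traps), as an added example that is not part of the original mail and not FreeBSD code: a C probe that maps an anonymous page, stores a single native `ret` in it, drops PROT_EXEC with mprotect(2) and calls it under a SIGSEGV/SIGBUS handler. It returns 1 where the MMU and kernel really enforce no-execute, and 0 where read access implies execute, which is the behaviour the mail observes on i386. It assumes a POSIX system on x86 or AArch64; the function and variable names are my own.

```c
#define _GNU_SOURCE                  /* MAP_ANONYMOUS and sigsetjmp on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed probe (not FreeBSD code); the names here are my own. */
static sigjmp_buf trap_env;
static volatile sig_atomic_t trapped;
static void on_fault(int sig) { (void)sig; trapped = 1; siglongjmp(trap_env, 1); }
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "add the native 'ret' encoding for this architecture"
#endif
/* Map a page, store `ret` in it, set its protection to `prot`, then call it.
 * Returns 1 if the call faulted (execute is really denied), 0 if `ret` ran
 * (read implies execute, as on non-NX i386), -1 on mmap/mprotect failure. */
int exec_is_blocked(int prot) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);
    if (mprotect(page, pagesz, prot) != 0) { munmap(page, pagesz); return -1; }
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);      /* some kernels report exec faults as SIGBUS */
    trapped = 0;
    if (sigsetjmp(trap_env, 1) == 0) {     /* returns a second time via siglongjmp */
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);     /* object -> function pointer without a cast */
        fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return (int)trapped;
}
int main(void) {
    printf("RW page: execute %s\n", exec_is_blocked(PROT_READ | PROT_WRITE) == 1 ? "blocked" : "allowed");
    printf("RX page: execute %s\n", exec_is_blocked(PROT_READ | PROT_EXEC) == 1 ? "blocked" : "allowed");
    return 0;
}
```

On a modern NX-capable kernel the first line reports "blocked"; a result of "allowed" for the RW page is exactly the "VM_PROT_READ implies VM_PROT_EXECUTE" situation the mail complains about.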