From owner-freebsd-security Wed Dec 1 10:59:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 205211509B for ; Wed, 1 Dec 1999 10:59:36 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA05119; Wed, 1 Dec 1999 13:59:13 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Wed, 1 Dec 1999 13:59:13 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: naiden.markacehv@usask.ca
Cc: Matt, freebsd-security@FreeBSD.ORG
Subject: Re: stack overflow and security
In-Reply-To: <3844628D.E6490B17@mail.usask.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I don't know if the original message author meant it or not, but the author used the words "stack overflow" and not "buffer overflow". In my mind, "stack overflow" implies walking off the bottom of the available stack space, and is usually the result of excessive recursion or implicit allocation of something inappropriate in the function call stack. As far as I know, there have only been denial of service possibilities with this (i.e., process dies with SIGSEGV), and I have never heard of a stack overflow resulting in elevated privileges for the attacker.

There are a few potential ways you might do this, but all are pretty far-fetched -- most involve the "ridiculous thing in the stack" allocation issue. I'm not sure how we're handling the bottoms of thread stacks, but with the Coda LWP package, it was possible to walk off the bottom of one stack onto the top of another (or something else) resulting in poor behavior, which might be exploitable.
On Tue, 30 Nov 1999, Naiden wrote:

> Matt wrote:
> >
> > Can anyone help to explain how the stack overflow security exploit works? Does anyone
> > know how to fix it? How does it happen?
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> Here is a site that answers your question..... at least the "how it
> happens" part.
> http://www.helloworld.ca/1999/04-apr/attack_class.html

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
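Added example, not from this thread: a small C program that makes the distinction above concrete. Unbounded recursion (or a ridiculously large local) walks off the bottom of the stack and the process dies with SIGSEGV, which is denial of service; a guard that compares the stack already used against the soft RLIMIT_STACK turns that crash into a refusal. It assumes a downward-growing stack and POSIX getrlimit(); FRAME_PAD and the reserve size are this example's own choices.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <sys/resource.h>

/* Constructed example: check remaining stack before each recursive call so
 * runaway recursion ends in a refusal instead of a SIGSEGV. Assumes the
 * stack grows downward (x86, ARM, etc.); the constants are arbitrary. */

#define FRAME_PAD 4096                 /* large local carried by every frame */
#define MIN_RESERVE (64u * 1024u)      /* headroom the guard always keeps */

static uintptr_t stack_base;           /* address recorded at entry */
static size_t stack_limit;             /* soft RLIMIT_STACK, or a default */
static size_t stack_reserve;           /* headroom for frames we don't see */

static void stack_guard_init(void) {
    char marker;
    struct rlimit rl;
    stack_base = (uintptr_t)&marker;
    stack_limit = 512u * 1024u;        /* conservative default if unknown */
    if (getrlimit(RLIMIT_STACK, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        stack_limit = (size_t)rl.rlim_cur;
    stack_reserve = stack_limit / 8;
    if (stack_reserve < MIN_RESERVE) stack_reserve = MIN_RESERVE;
}

/* Bytes of stack still available below the current frame. */
static size_t stack_remaining(void) {
    char marker;
    uintptr_t here = (uintptr_t)&marker;
    size_t used = stack_base > here ? (size_t)(stack_base - here) : 0;
    return stack_limit > used ? stack_limit - used : 0;
}

/* Recurse to max_depth. Returns max_depth on success; when guarded and the
 * stack runs low, returns -(depth reached) instead of crashing. With
 * guarded == 0 and a huge max_depth the process walks off its stack. */
static int descend(int depth, int max_depth, int guarded) {
    volatile char pad[FRAME_PAD];      /* the "ridiculous thing in the stack" */
    pad[0] = (char)depth;
    if (depth >= max_depth) return depth;
    if (guarded && stack_remaining() < FRAME_PAD + stack_reserve)
        return -depth;
    int r = descend(depth + 1, max_depth, guarded);
    /* Volatile read after the call keeps this frame live (no tail call). */
    return r + (pad[0] - (char)depth);
}

int bounded_descent(int max_depth) {
    stack_guard_init();
    return descend(0, max_depth, 1);
}

int main(void) {
    printf("depth 10 -> %d\n", bounded_descent(10));
    printf("depth 1000000 -> %d (negative: guard refused)\n", bounded_descent(1000000));
    return 0;
}
```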