Date:      Sun, 19 Jul 1998 16:28:00 -0600
From:      Brett Glass <brett@lariat.org>
To:        dg@root.com
Cc:        security@FreeBSD.ORG
Subject:   Re: The 99,999-bug question: Why can you execute from the stack? 
Message-ID:  <199807192228.QAA03712@lariat.lariat.org>
In-Reply-To: <199807192155.OAA18816@implode.root.com>
References:  <Your message of "Sun, 19 Jul 1998 14:47:25 MDT." <199807192047.OAA02264@lariat.lariat.org>

Putting the code on the user's stack is an interesting notion, but it
does not seem to me that executing code from the stack is the only
way to clean up after a signal. The code could be in a runtime library,
in a specially-created segment, or on a special read-only page mapped into 
the user space for that purpose. This would be cleaner. In fact, the page
might be shared among processes returning from signals.

I'd much rather see this technique revised than leave a hole open for 
buffer overflow attacks. We don't want to get a reputation for lax
security.

--Brett

At 02:55 PM 7/19/98 -0700, David Greenman wrote:
 
>>We're going to be spending about a man-month rebuilding a complex system
>>that was hacked due to a buffer overflow exploit. Looking back at our
>>system log files, I can see exactly how the hack was done and how the
>>perpetrator was able to get root.
>>
>>What I CAN'T understand is why FreeBSD allows the hack to occur. Why on
>>Earth would one want to allow code to be executed from the stack? The Intel
>>segmentation model normally prevents this, and there's additional hardware
>>in the MMU that's supposed to be able to preclude it. Why does the OS leave
>>this gigantic hole open? Why not just close it?
>
>   Two words: Signal Trampoline. For an explanation, see the mailing list
>archives for -hackers, search for 'signal trampoline'.
>
>-DG
>
>David Greenman
>Co-founder/Principal Architect, The FreeBSD Project
> 
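
The thread's point of contention is where the signal-return trampoline lives. The following program is an added example, not code from this thread or from FreeBSD: it installs a handler, raises a signal, records the address the kernel arranged for the handler to return to (that is the trampoline), and looks that address up in the process map to report whether it sits on the stack or in a separate executable mapping. It assumes a Linux host with /proc/self/maps and a C library that registers its own restorer through sigaction(); the function and struct names are the example's own.

```c
/* Added example (not from the thread): locate the sigreturn trampoline.
 * Assumptions: Linux with /proc/self/maps; libc supplies the restorer. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address the kernel set as the handler's return address: the trampoline. */
static volatile uintptr_t g_trampoline;

static void record_return_address(int signo)
{
    (void)signo;
    /* A signal handler "returns" into the sigreturn trampoline. */
    g_trampoline = (uintptr_t)__builtin_return_address(0);
}

/* Install a SIGUSR1 handler, raise it, and return the trampoline address
 * (0 if the handler could not be installed or did not run). */
uintptr_t capture_sigreturn_trampoline(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_return_address;
    sigemptyset(&sa.sa_mask);
    g_trampoline = 0;
    if (sigaction(SIGUSR1, &sa, &old) != 0)
        return 0;
    raise(SIGUSR1);
    sigaction(SIGUSR1, &old, NULL);   /* restore the previous disposition */
    return g_trampoline;
}

struct mapping_info {
    int executable;   /* mapping carries the x permission bit */
    int is_stack;     /* mapping is the process stack ([stack]) */
    char name[256];   /* pathname or [vdso]/[stack] tag; empty if anonymous */
};

/* Find the /proc/self/maps entry containing addr.
 * Returns 1 if found, 0 if no mapping matches, -1 if /proc is unavailable. */
int classify_address(uintptr_t addr, struct mapping_info *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[8];
        char path[256] = "";
        /* fields: start-end perms offset dev inode [pathname] */
        int n = sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s",
                       &lo, &hi, perms, path);
        if (n < 3)
            continue;
        if (addr >= lo && addr < hi) {
            out->executable = (perms[2] == 'x');
            out->is_stack = (strcmp(path, "[stack]") == 0);
            snprintf(out->name, sizeof out->name, "%s", path);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* 1: trampoline is in an executable mapping other than the stack
 * 0: trampoline is on the stack (the arrangement the thread objects to)
 * -1: could not determine (no trampoline captured, or no /proc) */
int sigreturn_trampoline_is_off_stack(void)
{
    struct mapping_info info;
    uintptr_t tramp = capture_sigreturn_trampoline();
    if (tramp == 0)
        return -1;
    if (classify_address(tramp, &info) != 1)
        return -1;
    return (!info.is_stack && info.executable) ? 1 : 0;
}

int main(void)
{
    struct mapping_info info;
    uintptr_t tramp = capture_sigreturn_trampoline();
    if (classify_address(tramp, &info) == 1)
        printf("trampoline at %#lx in %s (exec=%d, stack=%d)\n",
               (unsigned long)tramp, info.name[0] ? info.name : "<anon>",
               info.executable, info.is_stack);
    else
        printf("trampoline at %#lx (mapping unknown)\n", (unsigned long)tramp);
    return 0;
}
```

On a current glibc system the reported mapping is the C library's text segment, which is the "runtime library" option the message above proposes; the stack itself never needs to be executable for signal return to work. A stack-executability check of this kind is a cheap sanity test to include in hardening verification.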




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807192228.QAA03712>