Date: Mon, 20 Jul 1998 15:09:58 -0600
From: Warner Losh <imp@village.org>
To: Brett Glass <brett@lariat.org>
Cc: Alexandre Snarskii <snar@paranoia.ru>, Archie Cobbs <archie@whistle.com>, security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: <199807202109.PAA13333@harmony.village.org>
In-Reply-To: Your message of "Mon, 20 Jul 1998 11:14:33 MDT." <199807201714.LAA19993@lariat.lariat.org>
References: <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>
In message <199807201714.LAA19993@lariat.lariat.org> Brett Glass writes:
: Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special
: hardware designed to guard against these exploits. The mechanisms
: they designed are called "segments" and "call gates" (among other
: things). And what do we do? We turn it off. In fact, Intel sees
: so few people using these vital features that it doesn't bother
: to speed them up in new CPU models, as they do other parts of
: the chip.

How do you enable call gates, and how do they fix these problems? How exactly do call gates eliminate this problem?

The kernel already uses segments to manage security, so I don't think I understand your comment about this. Can you elaborate in more detail how exactly these tools will solve the problems that we're having? Specifically the problem of overwriting the return address, to say setuid with an arg of 0. While it isn't arbitrary code, it does give you elevated privs. I don't see how any of them can solve that problem.

Educate me please.

Warner