From: newton@communica.com.au (Mark Newton)
Subject: Re: Vulnerability in the Xt library (fwd)
To: imp@village.org (Warner Losh)
Cc: gene@starkhome.cs.sunysb.edu, security@FreeBSD.org
Date: Mon, 26 Aug 1996 16:14:07 +0930 (CST)
Message-Id: <9608260644.AA23586@communica.com.au>
In-Reply-To: <199608260605.AAA07212@rover.village.org> from "Warner Losh" at Aug 26, 96 00:05:52 am
Sender: owner-security@FreeBSD.org

Warner Losh wrote:

> : However, this new system call could test to make sure that it is
> : being executed from the text segment, which is read-only, and refuse
> : to perform if not.
>
> Well, couldn't the code that was inserted onto the stack copy itself
> somewhere handy, make that a read only text segment, and make these
> calls?

> Why is the stack segment executable in the first place? Or does Intel
> require this?

Because this would fall over if it wasn't:

#include <stdio.h>
#include <time.h>

int main(int ac, char **av)
{
    /* function pointer held in a stack local; it points at libc's time() */
    time_t localtime, (*yukky)(time_t *) = time;

    yukky(&localtime);
    printf("%s", ctime(&localtime));
    return 0;
}

- mark

---
Mark Newton                               Email:  newton@communica.com.au
Systems Engineer                          Phone:  +61-8-373-2523
Communica Systems                         WWW:    http://www.communica.com.au
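The question raised above, whether calling through a function pointer needs an executable stack, as an added example that is not part of Mark's mail: the program keeps a pointer in a stack local and calls through it, then reads /proc/self/maps (a Linux-specific assumption, not something a 1996 FreeBSD box offers) to check that the pointer variable lives inside the stack mapping while its target, libc's time(), does not, and to report whether that stack mapping carries the execute bit at all. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* One pass over /proc/self/maps (Linux-specific assumption) answers two
 * questions: is the [stack] mapping executable, and does addr lie inside it?
 * Returns 0 on success, -1 if the stack mapping could not be found. */
int inspect_stack(uintptr_t addr, int *stack_exec, int *addr_in_stack)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[8] = {0};
    unsigned long lo, hi;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        /* line layout: start-end perms offset dev inode [path] */
        if (strstr(line, "[stack]") &&
            sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) == 3) {
            fclose(f);
            *stack_exec = strchr(perms, 'x') != NULL;
            *addr_in_stack = addr >= lo && addr < hi;
            return 0;
        }
    }
    fclose(f);
    return -1;
}

/* Mark's pattern: the pointer variable is a stack local, but the code it
 * names is libc's time(), so no byte on the stack is ever executed. */
time_t call_time_through_stack_pointer(void)
{
    time_t now = 0;
    time_t (*yukky)(time_t *) = time;
    yukky(&now);
    return now;
}

/* 1 when the pointer variable is on the stack but its target is not,
 * 0 otherwise, -1 if /proc/self/maps is unavailable. */
int pointer_on_stack_target_not(void)
{
    time_t (*yukky)(time_t *) = time;
    int exec, var_in, tgt_in;
    if (inspect_stack((uintptr_t)&yukky, &exec, &var_in) != 0) return -1;
    if (inspect_stack((uintptr_t)time, &exec, &tgt_in) != 0) return -1;
    return var_in && !tgt_in;
}
```

On a default modern toolchain the stack is mapped rw-p, and the call still succeeds, which is the distinction the thread is circling: NX restricts where instructions may live, not where pointers to them may be stored.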