Date: Mon, 26 Aug 1996 04:17:35 -0700 (PDT)
From: "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
To: newton@communica.com.au (Mark Newton)
Cc: imp@village.org, gene@starkhome.cs.sunysb.edu, security@freebsd.org
Subject: Re: Vulnerability in the Xt library (fwd)
Message-ID: <199608261117.EAA18508@GndRsh.aac.dev.com>
In-Reply-To: <9608260644.AA23586@communica.com.au> from Mark Newton at "Aug 26, 96 04:14:07 pm"
> Warner Losh wrote:
>
> > : However, this new system call could test to make sure that it is
> > : being executed from the text segment, which is read-only, and refuse
> > : to perform if not.
> >
> > Well, couldn't the code that was inserted onto the stack copy itself
> > somewhere handy, make that a read only text segment, and make these
> > calls?
> > Why is the stack segment executable in the first place? Or does Intel
> > require this?
>
> Because this would fall over if it wasn't:
>
> #include <stdio.h>
> #include <time.h>
>
> int main(int ac, char **av)
> {
>     time_t localtime, (*yukky)(time_t *) = time;
>
>     yukky(&localtime);
>     printf("%s", ctime(&localtime));
>     return 0;
> }

I don't think so, the assembly generated for this is:

	movl $_time,-8(%ebp)
	leal -4(%ebp),%eax
	pushl %eax
	movl -8(%ebp),%ebx
	call *%ebx

No place did you ``execute'' stack contents, it was all data class references.

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD
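Rod's point, that a call through a function pointer held on the stack only reads the stack as data and jumps to code in the text segment, as an added example that is not from this thread: the program below checks the page permissions of the pointer variable and of its target. It assumes Linux (it scans /proc/self/maps) and uses a constructed stand-in for time() so the target is in this executable's own text rather than in libc.

```c
#include <stdio.h>
#include <stdint.h>
#include <time.h>

typedef time_t (*time_fn)(time_t *);

/* Find the mapping in /proc/self/maps that contains addr and copy its
   permission field (e.g. "rw-p" or "r-xp") into perms. Linux-specific,
   assumed available. Returns 0 on success, -1 if no mapping covers addr. */
static int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    int found = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi) {
            found = 0;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Constructed stand-in for time(): a function in this executable's text. */
static time_t fake_time(time_t *out)
{
    if (out)
        *out = 1000;
    return 1000;
}

/* Mark Newton's pattern: the pointer is a stack variable, the code it names
   is in text. Returns 1 if the call works, the pointer's own page is not
   executable, and the target's page is executable. */
int stack_pointer_call_is_data_only(void)
{
    time_t now = 0;
    time_fn yukky = fake_time;          /* pointer stored on the stack */
    char pp[5] = "", tp[5] = "";

    yukky(&now);                        /* call *%reg: load pointer, jump to text */
    if (mapping_perms(&yukky, pp) || mapping_perms((void *)(uintptr_t)yukky, tp))
        return 0;
    return now == 1000 && pp[2] != 'x' && tp[2] == 'x';
}

int main(void)
{
    printf("stack pointer call needs no executable stack: %d\n",
           stack_pointer_call_is_data_only());
    return 0;
}
```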
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199608261117.EAA18508>