From owner-freebsd-security Mon Aug 26 04:18:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA04728 for security-outgoing; Mon, 26 Aug 1996 04:18:12 -0700 (PDT)
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA04710 for ; Mon, 26 Aug 1996 04:18:06 -0700 (PDT)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.6.12/8.6.12) id EAA18508; Mon, 26 Aug 1996 04:17:36 -0700
From: "Rodney W. Grimes"
Message-Id: <199608261117.EAA18508@GndRsh.aac.dev.com>
Subject: Re: Vulnerability in the Xt library (fwd)
To: newton@communica.com.au (Mark Newton)
Date: Mon, 26 Aug 1996 04:17:35 -0700 (PDT)
Cc: imp@village.org, gene@starkhome.cs.sunysb.edu, security@freebsd.org
In-Reply-To: <9608260644.AA23586@communica.com.au> from Mark Newton at "Aug 26, 96 04:14:07 pm"
X-Mailer: ELM [version 2.4ME+ PL11 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Warner Losh wrote:
>
>  > : However, this new system call could test to make sure that it is
>  > : being executed from the text segment, which is read-only, and refuse
>  > : to perform if not.
>  >
>  > Well, couldn't the code that was inserted onto the stack copy itself
>  > somewhere handy, make that a read only text segment, and make these
>  > calls?
>  > Why is the stack segment executable in the first place?  Or does Intel
>  > require this?
>
> Because this would fall over if it wasn't:
>
> #include <stdio.h>
> #include <time.h>
>
> int
> main(int ac, char **av)
> {
>         time_t localtime, (*yukky)(time_t *) = time;
>
>         yukky(&localtime);
>         printf("%s", ctime(&localtime));
>         return 0;
> }

I don't think so, the assembly generated for this is:

        movl $_time,-8(%ebp)
        leal -4(%ebp),%eax
        pushl %eax
        movl -8(%ebp),%ebx
        call *%ebx

No place did you ``execute'' stack contents, it was all data class
references.
--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD
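The distinction Rod draws (the stack slot holds the address of time() as data; the call transfers control to time() in the text segment, never into stack memory) can be checked at run time. The program below is an added example and is not code from the thread or from FreeBSD. It brackets the frame that holds the function pointer between a local in the caller's frame and a local several frames deeper, then reports whether the pointer slot and the call target fall inside that stack window. Assumptions: a GCC- or Clang-compatible compiler (for the `noinline` attribute) and one contiguous stack; the names `deep_probe`, `within`, `call_through_stack_slot` and `run_demo` are mine.

```c
/* Added example (not from the thread): make Rod's point measurable.
 * `yukky` occupies a stack slot, like `movl $_time,-8(%ebp)`; the call
 * loads that slot and jumps to time() in the text segment.
 * Assumptions: GCC/Clang for the noinline attribute; one contiguous stack. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

typedef time_t (*time_fn)(time_t *);

struct call_report {
    int slot_on_stack;    /* the slot holding the pointer lies in the stack window */
    int target_on_stack;  /* the address that gets called lies in the stack window */
    int slot_holds_time;  /* the slot's bytes are the address of time(): data      */
    int call_succeeded;   /* time() really ran when called through the pointer    */
};

/* Record the address of a local a few frames deeper than the caller. */
static NOINLINE void deep_probe(int depth, uintptr_t *mark)
{
    volatile char pad[256];              /* keeps every frame real */
    pad[0] = (char)depth;
    if (depth > 0)
        deep_probe(depth - 1, mark);
    else
        *mark = (uintptr_t)&pad[0];
}

/* True when p lies between a and b, whichever way the stack grows. */
static int within(uintptr_t p, uintptr_t a, uintptr_t b)
{
    uintptr_t lo = a < b ? a : b;
    uintptr_t hi = a < b ? b : a;
    return p >= lo && p <= hi;
}

/* outer_mark is the address of a local in the caller's frame, so
 * [outer_mark, inner_mark] brackets this function's own frame. */
static NOINLINE struct call_report call_through_stack_slot(uintptr_t outer_mark)
{
    struct call_report r = {0, 0, 0, 0};
    time_t now = 0;
    time_fn yukky = time;       /* movl $_time,-8(%ebp): store an address as data */
    time_fn copy;
    uintptr_t inner_mark = 0;

    deep_probe(3, &inner_mark);

    r.slot_on_stack   = within((uintptr_t)&yukky, outer_mark, inner_mark);
    r.target_on_stack = within((uintptr_t)yukky, outer_mark, inner_mark);

    memcpy(&copy, &yukky, sizeof copy);  /* read the slot back as plain bytes */
    r.slot_holds_time = (copy == time);

    /* movl -8(%ebp),%ebx ; call *%ebx : control goes to the slot's TARGET */
    r.call_succeeded = (yukky(&now) != (time_t)-1) && (now != 0);
    return r;
}

struct call_report run_demo(void)
{
    volatile char outer_local = 0;       /* marks the caller's frame */
    return call_through_stack_slot((uintptr_t)&outer_local);
}

int main(void)
{
    struct call_report r = run_demo();
    printf("pointer slot lives on the stack : %s\n", r.slot_on_stack ? "yes" : "no");
    printf("call target lives on the stack  : %s\n", r.target_on_stack ? "yes" : "no");
    printf("slot bytes == address of time() : %s\n", r.slot_holds_time ? "yes" : "no");
    printf("time() ran via the pointer      : %s\n", r.call_succeeded ? "yes" : "no");
    return 0;
}
```

The first line comes out "yes" and the second "no": the only thing on the stack is the pointer value, and it would be the same whether the stack pages were mapped executable or not. An executable stack is needed only when the bytes being jumped to are themselves in stack memory, which is exactly the case the thread is worried about and not the case this program exercises.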