Date: Mon, 26 Aug 1996 04:21:10 -0700 (PDT)
From: "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
To: dg@root.com
Cc: imp@village.org, gene@starkhome.cs.sunysb.edu, security@FreeBSD.ORG
Subject: Re: Vulnerability in the Xt library (fwd)
Message-ID: <199608261121.EAA18518@GndRsh.aac.dev.com>
In-Reply-To: <199608260633.XAA00528@root.com> from David Greenman at "Aug 25, 96 11:33:45 pm"

> >: However, this new system call could test to make sure that it is
> >: being executed from the text segment, which is read-only, and refuse
> >: to perform if not.
> >
> >Well, couldn't the code that was inserted onto the stack copy itself
> >somewhere handy, make that a read only text segment, and make these
> >calls?
> >
> >Why is the stack segment executable in the first place?  Or does Intel
> >require this?
>
>    There isn't any notion of "executable" in the x86 page table mechanism. You
> could probably use the user code selector to limit execution to low (lower
> than the stack) addresses, but you'd have to deal with the signal trampoline.

What are we loading into SS?  Is it just a copy of the DS?  If so couldn't
a separate SS segment be set up with type SDT_MEMRWA or SDT_MEMRW, or since
this is a stack shouldn't it be SDT_MEMRWD or MEMRWDA?

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD
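
The segment-limit idea discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD's code: a small C model of the x86 limit check for a code selector capped below the stack and for an expand-down SS. The SDT_* values are those of FreeBSD's <machine/segments.h>; the struct, the helper names, the addresses and the byte-granular limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Descriptor types, values as in FreeBSD's <machine/segments.h>. */
#define SDT_MEMRW   18          /* data, read/write, expand-up */
#define SDT_MEMRWD  22          /* data, read/write, expand-down */
#define SDT_MEMERA  27          /* code, execute/read, accessed */
#define T_CODE 0x8              /* type bit 3: executable segment */
#define T_DOWN 0x4              /* type bit 2: expand-down (data only) */

/* Hypothetical model of a base-0, 32-bit segment; limit is in bytes. */
struct seg { unsigned type; uint32_t limit; };

/* Constructed sample addresses, not taken from any real process. */
#define TEXT_ADDR 0x00001000u   /* somewhere in the program text */
#define STACK_LOW 0xE0000000u   /* lowest address the stack may reach */
#define STACK_BUF 0xEFBFD000u   /* a buffer on the stack */
#define SIGTRAMP  0xEFBFDF00u   /* signal trampoline near the stack top */

/* The CPU's limit check for an offset into the segment. */
static int seg_offset_ok(struct seg s, uint32_t off)
{
    if (!(s.type & T_CODE) && (s.type & T_DOWN))
        return off > s.limit;   /* expand-down: valid above the limit */
    return off <= s.limit;      /* expand-up: valid up to the limit */
}

/* An instruction fetch needs a code segment and an in-limit EIP. */
static int can_fetch(struct seg cs, uint32_t eip)
{
    return (cs.type & T_CODE) != 0 && seg_offset_ok(cs, eip);
}

int main(void)
{
    struct seg flat_cs = { SDT_MEMERA, 0xFFFFFFFFu };   /* flat code */
    struct seg low_cs  = { SDT_MEMERA, STACK_LOW - 1 }; /* capped code */
    struct seg ss      = { SDT_MEMRWD, STACK_LOW - 1 }; /* stack only */

    printf("flat CS, fetch from stack buffer: %d\n", can_fetch(flat_cs, STACK_BUF));
    printf("low CS,  fetch from stack buffer: %d\n", can_fetch(low_cs, STACK_BUF));
    printf("low CS,  fetch from text:         %d\n", can_fetch(low_cs, TEXT_ADDR));
    printf("low CS,  fetch from trampoline:   %d\n", can_fetch(low_cs, SIGTRAMP));
    printf("SS,      access to stack buffer:  %d\n", seg_offset_ok(ss, STACK_BUF));
    printf("SS,      access below the stack:  %d\n", seg_offset_ok(ss, TEXT_ADDR));
    return 0;
}
```

The capped code selector rejects the fetch from the stack buffer and also the fetch from the trampoline address, which is the signal trampoline problem raised in the quoted reply.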