From owner-freebsd-security Mon Aug 26 04:21:36 1996
From: "Rodney W. Grimes"
Date: Mon, 26 Aug 1996 04:21:10 -0700 (PDT)
Subject: Re: Vulnerability in the Xt library (fwd)
To: dg@root.com
Cc: imp@village.org, gene@starkhome.cs.sunysb.edu, security@FreeBSD.ORG
Message-Id: <199608261121.EAA18518@GndRsh.aac.dev.com>
In-Reply-To: <199608260633.XAA00528@root.com> from David Greenman at "Aug 25, 96 11:33:45 pm"

> >: However, this new system call could test to make sure that it is
> >: being executed from the text segment, which is read-only, and refuse
> >: to perform if not.
> >
> >Well, couldn't the code that was inserted onto the stack copy itself
> >somewhere handy, make that a read only text segment, and make these
> >calls?
> >
> >Why is the stack segment executable in the first place? Or does Intel
> >require this?
>
> There isn't any notion of "executable" in the x86 page table mechanism. You
> could probably use the user code selector to limit execution to low (lower
> than the stack) addresses, but you'd have to deal with the signal trampoline.

What are we loading into SS? Is it just a copy of the DS? If so couldn't a
separate SS segment be set up with type SDT_MEMRWA or SDT_MEMRW, or since this
is a stack shouldn't it be SDT_MEMRWD or MEMRWDA?
--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD
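To make the two mechanisms in this exchange concrete (a user code selector whose limit excludes the stack, versus an SS built as an expand-down data segment), here is an added illustration that is not code from the thread or from FreeBSD: a hypothetical checker that mimics the CPU's segment type and limit tests on a flat (base 0) segment. The SDT_* values are the ones FreeBSD's <machine/segments.h> uses; the address layout (text below 1 GB, stack at the top of a 3 GB user space, trampoline near the stack top) is constructed for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor type codes, values as in FreeBSD's <machine/segments.h>. */
#define SDT_MEMRW   18  /* data, read/write, expand-up */
#define SDT_MEMRWD  22  /* data, read/write, expand-down (stack style) */
#define SDT_MEMERA  27  /* code, execute/read, accessed */

/* Hypothetical flat segment (base 0); limit is already scaled to bytes. */
struct seg {
    uint32_t limit; /* expand-up: last valid offset; expand-down: one below the first valid offset */
    uint8_t  type;  /* SDT_* value: bit 3 set = code segment, bit 2 set = expand-down */
};

/* Mimics the type and limit checks the CPU applies to one access (not kernel code). */
bool seg_access_ok(const struct seg *s, uint32_t off, bool exec)
{
    bool code = (s->type & 0x08) != 0;
    if (exec && !code)                  /* an instruction fetch needs a code segment */
        return false;
    if (!exec && code && !(s->type & 0x02))
        return false;                   /* execute-only code segment is not readable */
    if (!code && (s->type & 0x04))      /* expand-down data: valid offsets are (limit, 4 GB) */
        return off > s->limit;
    return off <= s->limit;             /* expand-up: valid offsets are [0, limit] */
}

/* Constructed layout for the demo: text below 1 GB, stack at the top of 3 GB user space. */
#define CODE_LIMIT 0x3FFFFFFFu
#define STACK_LO   0xBF800000u
#define STACK_TOP  0xBFBFFFFFu

int main(void)
{
    struct seg cs    = { CODE_LIMIT, SDT_MEMERA };   /* user CS cut off below the stack */
    struct seg ss_up = { 0xFFFFFFFFu, SDT_MEMRW };   /* SS as a plain copy of DS */
    struct seg ss_dn = { STACK_LO, SDT_MEMRWD };     /* SS as expand-down, stack only */
    uint32_t stack_buf  = STACK_TOP - 0x1000;        /* a buffer living on the stack */
    uint32_t trampoline = STACK_TOP - 0x20;          /* signal trampoline near the stack top */

    printf("fetch from text:        %d\n", seg_access_ok(&cs, 0x1000, true));
    printf("fetch from stack:       %d\n", seg_access_ok(&cs, stack_buf, true));
    printf("fetch trampoline:       %d  (the problem Greenman mentions)\n",
           seg_access_ok(&cs, trampoline, true));
    printf("DS-copy SS, heap:       %d\n", seg_access_ok(&ss_up, 0x08000000u, false));
    printf("expand-down SS, heap:   %d\n", seg_access_ok(&ss_dn, 0x08000000u, false));
    printf("expand-down SS, stack:  %d\n", seg_access_ok(&ss_dn, stack_buf, false));
    return 0;
}
```

The limited CS rejects the fetch from the stack buffer but equally rejects the trampoline, which is the caveat in the quoted reply; the expand-down SS only narrows which data the stack selector can reach and does nothing about fetches.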