From owner-freebsd-security Sun Aug 25 23:09:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA20135 for security-outgoing; Sun, 25 Aug 1996 23:09:44 -0700 (PDT)
Received: from bsd7.cs.sunysb.edu (bsd7.cs.sunysb.edu [130.245.1.197]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA20130 for ; Sun, 25 Aug 1996 23:09:42 -0700 (PDT)
Received: (from uucp@localhost) by bsd7.cs.sunysb.edu (8.6.12/8.6.9) with UUCP id CAA14434; Mon, 26 Aug 1996 02:09:36 -0400
Received: (from gene@localhost) by starkhome.cs.sunysb.edu (8.7.5/8.6.9) id CAA13408; Mon, 26 Aug 1996 02:08:34 -0400 (EDT)
Date: Mon, 26 Aug 1996 02:08:34 -0400 (EDT)
From: Gene Stark
Message-Id: <199608260608.CAA13408@starkhome.cs.sunysb.edu>
To: imp@village.org
CC: security@freebsd.org
In-reply-to: <199608260605.AAA07212@rover.village.org> (message from Warner Losh on Mon, 26 Aug 1996 00:05:52 -0600)
Subject: Re: Vulnerability in the Xt library (fwd)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>: However, this new system call could test to make sure that it is
>: being executed from the text segment, which is read-only, and refuse
>: to perform if not.
>
>Well, couldn't the code that was inserted onto the stack copy itself
>somewhere handy, make that a read only text segment, and make these
>calls?

The text segment is set up by the kernel when the process starts.
I don't think there are any system calls that allow it to be extended.

>Why is the stack segment executable in the first place? Or does Intel
>require this?

I could be wrong, but I think there is no way to execute-protect pages
on the Intel architecture. Just read and write.

- Gene
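
Added example, not part of the original message: a userland C sketch of the check proposed in the quoted text, where a call refuses to proceed unless it was made from the read-only text segment. It assumes an ELF system whose linker defines `__executable_start` and `etext`; `guarded_call` is a hypothetical stand-in for the proposed system call, and only the main program's own text counts as valid (shared-library text is not considered).

```c
/* Added illustration, not kernel code: a kernel would test the saved
 * user program counter at system call entry; this sketch tests the
 * return address of an ordinary function call instead. */
#include <stdint.h>
#include <stdio.h>

/* Assumption: linker-defined symbols on ELF systems (GNU ld and compatible). */
extern char __executable_start[];   /* start of the program image */
extern char etext[];                /* first address past the text section */

/* Return 1 if pc lies between the start of the image and the end of text. */
int pc_in_text(const void *pc)
{
    uintptr_t p = (uintptr_t)pc;
    return p >= (uintptr_t)__executable_start && p < (uintptr_t)etext;
}

/* Hypothetical guarded call: returns 0 when invoked from text, -1 otherwise.
 * noinline keeps the return address pointing at the real call site. */
__attribute__((noinline)) int guarded_call(void)
{
    void *caller = __builtin_return_address(0);

    if (!pc_in_text(caller))
        return -1;      /* refuse: call did not originate in the text segment */
    return 0;           /* a real implementation would do the privileged work here */
}

int main(void)
{
    char on_stack[16] = {0};        /* constructed sample: an address on the stack */
    static char in_data[16];        /* constructed sample: an address in data/bss */

    printf("call from main():  %s\n", guarded_call() == 0 ? "allowed" : "refused");
    printf("stack address:     %s\n", pc_in_text(on_stack) ? "in text" : "not in text");
    printf("data address:      %s\n", pc_in_text(in_data) ? "in text" : "not in text");
    return 0;
}
```

The range test is only as strong as the guarantee Gene describes: it relies on the text mapping being fixed by the kernel at process start and not extendable afterwards.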