Date: Sun, 4 May 2003 04:52:49 -0400 (EDT)
From: Ingo Molnar <mingo@redhat.com>
To: "Calin A. Culianu" <calin@ajvar.org>
cc: Carl-Daniel Hailfinger <c-d.hailfinger.kernel.2003@gmx.net>,
       <linux-kernel@vger.kernel.org>
Subject: Re: [Announcement] "Exec Shield", new Linux security feature
In-Reply-To: <Pine.LNX.4.44.0305040404300.12757-100000@devserv.devel.redhat.com>
Message-ID: <Pine.LNX.4.44.0305040448250.24497-100000@devserv.devel.redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1406
Lines: 34


On Sun, 4 May 2003, Ingo Molnar wrote:

> > IIRC, x86 ints have the high-order byte _last_ (ie the fourth byte).
> > What's to stop someone from, say, smashing a buffer (and consequently
> > return-address) on the stack using something like {0x01, 0x01, 0x01,
> > 0x00} which is really address '65793' in base-10.  The above is a valid
> > ASCII string (3 1's followed by a NUL) which could conceivably end up on
> > the stack as the result of an errant strcpy() or gets() or whatever...
> 
> you are right, it is possible to use the enclosing \0 to generate an
> address into the first 16MB, but how do you get any arguments passed to
> that function?

ie. if the binary anywhere has code that does:

	system("/bin/sh")

then this address can be jumped to and an exploit becomes possible. Also,
in the case of non-ASCII overflows the attacker has a much higher degree
of freedom to create a proper stackframe.

wrt. address-space randomization, "prelink -R" already provides quite good
randomization of the shared library addresses, which should give some
statistical protection against remote attacks, i dont think we'll need
kernel support for that.

	Ingo

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/