Date: Mon, 5 May 2003 03:14:50 -0400 (EDT)
From: Ingo Molnar
To: linux-kernel@vger.kernel.org
cc: Andi Kleen
Subject: Re: [Announcement] "Exec Shield", new Linux security feature

On 4 May 2003, Andi Kleen wrote:

> Ingo Molnar writes:
>
> > ie. if the binary anywhere has code that does:
> >
> > system("/bin/sh")
>
> You just need system(char *arg) { ... } (= in every libc). Then put
> /bin/sh somewhere and a pointer to it on the stack as argument and
> overwrite some return address on the stack to jump to it.

well, how do you put the pointer on the stack if your only way to get into
the ASCII-area is to stop the overflow early and use the final \0 ? [and
the parameter has to be put _after_ the enclosing \0. ] It's not 100%
impossible, but in the common case looks quite unlikely.

	Ingo
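
Added example, not part of the original message and not code from the Exec Shield patch: a small C model of the constraint argued above, showing that a string copy can complete an address whose top byte is 0x00 only with its terminating NUL, so the argument slot after it is never written. The frame layout (16-byte buffer, 32-bit little-endian return slot, then one argument slot), the function names and both addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an i386 frame: buffer, return slot, argument slot. */
enum { BUF = 16, RET = BUF, ARG = BUF + 4, FRAME = BUF + 8 };
#define SENTINEL 0xAAu  /* marks bytes the copy never touched */

static uint32_t le32(const unsigned char *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* strcpy() semantics into the model frame, bounded by FRAME so the demo
   itself stays in bounds. Returns bytes written, terminator included. */
static size_t string_overflow(unsigned char *frame, const unsigned char *src) {
    size_t n = 0;
    while (n < FRAME) {
        frame[n] = src[n];
        if (src[n++] == 0) break;  /* copy ends at the first NUL byte */
    }
    return n;
}

/* Try to set both the return slot and the argument slot with one string
   copy. Returns 1 only if both slots hold the intended values afterwards. */
static int overflow_sets_both(uint32_t ret_addr, uint32_t arg_val,
                              uint32_t *ret_out, uint32_t *arg_out) {
    unsigned char frame[FRAME], src[FRAME + 1];
    memset(frame, SENTINEL, sizeof frame);
    memset(src, 'A', BUF);
    put_le32(src + RET, ret_addr);  /* 0x00xxxxxx ends in a 0x00 byte */
    put_le32(src + ARG, arg_val);
    src[FRAME] = 0;
    string_overflow(frame, src);
    *ret_out = le32(frame + RET);
    *arg_out = le32(frame + ARG);
    return *ret_out == ret_addr && *arg_out == arg_val;
}

int main(void) {
    uint32_t r, a;
    /* Constructed addresses: 0x00123456 is ASCII-armored, 0x40123456 is not. */
    int ok = overflow_sets_both(0x00123456u, 0x41424344u, &r, &a);
    printf("armored:   ok=%d ret=%08x arg=%08x\n", ok, (unsigned)r, (unsigned)a);
    ok = overflow_sets_both(0x40123456u, 0x41424344u, &r, &a);
    printf("unarmored: ok=%d ret=%08x arg=%08x\n", ok, (unsigned)r, (unsigned)a);
    return 0;
}
```

In the armored case the return slot takes the intended value but the argument slot still holds the sentinel; the model covers only NUL-terminated string copies, which is the "common case" the message refers to.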