From: Jesse Pollard
To: "Robert White", "'Ingo Molnar'", "'Christoph Hellwig'", "'Mike McCormack'", linux-kernel@vger.kernel.org
Subject: Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2
Date: Thu, 10 Jun 2004 08:35:17 -0500
Message-Id: <04061008351700.11472@tabby>

On Wednesday 09 June 2004 15:53, Robert White wrote:
> Which is why I, later in the same message, wrote:
>
> Architecturally the easy-application-accessible switch should be something
> more than a syscall to prevent a return-address-twiddle invoking the call
> directly. I'd make it a /proc/self something, or put it in a separate
> include-only-if-used shared library or something. If the minimal distance
> is opening and writing a normally-untouched file then you get a nice
> support matrix. (e.g. no file means no feature, file plus action means
> executable stack, no action means system default (old can, new cannot),
> hacks would require a variable (fd) and executing arbitrary code to open
> and write that file, programs/programmers that want/need the old behavior
> can achieve it without having to know how to manipulate their ELF headers
> or tool-chains, etc.)
>
> Which is not susceptible to the 1-2 attack you mention below because the
> open and write cannot be done on a protected stack or heap, since it would
> then have to be (er... ) executed to perform the hack.

Ahhhh, yes... no.

This only means the 1-2 attack must be done in two steps (maybe three).

1. create the file (first buffer overflow)
2. write? (second buffer overflow - depends on whether file must have value)
3. disable NX (third)