Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261155AbVA0UDk (ORCPT ); Thu, 27 Jan 2005 15:03:40 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261153AbVA0UDa (ORCPT ); Thu, 27 Jan 2005 15:03:30 -0500 Received: from canuck.infradead.org ([205.233.218.70]:13070 "EHLO canuck.infradead.org") by vger.kernel.org with ESMTP id S261169AbVA0UDF (ORCPT ); Thu, 27 Jan 2005 15:03:05 -0500 Subject: Re: Patch 4/6 randomize the stack pointer From: Arjan van de Ven To: linux-os@analogic.com Cc: John Richard Moser , Linux kernel , akpm@osdl.org In-Reply-To: References: <20050127101117.GA9760@infradead.org> <20050127101322.GE9760@infradead.org> <41F92721.1030903@comcast.net> <1106848051.5624.110.camel@laptopd505.fenrus.org> <41F92D2B.4090302@comcast.net> Content-Type: text/plain Date: Thu, 27 Jan 2005 21:02:58 +0100 Message-Id: <1106856178.5624.128.camel@laptopd505.fenrus.org> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 (2.0.2-3) Content-Transfer-Encoding: 7bit X-Spam-Score: 4.1 (++++) X-Spam-Report: SpamAssassin version 2.63 on canuck.infradead.org summary: Content analysis details: (4.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.3 RCVD_NUMERIC_HELO Received: contains a numeric HELO 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [] 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address [80.57.133.107 listed in dnsbl.sorbs.net] 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS [80.57.133.107 listed in dnsbl.sorbs.net] X-SRS-Rewrite: SMTP reverse-path rewritten from by canuck.infradead.org See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1057 Lines: 28 On Thu, 2005-01-27 at 14:19 -0500, linux-os wrote: > Gentlemen, > > Isn't the return address on the stack an offset in the > code (.text) segment? > > How would a random stack-pointer value help? I think you would > need to start a program at a random offset, not the stack! > No stack-smasher that worked would care about the value of > the stack-pointer. the simple stack exploit works by overflowing a buffer ON THE STACK with a "dirty payload and then also overwriting the return address to point back into that buffer. (all the security guys on this list will now cringe about this over simplification; yes reality is more complex but lets keep the explenation simple for Richard) pointing back into that buffer needs the address of that buffer. That buffer is on the stack, which is now randomized. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/