Date: Thu, 3 Feb 2005 21:20:32 +0100
From: Ingo Molnar <mingo@elte.hu>
To: pageexec@freemail.hu
Cc: linux-kernel@vger.kernel.org, Arjan van de Ven <arjanv@redhat.com>,
       "Theodore Ts'o" <tytso@mit.edu>
Subject: Re: Sabotaged PaXtest (was: Re: Patch 4/6  randomize the stack pointer)
Message-ID: <20050203202032.GA24192@elte.hu>
References: <4201DBE7.30569.2F5D446@localhost> <4202BFDB.24670.67046BC@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4202BFDB.24670.67046BC@localhost>
User-Agent: Mutt/1.4.1i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1321
Lines: 32


* pageexec@freemail.hu <pageexec@freemail.hu> wrote:

> > > dl_make_stack_executable() will nicely return into user_input
> > > (at which time the stack has already become executable).
> > 
> > wrong, _dl_make_stack_executable() will not return into user_input() in
> > your scenario, and your exploit will be aborted. Check the glibc sources
> > and the implementation of _dl_make_stack_executable() in particular. 
> 
> oh, you mean the invincible __check_caller(). one possibility:
> 
> [...]
> [field1 and other locals replaced with shellcode]
> [value of __libc_stack_end]
> [some space for the local variables of dl_make_stack_executable and others]
> [saved EBP replaced with anything in this case]
> [saved EIP replaced with address of a 'pop eax'/'retn' sequence]
> [address of [value of __libc_stack_end], loads into eax]
> [address of dl_make_stack_executable()]
> [address of a suitable 'retn' insn in ld.so/libpthread.so]
> [user_input left in place, i.e., overflows end before this]
> [...]

still wrong. What you get this way is a nice, complicated NOP.

	Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/