non-executable stack on alpha (was Re: Security in general ..)

From: Ivan Kokshaysky (ink@jurassic.park.msu.ru)
Date: Thu Apr 20 2000 - 11:37:53 EST


On Tue, Apr 18, 2000 at 09:42:53AM -0400, Michael H. Warfield wrote:
> Smash the stack so the function returns back into the system()
> function with the parameter pointing at that string and it's game over.
> The attacker now can have as many shells on your system that he wants
> and you didn't execute a single byte of code on the stack.
>
I don't see how this could be exploited on alpha, where a function takes
its first 6 arguments from registers, not from the stack.
So I became curious and tried to run with a non-executable stack
(trivial for architectures with _real_ page protection). So far
the only application I have that breaks is DU Netscape :-/
The patch I'm running at the moment is kind of a quick hack and breaks other
platforms, but could easily be cleaned up.
Maybe it's worth making "non-executable stack" a config option for alpha?

Ivan.

--- 2.3.99-pre6-2/fs/exec.c Sat Apr 8 00:38:00 2000
+++ linux/fs/exec.c Thu Apr 20 14:25:27 2000
@@ -267,7 +267,7 @@
                 return;
         }
         flush_page_to_ram(page);
- set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY))));
+ set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY_NOEX))));
 /* no need for flush_tlb */
 }
 
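Review bot: PAGE_COPY_NOEX is used unconditionally in this generic fs/exec.c hunk, but within this series it is only defined in include/asm-alpha/pgtable.h, so every other architecture stops compiling here (this is the "breaks other platforms" from the mail). Either add the symbol to every asm-*/pgtable.h or put a fallback next to the generic users, e.g. `#ifndef PAGE_COPY_NOEX` / `#define PAGE_COPY_NOEX PAGE_COPY` / `#endif`, so architectures without a fault-on-execute bit keep their current behaviour.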
@@ -292,7 +292,7 @@
                 mpnt->vm_mm = current->mm;
                 mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
                 mpnt->vm_end = STACK_TOP;
- mpnt->vm_page_prot = PAGE_COPY;
+ mpnt->vm_page_prot = PAGE_COPY_NOEX;
                 mpnt->vm_flags = VM_STACK_FLAGS;
                 mpnt->vm_ops = NULL;
                 mpnt->vm_pgoff = 0;
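Review bot: vm_page_prot is hardcoded to PAGE_COPY_NOEX here while vm_flags is set from VM_STACK_FLAGS two lines later, so the stack's executability is now encoded twice, once as a page protection and once as a VM_* mask, and the two can drift apart: any later code that recomputes vm_page_prot from vm_flags (or the reverse) silently wins. Consider deriving one from the other in a single place rather than maintaining two independent constants. The same `#ifndef PAGE_COPY_NOEX` fallback as in the previous hunk is needed for non-alpha builds of this line.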
--- 2.3.99-pre6-2/include/linux/mm.h Thu Apr 13 12:46:10 2000
+++ linux/include/linux/mm.h Thu Apr 20 14:28:33 2000
@@ -89,7 +89,7 @@
 #define VM_SEQ_READ 0x00008000 /* App will access data sequentially */
 #define VM_RAND_READ 0x00010000 /* App will not benefit from clustered reads */
 
-#define VM_STACK_FLAGS 0x00000177
+#define VM_STACK_FLAGS 0x00000133
 
 #define VM_READHINTMASK (VM_SEQ_READ | VM_RAND_READ)
 #define VM_ClearReadHint(v) (v)->vm_flags &= ~VM_READHINTMASK
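Review bot: 0x00000133 is a magic number; spelling VM_STACK_FLAGS as an OR of the VM_* flags it stands for (the way VM_SEQ_READ and VM_RAND_READ are named just above) would let a reviewer see which bits were dropped relative to 0x00000177 without decoding hex. More importantly, include/linux/mm.h is architecture-independent, so unlike the asm-alpha/pgtable.h hunk this change removes execute permission from the initial stack mapping on every architecture, including those whose page tables cannot enforce it. If the intent is the alpha-only config option proposed in the mail, this definition needs to be made conditional on it.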
--- 2.3.99-pre6-2/include/asm-alpha/pgtable.h Thu Apr 13 12:46:10 2000
+++ linux/include/asm-alpha/pgtable.h Thu Apr 20 14:22:17 2000
@@ -92,6 +92,7 @@
 #define PAGE_NONE __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOR | _PAGE_FOW | _PAGE_FOE)
 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
+#define PAGE_COPY_NOEX __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
 
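Review bot: Only the COPY protection gains a _PAGE_FOE variant; PAGE_SHARED and PAGE_READONLY get no NOEX counterparts, so any path that maps the stack region with a different protection still produces executable pages. Also visible in the context lines: PAGE_COPY and PAGE_READONLY are defined identically (_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW). That is pre-existing, but it matters if NOEX variants are later derived from them. A one-line comment stating that _PAGE_FOE makes the PTE fault on instruction fetch would help readers of the generic code that now uses this symbol.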

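As an added example, not part of Ivan's mail or the kernel patch above: the patch's effect can be verified from user space by checking whether the process's own stack mapping carries the execute bit. The program below reads /proc/self/maps (assumes a Linux /proc; the `[stack]` pathname is how Linux labels the main thread's stack) and reports whether that mapping is executable. The line parser is split out from the file scan so it can be checked on constructed sample lines as well as on the live process.

```c
/* Added example, not from the original mail or the kernel patch:
 * report whether this process's stack mapping is executable, as a
 * user-space check that a non-executable stack is actually in effect.
 * Assumes Linux /proc/self/maps with the "[stack]" pathname marker. */
#include <stdio.h>
#include <string.h>

/* Parse one /proc/self/maps line of the form
 *   start-end perms offset dev inode [pathname]
 * Returns 1 if it is the [stack] mapping and executable,
 *         0 if it is the [stack] mapping and not executable,
 *        -1 if the line is not the stack mapping or does not parse. */
int stack_line_executable(const char *line)
{
    unsigned long start, end;
    char perms[5];
    int consumed = 0;

    if (sscanf(line, "%lx-%lx %4s %n", &start, &end, perms, &consumed) != 3)
        return -1;
    if (end <= start)
        return -1;
    /* the pathname field follows the fields we consumed above */
    if (strstr(line + consumed, "[stack]") == NULL)
        return -1;
    /* perms is "rwxp"/"rw-p"/...; the third character is the execute bit */
    return perms[2] == 'x' ? 1 : 0;
}

/* Scan the live process. Returns 1 = executable stack, 0 = non-executable,
 * -1 = could not determine (no /proc, or no [stack] line found). */
int stack_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        int r = stack_line_executable(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    /* constructed sample lines (not from a real system) to show the parser */
    const char *samples[] = {
        "7ffd2a9c0000-7ffd2a9e1000 rw-p 00000000 00:00 0 [stack]\n",
        "7ffd2a9c0000-7ffd2a9e1000 rwxp 00000000 00:00 0 [stack]\n",
        "7f1c4e000000-7f1c4e021000 r-xp 00000000 08:01 1234 /lib/libc.so.6\n",
    };
    size_t i;
    int r;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, stack_line_executable(samples[i]));

    r = stack_is_executable();
    if (r < 0)
        printf("could not determine stack protection of this process\n");
    else
        printf("this process's stack is %s\n",
               r ? "EXECUTABLE" : "non-executable");
    return 0;
}
```

On a kernel and toolchain that give processes a non-executable stack, the live check reports "non-executable"; the constructed samples show the parser distinguishing an `rw-p` stack line from an `rwxp` one and ignoring non-stack mappings.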
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:17 EST