Re: non-executable stack on alpha (was Re: Security in general ..)

From: Michael H. Warfield (mhw@wittsend.com)
Date: Thu Apr 20 2000 - 11:11:43 EST


On Thu, Apr 20, 2000 at 08:37:53PM +0400, Ivan Kokshaysky wrote:
> On Tue, Apr 18, 2000 at 09:42:53AM -0400, Michael H. Warfield wrote:
> > Smash the stack so the function returns back into the system()
> > function with the parameter pointing at that string and it's game over.
> > The attacker now can have as many shells on your system as he wants
> > and you didn't execute a single byte of code on the stack.
> >
> I don't see how this could be exploited on alpha, where a function takes
> its first 6 arguments from registers, not from the stack.
> So I became curious and tried to run with the non-executable stack
> (trivially for architectures with the _real_ page protection). So far
> the only application I have that breaks is DU Netscape :-/
> The patch I run at the moment is kind of a quick hack and breaks other
> platforms, but it could be easily cleaned up.
> Maybe it's worth making "non-executable stack" a config option for alpha?

        So then all you need is a location in code which pops values into
the registers from the stack and returns? Somewhat more difficult to
pull off, but not much. Just like the hack to get around the zeros
in the library function addresses, remember, you can generally exploit some
segment of code in the program to do small tasks like popping registers or
calling library functions for you.

> Ivan.

> --- 2.3.99-pre6-2/fs/exec.c Sat Apr 8 00:38:00 2000
> +++ linux/fs/exec.c Thu Apr 20 14:25:27 2000
> @@ -267,7 +267,7 @@
> return;
> }
> flush_page_to_ram(page);
> - set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY))));
> + set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY_NOEX))));
> /* no need for flush_tlb */
> }
>
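Review bot: PAGE_COPY_NOEX is used here in architecture-independent code (fs/exec.c) but this patch defines it only in include/asm-alpha/pgtable.h, so every other architecture stops compiling at this line. A generic fallback such as `#ifndef PAGE_COPY_NOEX` / `#define PAGE_COPY_NOEX PAGE_COPY` in a common header (or a definition in each asm-*/pgtable.h) would let the change be merged instead of being alpha-only by accident, and is also where the proposed config option would hook in.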
> @@ -292,7 +292,7 @@
> mpnt->vm_mm = current->mm;
> mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
> mpnt->vm_end = STACK_TOP;
> - mpnt->vm_page_prot = PAGE_COPY;
> + mpnt->vm_page_prot = PAGE_COPY_NOEX;
> mpnt->vm_flags = VM_STACK_FLAGS;
> mpnt->vm_ops = NULL;
> mpnt->vm_pgoff = 0;
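Review bot: the stack VMA's vm_page_prot is hard-coded here rather than derived from the vm_flags assigned two lines below, so the two can drift apart: this patch changes both VM_STACK_FLAGS (in mm.h) and this line by hand, and any later path that recomputes page protection from vm_flags (mprotect, fork) relies on them agreeing. Deriving vm_page_prot from VM_STACK_FLAGS through the kernel's existing flags-to-protection lookup, rather than naming a second constant, would keep them consistent in one place.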
> --- 2.3.99-pre6-2/include/linux/mm.h Thu Apr 13 12:46:10 2000
> +++ linux/include/linux/mm.h Thu Apr 20 14:28:33 2000
> @@ -89,7 +89,7 @@
> #define VM_SEQ_READ 0x00008000 /* App will access data sequentially */
> #define VM_RAND_READ 0x00010000 /* App will not benefit from clustered reads */
>
> -#define VM_STACK_FLAGS 0x00000177
> +#define VM_STACK_FLAGS 0x00000133
>
> #define VM_READHINTMASK (VM_SEQ_READ | VM_RAND_READ)
> #define VM_ClearReadHint(v) (v)->vm_flags &= ~VM_READHINTMASK
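Review bot: the new value is a bare hex literal in a header every architecture includes; going from 0x00000177 to 0x00000133 clears bits 0x04 and 0x40 for all platforms unconditionally, which is presumably the "breaks other platforms" caveat from the message. Spell VM_STACK_FLAGS out with the named VM_* flags it is built from so that the removed bits are visible in the source (if 0x40 is VM_MAYEXEC, dropping it also refuses a later mprotect(PROT_EXEC) on the stack, which is stricter than merely starting non-executable and deserves a comment), and make the non-executable variant conditional on the alpha config option.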
> --- 2.3.99-pre6-2/include/asm-alpha/pgtable.h Thu Apr 13 12:46:10 2000
> +++ linux/include/asm-alpha/pgtable.h Thu Apr 20 14:22:17 2000
> @@ -92,6 +92,7 @@
> #define PAGE_NONE __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOR | _PAGE_FOW | _PAGE_FOE)
> #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
> #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
> +#define PAGE_COPY_NOEX __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
> #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
> #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
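Review bot: the new PAGE_COPY_NOEX line has no comment explaining that it is PAGE_COPY with fault-on-execute (_PAGE_FOE) added for the non-executable stack; a one-line comment would make the alpha side self-describing. Worth noting from the visible context too: PAGE_READONLY is defined identically to PAGE_COPY (both _PAGE_VALID | __ACCESS_BITS | _PAGE_FOW), so if a read-only non-executable flavour is ever needed by the generic callers, a matching PAGE_READONLY_NOEX would have to be added alongside this one.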

        Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
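An added check to go with the discussion above, not code from the thread or from the kernel patch: it reads /proc/self/maps (assumed to be a Linux system with procfs) and reports whether the region holding the current stack is mapped without execute permission, which is what a non-executable-stack kernel like the one patched above should produce. The parser is a separate function so it can be exercised on constructed maps lines.

```c
/* Added example: does the running process have a non-executable stack?
 * Parses the permission field of /proc/self/maps lines and looks up the
 * mapping that contains a stack variable's address. */
#include <stdio.h>
#include <string.h>

/* Return 1 if the perms field ("rwxp") of a maps line contains 'x',
 * 0 if it does not, -1 if the line does not look like a maps entry. */
int maps_line_exec(const char *line)
{
    unsigned long lo, hi;
    char perms[5];

    if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3 || hi <= lo)
        return -1;
    return strchr(perms, 'x') != NULL;
}

/* Return 1 if the stack mapping is executable, 0 if it is not,
 * -1 if /proc/self/maps is unavailable or the mapping was not found. */
int stack_is_executable(void)
{
    volatile char probe;                 /* lives on this thread's stack */
    unsigned long addr = (unsigned long)&probe;
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        /* Each line starts with "start-end perms ..."; find our region. */
        if (sscanf(line, "%lx-%lx", &lo, &hi) == 2 && addr >= lo && addr < hi) {
            result = maps_line_exec(line);
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    int r = stack_is_executable();

    if (r < 0)
        puts("could not locate the stack mapping in /proc/self/maps");
    else
        printf("stack is %s\n", r ? "EXECUTABLE (no NX stack)" : "non-executable");
    return 0;
}
```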

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:17 EST