Re: Linux kernel patch to remove stack exec permission

Ingo Molnar (mingo@pc5829.hil.siemens.at)
Mon, 14 Apr 1997 16:36:03 +0200 (MET DST)


On Sat, 12 Apr 1997 solar@sun1.ideal.ru wrote:

> [...] Some buffer
> overflows are still exploitable, by making the program put the shellcode
> somewhere else in its memory space, not on the stack, and overwriting the
> return address to point to that area. [...]

would it be a good idea to strip off the highest bit in env[] and args[]
when exec()-ing? This makes it quite hard to pass shellcode to the
process? We can get this bit cutoff very cheap by trivially modifying
copy_strings() in exec.c. [hm, this breaks 8-bit character sets?]

for the BSS/malloc() things we could theoretically get the kernel to put
executable mmap()-ed areas into the 0-1G range, and the rest into the
1G-2G range. [whee, reinventing segmented memory ...]. As most if not all
code is independent of what type of area mmap() gives us, this seems to be
doable via ext2fs attributes. Then USER_CS would be in the 0-1G range.

but the Right Thing would be if Intel fixed their page protection bits to
honor exec permissions actually ...

-- mingo