Re: Non-executable stack patch

Ingo Molnar (
Mon, 9 Jun 1997 09:54:41 +0200 (MET DST)

On Sat, 7 Jun 1997, Solar Designer wrote:

> BTW, I have just made a generic buffer overflow exploit using this method:
> it does PTRACE_SINGLESTEP to find system() entry point, and then fills the
> buffer with the following pattern: {system_addr, system_addr, string_addr,
> string_addr} -- 4 int's (16 bytes) total. This is a bit more complicated
> than what I was telling earlier (I forgot about the return address, which
> we have to leave space for), but still requires at most two tries until it
> works on an aligned buffer, and up to 8 tries on an unaligned one (which is
> the case for /usr/bin/lpr that I was testing with).

What about mapping libc always onto addresses that have a 0xab******
pattern, and then forbidding character '0xab' in argv[] and envp[] strings
[done by the kernel].

This way it would be harder to generate a valid libc address via parameter
overflow? [I'm assuming that the only open communication channel to get
attack code into the process is argv[] and envp[]]

Also, an attack warning could be issued if the kernel detects 'illegal'
characters in parameter strings (for privileged processes only). [how
'illegal' is defined depends on locale settings]

-- mingo
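An added illustration (not code from either mail, and not anything that shipped in the kernel or in Solar Designer's exploit): a small C model of two things discussed above. First, Solar Designer's {system_addr, system_addr, string_addr, string_addr} pattern written over a modelled i386 stack, with the attempt count that results from not knowing the buffer's alignment (at most two tries for an aligned buffer, up to eight for an unaligned one). Second, the argv[]/envp[] filter Ingo proposes: with every libc address carrying the 0xab byte, the pattern cannot be passed in as a parameter string. SYSTEM_ADDR, STRING_ADDR, the 64-byte stack region, the return-slot offset RET_OFF and the 0xab byte are all assumptions chosen for the model; the argv array is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for the model (not from the mails): a libc whose every
 * address carries 0xab in its top byte, and an attacker-controlled string
 * such as "/bin/sh" sitting in the environment area of the stack.
 * Neither address contains a NUL byte, since a strcpy()-style overflow
 * would stop there. */
#define SYSTEM_ADDR    0xab012345u   /* system() entry, hypothetical */
#define STRING_ADDR    0xbffffd1cu   /* address of "/bin/sh", hypothetical */
#define FORBIDDEN_BYTE 0xab

#define STACK_BYTES 64  /* modelled stack region, in bytes */
#define RET_OFF     44  /* byte offset of the saved EIP; always word aligned */

/* The 4-word pattern from Solar Designer's mail. */
static const uint32_t pattern[4] = { SYSTEM_ADDR, SYSTEM_ADDR,
                                     STRING_ADDR, STRING_ADDR };

/* One attempt: the overflowing buffer starts at byte `buf_off` (its
 * alignment is unknown to the attacker); the attacker prepends `pad`
 * filler bytes, then repeats the pattern starting at index `w`. */
static void write_payload(uint8_t *stack, int buf_off, int pad, int w)
{
    memset(stack, 0, STACK_BYTES);
    int pos = buf_off + pad;
    for (int i = 0; pos + 4 <= STACK_BYTES; i++, pos += 4) {
        uint32_t v = pattern[(i + w) & 3];
        memcpy(stack + pos, &v, sizeof v);
    }
}

/* Model the `ret`: the word in the return slot becomes EIP, the next word
 * is the (ignored) return address of system(), the one after that is its
 * first argument. */
static bool ret_hits_system(const uint8_t *stack)
{
    uint32_t eip, arg;
    memcpy(&eip, stack + RET_OFF, sizeof eip);
    memcpy(&arg, stack + RET_OFF + 8, sizeof arg);
    return eip == SYSTEM_ADDR && arg == STRING_ADDR;
}

/* The attacker's schedule: for each of the 4 possible byte paddings, try
 * word shift 0 and then 2 (the two system_addr words are adjacent, so
 * these two shifts cover all four word phases).  Returns the attempt that
 * succeeds (1..8), or -1.  An aligned buffer (buf_off % 4 == 0) needs at
 * most 2 attempts, an unaligned one up to 8, as the quoted mail says. */
int tries_needed(int buf_off)
{
    uint8_t stack[STACK_BYTES];
    int attempt = 0;
    for (int pad = 0; pad < 4; pad++) {
        for (int w = 0; w < 4; w += 2) {
            attempt++;
            write_payload(stack, buf_off, pad, w);
            if (ret_hits_system(stack))
                return attempt;
        }
    }
    return -1;
}

/* Ingo's proposed kernel check: refuse any argv[]/envp[] string containing
 * the byte reserved for libc addresses.  Returns the index of the first
 * offending string, or -1 if every string is clean. */
int first_forbidden_string(const char *const strings[], int count)
{
    for (int i = 0; i < count; i++)
        if (memchr(strings[i], FORBIDDEN_BYTE, strlen(strings[i])) != NULL)
            return i;
    return -1;
}

/* Would the pattern get through the filter if smuggled in as a parameter
 * string?  Every libc address carries 0xab, so it does not. */
bool pattern_passes_filter(void)
{
    char payload[sizeof pattern + 1];
    memcpy(payload, pattern, sizeof pattern);
    payload[sizeof pattern] = '\0';
    const char *argv_model[] = { "lpr", payload };  /* constructed argv[] */
    return first_forbidden_string(argv_model, 2) == -1;
}

int main(void)
{
    for (int off = 0; off < 4; off++)
        printf("buffer at byte offset %d: success on attempt %d\n",
               off, tries_needed(off));
    printf("pattern passes the 0xab filter: %s\n",
           pattern_passes_filter() ? "yes" : "no");
    return 0;
}
```

The model only covers the channel Ingo assumes (argv[] and envp[]); a libc address reaching the process through a file, a socket or a pipe is not touched by the filter, which is the caveat his own bracketed assumption points at.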