Re: two things

Albert D. Cahalan (
Fri, 19 Dec 1997 04:04:58 -0500 (EST)

Andi Kleen writes:
> linux kernel account <> writes:

>> I want to point out that I have offered cash for someone to
>> find an exploit that still works with no-exec stack...

Since nobody collected, the patch is quite good.

>> Yes, it's still possible BUT very difficult. The hack must either
>> look like a trampolene or be in an app where a tram is occuring..
> Writing that exploit it pretty easy. You just have to guess the
> address of a
> exec("/bin/sh");
> code fragment in libc (e.g. in system()) or in the program itself.
> Then put this address on the stack and wait for the program to
> jump to it.

You'd think so, but some versions of the patch have a solution.
There are actually 2 solutions:

1. Randomize the stack and/or library location.
(and of course failed exploits get logged)

2. Map the library with a '\0' in the address.
It is impossible to get such an address past strcpy().

Anyway, this is an imperfect world. The patch is good.