Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)

[Ingo Molnar]

* pageexec@xxxxxxxxxxx <pageexec@xxxxxxxxxxx> wrote:

> > > dl_make_stack_executable() will nicely return into user_input
> > > (at which time the stack has already become executable).
> > 
> > wrong, _dl_make_stack_executable() will not return into user_input() in
> > your scenario, and your exploit will be aborted. Check the glibc sources
> > and the implementation of _dl_make_stack_executable() in particular. 
> 
> oh, you mean the invincible __check_caller(). one possibility:
> 
> [...]
> [field1 and other locals replaced with shellcode]
> [value of __libc_stack_end]
> [some space for the local variables of dl_make_stack_executable and others]
> [saved EBP replaced with anything in this case]
> [saved EIP replaced with address of a 'pop eax'/'retn' sequence]
> [address of [value of __libc_stack_end], loads into eax]
> [address of dl_make_stack_executable()]
> [address of a suitable 'retn' insn in ld.so/libpthread.so]
> [user_input left in place, i.e., overflows end before this]
> [...]

still wrong. What you get this way is a nice, complicated NOP.

	Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/