Re: Foot-in-mouth: Re: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2

Perry Harrington (pedward@sun4.apsoft.com)
Thu, 6 Aug 1998 20:10:37 -0700 (PDT)


No, but the problem could be solved by setting the sp to the next page
boundary on the stack and then protecting the page; you would write the
return addresses to the protected page. Does a processor-internal fetch
generate a trap, or is it only when you have an explicit
reference? (on the x86)

Incidentally, changing whether the stack grows up or down would fix it,
because you want the stack to grow in the same direction that a memory
write goes, so that you're not writing the return address AFTER the
stack buffers in memory; this is what grow-downs do.

Maybe I'm blowing monkeys out my arse, I'm not sure.

--Perry

>
> Oops! I just realized that the expand-down vs. expand-up has
> absolutely nothing to do with the way the ESP register works...
> but this makes me wonder if such a stack is available on any
> architectures? Hmm... sorry for wasting bandwidth, but
> IMHO this would be a very good solution to the problem if it
> is available on any architectures.
>
> Joseph Malicki

-- 
Perry Harrington       Linux rules all OSes.    APSoft      ()
email: perry@apsoft.com 			Think Blue. /\
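The two ideas in the message above, the stack-growth direction argument and the protected page on the stack, can be checked concretely. What follows is an added example written for this archive page; it is not code from the thread or from the kernel patch under discussion. The first half models a single stack frame (a 16-byte local buffer plus an 8-byte saved return address) inside an ordinary byte array, so the unchecked copy stays inside the model instead of corrupting the host process: with a downward-growing stack the buffer sits below the saved return address and an over-long copy runs up into it; with an upward-growing layout the same copy runs away from it. The second half uses mmap/mprotect to build a real guard page and shows, via a SIGSEGV handler and siglongjmp, that an explicit write into it traps. On x86 with paging enabled the stack pushes the CPU performs on its own (call, push, interrupt entry) go through the same page-table checks and fault the same way, but this example only exercises the explicit write. The frame sizes, the 0x41… sentinel, and the "BBBB…" input are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <signal.h>
#include <setjmp.h>
#include <unistd.h>
#include <sys/mman.h>

/* --- Part 1: frame layout vs. stack growth direction (simulated) --- */

#define STACK_BYTES 64   /* size of the simulated stack, constructed for the example */
#define BUF_BYTES   16   /* local char buffer in the frame */
#define RET_BYTES    8   /* saved return address */

enum growth { GROWS_DOWN, GROWS_UP };

struct frame { size_t buf_off; size_t ret_off; };

/* Place the saved return address and the local buffer the way each stack
 * discipline would. Offsets are into the simulated stack array. */
static struct frame layout(enum growth g)
{
    struct frame f;
    if (g == GROWS_DOWN) {
        /* Conventional x86: return address pushed at a higher address, the
         * callee's locals allocated below it. A copy into buf moves upward,
         * toward the saved return address. */
        f.ret_off = STACK_BYTES - RET_BYTES;   /* 56 */
        f.buf_off = f.ret_off - BUF_BYTES;     /* 40 */
    } else {
        /* Hypothetical grow-up stack: return address at the low end, locals
         * allocated above it. A copy into buf moves upward, away from it. */
        f.ret_off = 0;
        f.buf_off = RET_BYTES;                 /* 8 */
    }
    return f;
}

/* Copy src into the frame's buffer with no bounds check (the classic
 * strcpy bug), clipped only at the end of the simulated stack so the host
 * process is never touched. Returns 1 if the saved return address changed. */
static int overflow_clobbers_ret(enum growth g, const char *src, uint64_t *ret_out)
{
    unsigned char stack[STACK_BYTES];
    const uint64_t sentinel = 0x4141414141414141ULL; /* stands in for the real return address */
    struct frame f = layout(g);
    uint64_t ret;
    size_t n = strlen(src) + 1;                     /* include the NUL, as strcpy would */

    memset(stack, 0, sizeof stack);
    memcpy(stack + f.ret_off, &sentinel, RET_BYTES);
    if (f.buf_off + n > STACK_BYTES)
        n = STACK_BYTES - f.buf_off;                /* stay inside the model */
    memcpy(stack + f.buf_off, src, n);

    memcpy(&ret, stack + f.ret_off, RET_BYTES);
    if (ret_out)
        *ret_out = ret;
    return ret != sentinel;
}

/* --- Part 2: a real guard page, written to explicitly --- */

static sigjmp_buf fault_env;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting store */
}

/* Map two pages, revoke all access to the second one, then store into it.
 * Returns 1 if the store faulted (guard worked), 0 if it silently succeeded,
 * -1 if the mapping could not be set up. */
static int guard_page_traps_write(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    struct sigaction sa, old;
    int faulted;

    if (p == MAP_FAILED)
        return -1;
    if (mprotect(p + ps, ps, PROT_NONE) != 0) {
        munmap(p, 2 * ps);
        return -1;
    }
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *guard = p + ps;
        *guard = 0x42;          /* first byte of the protected page: should trap */
        faulted = 0;
    } else {
        faulted = 1;            /* arrived here from on_segv */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(p, 2 * ps);
    return faulted;
}

int main(void)
{
    const char *big = "BBBBBBBBBBBBBBBBBBBBBBBB";  /* 24 bytes, constructed: 8 past the 16-byte buffer */
    uint64_t r = 0;
    printf("grow-down, 24-byte copy into 16-byte buf: ret clobbered=%d (ret=0x%llx)\n",
           overflow_clobbers_ret(GROWS_DOWN, big, &r), (unsigned long long)r);
    printf("grow-up,   same copy:                     ret clobbered=%d\n",
           overflow_clobbers_ret(GROWS_UP, big, NULL));
    printf("guard page traps an explicit write:        %d\n", guard_page_traps_write());
    return 0;
}
```

Build with `cc -O0 -o stackdir stackdir.c` on Linux; the first line prints `ret clobbered=1` with the return slot full of 0x42 ('B'), the second prints `0`, and the third prints `1`. Note that the grow-up layout only moves the saved return address out of the path of this particular overflow; the same copy still runs into whatever the frame above holds, so the direction change removes the easy return-address target rather than the memory corruption itself.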

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html