Re: Compiler alternatives to no-exec (was Re: non exec stack...)

David Wragg (dpw@doc.ic.ac.uk)
09 Aug 1998 00:48:46 +0000


kragen@pobox.com (Kragen) writes:
> On Fri, 7 Aug 1998, Rene Janssen wrote:
> > This is probably not sufficient for all cases. You have to put 2 zero
> > guard bytes around the return address to be more secure. Overwriting the
> > returnadress can be done from two directions in theory.
>
> It's also not sufficient for multiple overflows in the same function --
> if you can overflow the same string multiple times with progressively
> shorter strings, you can put the zero back where it belongs after
> overwriting the stuff on the other side.

But if a zero word is put on the stack, you'd need one buffer overflow
for the exploit, and one to put each zero byte back -- five on a
32-bit architecture.

However it's quite possible that some broken suid program has code
like:

for (i = 0; i < nparams; i++) {
    strcpy(buffer, param[i]);   /* unbounded copy into a fixed-size stack buffer */
    /* do something with buffer */
}

--
Dave Wragg

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html
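An added illustration of the point made in the message above (this is not code from the post or from any kernel patch): a C model of a stack frame with a zero guard word between the buffer and the saved return address, run through the same strcpy loop. It assumes a 16-byte buffer, a placeholder return-address value and constructed inputs of 'A' bytes; the guard check passes again after one overrun plus four shorter copies, while a bounded copy leaves both the guard and the return address untouched.

```c
#include <string.h>

/* Constructed frame model: 16-byte buffer, 4-byte zero guard word, 4-byte saved return address. */
#define BUF_SIZE   16
#define GUARD_OFF  BUF_SIZE
#define RET_OFF    (GUARD_OFF + 4)
#define FRAME_SIZE (RET_OFF + 4)
struct frame { unsigned char mem[FRAME_SIZE]; };
static const unsigned char RET_ORIG[4] = {0xef, 0xbe, 0xad, 0xde}; /* placeholder value */
static const unsigned char ZERO4[4]    = {0, 0, 0, 0};

static void frame_init(struct frame *f) {
    memset(f->mem, 0, FRAME_SIZE);          /* empty buffer, zero guard word */
    memcpy(f->mem + RET_OFF, RET_ORIG, 4);  /* saved return address */
}

/* strcpy(buffer, s) in the model: copies through the NUL, bounded only by the frame edge. */
static int unbounded_copy(struct frame *f, const char *s) {
    size_t n = strlen(s) + 1;
    if (n > FRAME_SIZE) return -1;          /* the model refuses to leave the frame */
    memcpy(f->mem, s, n);
    return 0;
}

/* Hardened copy: truncates to the buffer and always NUL-terminates inside it. */
static void bounded_copy(struct frame *f, const char *s) {
    size_t n = strlen(s);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(f->mem, s, n);
    f->mem[n] = '\0';
}

static int guard_intact(const struct frame *f) { return memcmp(f->mem + GUARD_OFF, ZERO4, 4) == 0; }
static int ret_intact(const struct frame *f)   { return memcmp(f->mem + RET_OFF, RET_ORIG, 4) == 0; }

/* The post's loop over the model; parameter i is lens[i] 'A' bytes. Returns (guard<<1)|ret or -1. */
static int scenario(const int *lens, int nparams, int bounded) {
    struct frame f; char s[FRAME_SIZE];
    frame_init(&f);
    for (int i = 0; i < nparams; i++) {
        if (lens[i] < 0 || lens[i] >= FRAME_SIZE) return -1;
        memset(s, 'A', lens[i]); s[lens[i]] = '\0';
        if (bounded) bounded_copy(&f, s);
        else if (unbounded_copy(&f, s) != 0) return -1;
        /* do something with buffer */
    }
    return (guard_intact(&f) << 1) | ret_intact(&f);
}

/* One overrun reaching the return address, then four shorter copies whose NUL lands on each guard byte. */
static const int SINGLE[]   = {23};
static const int REPEATED[] = {23, 19, 18, 17, 16};
```

A guard check at function return therefore detects the single overrun (result 0) but not the five-copy sequence (result 2: guard zero again, return address changed); with the bounded copy both scenarios return 3.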