Re: [RFC] prevention of syscalls from writable segments, breaking bug exploits

From: Brian Gerst (bgerst@didntduck.org)
Date: Wed Jan 03 2001 - 16:48:23 EST


Dan Aloni wrote:
>
> It is known that most remote exploits use the fact that stacks are
> executable (in i386, at least).
>
> On Linux, they use INT 80 system calls to execute functions in the kernel
> as root, when the stack is smashed as a result of a buffer overflow bug in
> various server software.
>
> This preliminary, small patch prevents execution of system calls which
> were executed from a writable segment. It was tested and seems to work,
> without breaking anything. It also reports such calls by using printk.

Do you realise how much overhead you just added to every single
syscall? It won't work anyways, for the same reasons every other
non-exec stack patch has been rejected - exploits exist that don't write
any code to the stack, you just need two pointers.

--

Brian Gerst
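
Added example (not the patch from this thread and not code by either poster): a user-space C model of the check the RFC describes, classifying the address a syscall was issued from by whether its mapping is writable. The maps text, `classify_origin` and the verdict names are constructed for illustration; the sample also shows that an address inside a read-only, executable library mapping passes the check, which is the limitation raised in the reply.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not taken from the thread). */
static const char *SAMPLE_MAPS =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /usr/sbin/exampled\n"
    "0804c000-0804d000 rw-p 00003000 03:01 1234 /usr/sbin/exampled\n"
    "40020000-40130000 r-xp 00000000 03:01 5678 /lib/libc.so.6\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0\n";

enum verdict { ORIGIN_UNMAPPED = -1, ORIGIN_ALLOWED = 0, ORIGIN_WRITABLE = 1 };

/* Hypothetical helper: find the mapping containing ip and report whether it
 * is writable. A policy like the one in the RFC would refuse ORIGIN_WRITABLE. */
enum verdict classify_origin(const char *maps, unsigned long ip)
{
    const char *line = maps;

    while (line && *line) {
        unsigned long start, end;
        char perms[5];

        /* Each line starts with "start-end perms"; end is exclusive. */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            ip >= start && ip < end)
            return perms[1] == 'w' ? ORIGIN_WRITABLE : ORIGIN_ALLOWED;

        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return ORIGIN_UNMAPPED;
}

int main(void)
{
    /* Constructed addresses: program text, stack, library text, unmapped. */
    unsigned long ips[] = { 0x08048123UL, 0xbffff7a0UL, 0x40031000UL, 0x10UL };
    size_t i;

    for (i = 0; i < sizeof(ips) / sizeof(ips[0]); i++)
        printf("%#010lx -> %d\n", ips[i], classify_origin(SAMPLE_MAPS, ips[i]));
    return 0;
}
```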


