On Wed, Jan 03, 2001 at 11:13:31PM +0200, Dan Aloni wrote:
> It is known that most remote exploits use the fact that stacks are
> executable (in i386, at least).
>
> On Linux, they use INT 80 system calls to execute functions in the kernel
> as root, when the stack is smashed as a result of a buffer overflow bug in
> various server software.
>
> This preliminary, small patch prevents execution of system calls which
> were executed from a writable segment. It was tested and seems to work,
> without breaking anything. It also reports such calls by using printk.
Cool.
> --- linux/arch/i386/kernel/process.c Wed Jan 3 22:57:42 2001
> +++ linux/arch/i386/kernel/process.c Wed Jan 3 22:57:55 2001
> @@ -765,3 +765,8 @@
> }
> #undef last_sched
> #undef first_sched
> +
> +void print_bad_syscall(struct task_struct *task)
> +{
> + printk("process %s (%d) tried to syscall from an executable segment!\n", task->comm, task->pid);
                                                     ^^^^^^^^^^
I suppose this should read "writable"...
> +}
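Review bot: the printk() in print_bad_syscall() has no log level, and nothing in the visible lines limits how often it can fire. The message is triggered by what a user process does, so a process that keeps tripping the check could flood the kernel log and push out other entries. Consider prefixing the format string with KERN_WARNING and throttling the report (for example, a per-task or time-based limit) so the audit trail stays usable.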
Erik
-- 
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
of Electrical Engineering, Faculty of Information Technology and Systems,
Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands
Phone: +31-15-2783635 Fax: +31-15-2781843 Email: J.A.K.Mouw@its.tudelft.nl
WWW: http://www-ict.its.tudelft.nl/~erik/
This archive was generated by hypermail 2b29 : Sun Jan 07 2001 - 21:00:16 EST