Re: Preventing Pentium Deaths

John Wyszynski (wyszynsk@cc204346-a.hwrd1.md.home.com)
Tue, 11 Nov 1997 00:40:39 -0500


The Pentium can only execute what is in the code segment. A process cannot
write to code memory and then execute it without it first being validated. At
the time the process wrote to "some_variable" that page could not be mapped
into the code segment; it would have to be unmapped in the code segment area
or a page fault on the write would occur and the page removed from the code
segment area. One must understand that code segments cannot be written and
data segments cannot be executed.

John Wyszynski

> On Mon, Nov 10, 1997 at 06:42:41PM -0500, John Wyszynski wrote:
> [...]
> > (1) if (euid == 0) then the page is valid
> > (2) if (group #xxx is in the group set of the process) then the page is valid
> > (3) scan the page for the magic opcodes, including the edges of pages if an
> > instruction crosses them.
> [...]
>
> You're missing the point. Scanning for the F0 0F C7 C8 sequence will
> not work - one can e.g. calculate it from other values:
>
> movl $0x3738f00f,%eax
> notl %eax
> movl %eax,some_variable
> ...
>
> is just one simple example where the "magic bytes" are not found by a
> memory scan. So why waste time?
>
> --
> Michael "Tired" Riepe <Michael.Riepe@stud.uni-hannover.de>
> "All I wanna do is have a little fun before I die"
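As an added illustration of the two positions above (this is example code, not from the thread or from any kernel), a scanner in C for the F0 0F C7 C8 sequence that follows point (3) by looking across page edges, and that also shows Michael's objection: the code page holding the immediate 0x3738f00f contains no match, while the data the process writes after notl does. PAGE_SIZE, scan_for_magic, store_le32 and the demo functions are names assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed for this example: the byte pattern discussed in the thread,
 * as it lies in memory on a little-endian x86. */
static const uint8_t MAGIC[4] = { 0xF0, 0x0F, 0xC7, 0xC8 };

#define PAGE_SIZE 4096          /* assumed i386 page size for the demo */
#define IMM 0x3738f00fu         /* the immediate from Michael's movl */

/* Scan n bytes for the 4-byte sequence. Returns the offset of the first
 * match or -1. Scanning a contiguous region, rather than one page at a
 * time, is what lets a sequence straddling a page edge be found. */
long scan_for_magic(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + sizeof MAGIC <= n; i++)
        if (memcmp(buf + i, MAGIC, sizeof MAGIC) == 0)
            return (long)i;
    return -1;
}

/* Place a 32-bit value in memory the way movl stores it (little-endian). */
void store_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = v & 0xff;         dst[1] = (v >> 8) & 0xff;
    dst[2] = (v >> 16) & 0xff; dst[3] = (v >> 24) & 0xff;
}

/* The page that holds the code only contains the immediate 0x3738f00f
 * (bytes 0F F0 38 37), so a scan of it finds nothing. */
long scan_static_immediate(void)
{
    uint8_t page[PAGE_SIZE] = {0};
    store_le32(page + 100, IMM);
    return scan_for_magic(page, sizeof page);   /* -1 */
}

/* After notl, the value written to some_variable is the complement,
 * 0xC8C70FF0, whose bytes are exactly F0 0F C7 C8. */
long scan_after_not(void)
{
    uint8_t page[PAGE_SIZE] = {0};
    store_le32(page + 100, ~IMM);
    return scan_for_magic(page, sizeof page);   /* 100 */
}

/* A sequence split across two adjacent pages (F0 0F | C7 C8) is missed by
 * a per-page scan and found only when the scanner looks across the edge. */
long scan_across_page_edge(void)
{
    uint8_t two_pages[2 * PAGE_SIZE] = {0};
    store_le32(two_pages + PAGE_SIZE - 2, ~IMM);
    if (scan_for_magic(two_pages, PAGE_SIZE) != -1)
        return -2;                               /* per-page scan should miss */
    return scan_for_magic(two_pages, sizeof two_pages);   /* PAGE_SIZE - 2 */
}
```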