I think this will break dynamically loaded code.  Also, library
    fixups may be writable and even if we don't embed jump instructions
    in them now who knows what might be done in the future.  Even if 
    we enforced this all it would accomplish is to make the cracks a 
    little more sophisticated.

    Linux messes around with the user code segment.  By limiting its 
    size it can be made to 'miss' the user stack, preventing code from
    being executable on the stack.  This is a zero-cost solution.  However,
    there has been a lot of resistance to implementing it in FreeBSD 
    because it is an i386-specific solution rather than a general solution,
    and is really more of a mask on the problem instead of a fix.

                                        -Matt
                                        Matthew Dillon 
                                        <[EMAIL PROTECTED]>


:Hi folks
:
: I'd like to propose a simple guard against stack overflow attacks.
: The idea is very simple: just prevent system calls from writable
: user areas (i.e. data & bss area) except SYS_sigreturn.
:
: It has little performance penalty and can prevent trivial stack
: overflow attacks such as simply executing a shell.
:
:
:*** /usr/src/sys/i386/i386/trap.c-ORIG Mon Aug 30 01:05:56 1999
:--- /usr/src/sys/i386/i386/trap.c      Fri Feb  4 22:30:44 2000
:***************
:*** 1074,1079 ****
:--- 1074,1090 ----
:  
:       if (p->p_sysent->sv_mask)
:               code &= p->p_sysent->sv_mask;
:+ /* begin XXXXXXX -- prevent system call from writable user area */
:+      if (code != SYS_sigreturn &&
:+          ((int)(*vtopte(frame.tf_eip-frame.tf_err))&(PG_V|PG_RW|PG_U))
:+              != (PG_V|PG_U)) {
:+              printf("pid%d: %d@0x%08x\n",
:+                     p->p_pid, code, frame.tf_eip-frame.tf_err);
:+              trapsignal(p, SIGILL, T_PRIVINFLT);
:+              error = -1; /* just prevent warning */
:+              goto bad_syscall;
:+      }
:+ /* end XXXXXXX */
:  
:       if (code >= p->p_sysent->sv_size)
:               callp = &p->p_sysent->sv_table[0];
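Review bot: the address checked, `frame.tf_eip-frame.tf_err`, assumes tf_err holds the length of the syscall instruction on every syscall entry path; if any entry stub leaves something else there, the PTE consulted belongs to the wrong page and the verdict is wrong in both directions, so that assumption should at least be stated in the comment. Masking PG_RW also refuses syscalls from any writable mapping, not only the stack, which is exactly the dynamically loaded code and writable library fixup case raised in the reply; that exposure belongs in the comment or behind a sysctl rather than the `begin XXXXXXX` placeholder markers. Finally the unconditional printf() fires once per rejected syscall under full control of the process, so a user can flood the console at syscall rate; rate-limit it or make it a debug option, and replace `error = -1; /* just prevent warning */` with a comment saying what -1 means on this path.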
:***************
:*** 1140,1145 ****
:--- 1151,1159 ----
:               frame.tf_eflags &= ~PSL_T;
:               trapsignal(p, SIGTRAP, 0);
:       }
:+ /* begin XXXXXXX */
:+ bad_syscall:
:+ /* end XXXXXXX */
:  
:       userret(p, &frame, sticks);
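Review bot: `bad_syscall:` sits after the PSL_T / SIGTRAP block in the context, so a rejected syscall jumps past that block (and past everything else between the check and this point) straight to userret(); a single-stepped process that receives the new SIGILL never gets its SIGTRAP, and any other post-syscall bookkeeping in the skipped region is bypassed as well. Either move the label ahead of that block or have the check set error and continue down the normal error-return path instead of a goto, and name the feature in the marker comments rather than `XXXXXXX`.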



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
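The accept/reject rule of the quoted patch, modelled in user space as an added example (not code from the thread or from FreeBSD) so the cases the thread argues about can be exercised: the PG_* values are the i386 PTE bits, the page table is constructed, the SYS_sigreturn number is assumed, and, as in the patch, tf_err is taken to be the syscall instruction length.

```c
#include <stdint.h>
#include <stdio.h>

#define PG_V   0x001u   /* PTE bit: page present */
#define PG_RW  0x002u   /* PTE bit: writable */
#define PG_U   0x004u   /* PTE bit: user accessible */
#define PAGE_SHIFT 12
#define SYS_sigreturn 103   /* assumed syscall number, for illustration only */

/* Toy page table: one PTE per 4 KiB page of a small modelled address range. */
#define NPAGES 8
struct pagetable { uint32_t pte[NPAGES]; };

/* Constructed sample: page 0 text, 1 data, 2 stack, 3 writable library
 * fixup area (the reply's objection), 4 kernel-only, 5 not present. */
const struct pagetable sample_pt = {{
    PG_V | PG_U, PG_V | PG_RW | PG_U, PG_V | PG_RW | PG_U,
    PG_V | PG_RW | PG_U, PG_V | PG_RW, 0, 0, 0 }};

enum verdict { ALLOW_TEXT, ALLOW_SIGRETURN, DENY_WRITABLE,
               DENY_NOT_USER, DENY_NOT_PRESENT, DENY_UNMAPPED };

/* Stand-in for vtopte(): PTE for a virtual address, NULL outside the model. */
static const uint32_t *vtopte_model(const struct pagetable *pt, uint32_t va)
{
    uint32_t vpn = va >> PAGE_SHIFT;
    return vpn < NPAGES ? &pt->pte[vpn] : NULL;
}

/* The patch's decision: eip - err is the syscall instruction's address;
 * allow only if its page is present, user-accessible and read-only,
 * except for sigreturn, which legitimately runs from the stack trampoline. */
enum verdict syscall_check(const struct pagetable *pt, uint32_t tf_eip,
                           uint32_t tf_err, int code)
{
    const uint32_t *pte = vtopte_model(pt, tf_eip - tf_err);
    if (code == SYS_sigreturn) return ALLOW_SIGRETURN;
    if (pte == NULL) return DENY_UNMAPPED;
    if ((*pte & (PG_V | PG_RW | PG_U)) == (PG_V | PG_U)) return ALLOW_TEXT;
    if (!(*pte & PG_V)) return DENY_NOT_PRESENT;
    if (!(*pte & PG_U)) return DENY_NOT_USER;
    return DENY_WRITABLE;   /* stack, data, or a writable fixup page */
}

int main(void)
{
    /* int $0x80 is 2 bytes, so eip is 2 past the instruction: err = 2. */
    printf("text page: %d\n", syscall_check(&sample_pt, 0x0012, 2, 4));
    printf("stack page: %d\n", syscall_check(&sample_pt, 0x2012, 2, 4));
    return 0;
}
```

Page 3 shows the false positive from the reply: a syscall issued through a writable library fixup page is refused exactly like one issued from the stack.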