Re: [RFC] prevention of syscalls from writable segments, breaking bug exploits

From: Pavel Machek (pavel@suse.cz)
Date: Wed Jan 03 2001 - 17:30:52 EST


Hi!

> It is known that most remote exploits use the fact that stacks are
> executable (in i386, at least).
>
> On Linux, they use INT 80 system calls to execute functions in the kernel
> as root, when the stack is smashed as a result of a buffer overflow bug in
> various server software.
>
> This preliminary, small patch prevents execution of system calls which
> were executed from a writable segment. It was tested and seems to work,
> without breaking anything. It also reports such calls by using
> printk.

Haha.

So the exploit needs to call a libc function to do the dirty work for it.
Not such a big deal.

Okay, it might do the trick and deter script kiddies; still it is even
weaker than non-executable stack patches.

                                                                Pavel

-- 
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at discuss@linmodems.org
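
The check discussed in this thread, modelled in user space as an added example; it is not part of the original message or of the RFC patch. It assumes "writable segment" can be read from the permission column of a `/proc/<pid>/maps` style listing; the sample map, the addresses and the function names are constructed for illustration. It shows why the policy only constrains where the system call instruction sits: an instruction inside a read-only libc mapping passes no matter how control reached it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from the original post). */
static const char SAMPLE_MAPS[] =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /usr/sbin/exampled\n"
    "0804c000-0804d000 rw-p 00003000 03:01 1234 /usr/sbin/exampled\n"
    "40000000-40120000 r-xp 00000000 03:01 5678 /lib/libc.so.6\n"
    "40120000-40126000 rw-p 0011f000 03:01 5678 /lib/libc.so.6\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0\n";

/* Returns 1 if addr lies in a writable mapping, 0 if it lies in a
 * non-writable mapping, -1 if no mapping covers it. */
int origin_is_writable(const char *maps, unsigned long addr)
{
    const char *line = maps;

    while (*line) {
        unsigned long start, end;
        char perms[5];

        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            addr >= start && addr < end)
            return perms[1] == 'w';
        line = strchr(line, '\n');
        if (!line)
            break;
        line++;
    }
    return -1;
}

/* Policy as described in the RFC: allow the system call only when the
 * instruction that issued it is in a mapped, non-writable region. */
int syscall_allowed(const char *maps, unsigned long insn_addr)
{
    return origin_is_writable(maps, insn_addr) == 0;
}

int main(void)
{
    unsigned long on_stack = 0xbffff800UL; /* constructed: instruction in stack memory */
    unsigned long in_libc  = 0x400a1b2cUL; /* constructed: instruction in libc text */

    printf("from stack: %s\n", syscall_allowed(SAMPLE_MAPS, on_stack) ? "allowed" : "denied");
    printf("from libc:  %s\n", syscall_allowed(SAMPLE_MAPS, in_libc) ? "allowed" : "denied");
    return 0;
}
```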