Re: Non-executable stack patch

fb (fb@chibacity.com)
Mon, 9 Jun 1997 23:28:14 -0500 (EST)


Hey man, btw I love your John the Ripper

frostbyte
fb@chibacity.com

On Tue, 10 Jun 1997, Solar Designer wrote:

> Hello!
>
> > What about mapping libc always onto addresses that have a 0xab******
> > pattern, and then forbidding character '0xab' in argv[] and envp[] strings
> > [done by the kernel].
>
> Well, there's a similar idea which I already implemented, and which I like
> better (since people need characters like 0xab allowed).
>
> It is to map libc at 0x00001000+ so there's always a zero byte in the
> address. That way it's not possible to pass any parameters to the function
> being called, since in most cases you have to overflow with an ASCIIZ string.
> And even if there's a suitable function with no parameters, you would have to
> overwrite the return address only, not fill with a pattern (unfortunately
> x86s are little endian, so the address itself can be put in ASCIIZ; it will
> terminate the string though).
>
> Here goes a dirty kernel patch for mmap(); use it in addition to my
> non-executable stack patch. Warning: this is x86-only; I should make a
> #define in some architecture-specific includes in the real patch instead.
>
> --- /extra/linux-2.0.30/mm/mmap.c Fri Nov 22 11:25:17 1996
> +++ linux/mm/mmap.c Mon Jun 9 02:20:25 1997
> @@ -308,7 +308,7 @@
> if (len > TASK_SIZE)
> return 0;
> if (!addr)
> - addr = TASK_SIZE / 3;
> + addr = 0x00001000;
> addr = PAGE_ALIGN(addr);
>
> for (vmm = find_vma(current->mm, addr); ; vmm = vmm->vm_next) {
>
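Review bot: the hardcoded `addr = 0x00001000;` on the `+` line changes the default placement for every mmap() call that passes no address hint, not only for the libc mapping the message talks about, and the zero-byte guarantee it buys holds only while the whole mapping stays below 0x01000000 (the top byte is the zero). A comment on that line stating the 16 MB bound, plus the architecture-specific #define for the constant that the message itself calls for, would make the intent checkable when the mapping area grows. Worth noting too that all default-placed mappings now start on the first page above the zero page, where TASK_SIZE / 3 previously kept them well away from the executable image.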
> I'm running this right now, no problems so far (both ELF and a.out binaries
> work just fine).
>
> Signed,
> Solar Designer
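As an added illustration, not part of the original post or of Solar Designer's patch: a small C check of the property the quoted message relies on, namely that every address inside the libc mapping contains a zero byte (and so terminates an ASCIIZ string), including the limit at 16 MB above which the property stops holding. The 2 MB libc size and the 0x40000000 value for TASK_SIZE / 3 on x86 Linux 2.0 are assumptions.

```c
/* Added example, not part of the original post or patch: checks the
 * property the quoted message relies on, that every address inside the
 * libc mapping contains a zero byte and so terminates an ASCIIZ string. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of the little-endian (x86) encoding of addr that precede the first
 * NUL: how many of the four an ASCIIZ copy would actually deliver. */
unsigned le_bytes_before_nul(uint32_t addr)
{
    for (unsigned i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return i;
    return 4;
}

bool addr_has_zero_byte(uint32_t addr)
{
    return le_bytes_before_nul(addr) < 4;
}

/* True if every address in [base, base + len) contains a zero byte.
 * Everything below 0x01000000 does (top byte is zero), so a mapping that
 * stays inside the first 16 MB qualifies; above that only short windows
 * do, which the scan detects within a few tens of thousands of steps. */
bool region_is_nul_safe(uint32_t base, uint32_t len)
{
    if (len == 0) return true;
    if (base > UINT32_MAX - (len - 1)) return false;  /* wraps past 4 GB */
    uint32_t end = base + (len - 1);
    if (end <= 0x00ffffffu) return true;              /* whole mapping in the low 16 MB */
    for (uint32_t a = base > 0x01000000u ? base : 0x01000000u; ; a++) {
        if (!addr_has_zero_byte(a))
            return false;
        if (a == end)
            break;
    }
    return true;
}

int main(void)
{
    /* Assumed: a 2 MB libc; TASK_SIZE / 3 on x86 Linux 2.0 taken as 0x40000000. */
    uint32_t bases[2] = { 0x40000000u, 0x00001000u }, len = 0x00200000u;
    for (int i = 0; i < 2; i++)
        printf("libc at %#010x: %s\n", bases[i], region_is_nul_safe(bases[i], len)
               ? "every address has a zero byte" : "some addresses have no zero byte");
    return 0;
}
```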