BTW: Anyone have an idea why they do it for 64bit binaries? It seems
complete nonsense there. They can achieve the same e.g. by simply designing a
right memory map, for example:
0 nothing
16GB binary
data
heap
|
v
...
^
|
stack (ie. all stack addresses look like 0x000007XXXXXXXXXX)
8TB memory hole
-8TB mmap area (ie. first 4GB of shared libs have addresses
| like 0xfffff800XXXXXXXX)
v
...
end_of_memory
Like that, a buffer overflow will very unlikely succeed to execute any code
on the stack (as i7 would have to include two zeros initially (we're big
endian :)), and as libraries will be mmaped from -8TB onwards, I'm sure the
most common will have addresses like 0xfffff800XXXXXXXX, so even there, one
won't be able to fully control the low 32bits of the return call address).
Not counting that the cracker, unless he'll make changes to frame 7
functions up in the call trace, must ensure the task gets an irq or syscall
just before filling the buffer with the attack string.
So, I'm not telling an overflow attack is impossible in such a memory
configuration, but I think it is totally equal in the amount of difficulty
for a cracker to write a successful buffer overflow attack.
Of course, 32bit binaries are much weaker in this respect.
Cheers,
Jakub
___________________________________________________________________
Jakub Jelinek | jj@sunsite.mff.cuni.cz | http://sunsite.mff.cuni.cz
Administrator of SunSITE Czech Republic, MFF, Charles University
___________________________________________________________________
Ultralinux - first 64bit OS to take full power of the UltraSparc
Linux version 2.1.114 on a sparc64 machine (498.80 BogoMips).
___________________________________________________________________
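Added example, not code from Jakub's message or from Ultralinux: a small C model of the point the memory map above relies on, namely that a C-string copy (strcpy-style) stops at the first NUL byte, so a saved return address can only be fully replaced by such a copy if none of its stored bytes is zero. The helper names (strcpy_delivers, fully_writable_by_strcpy, after_strcpy_overwrite) and the sample addresses (one in the 0x000007XXXXXXXXXX stack region, one in the 0xfffff800XXXXXXXX library region) are constructed for illustration; the byte order is a parameter so the same check can be run for a little-endian layout as well.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte-order selector: sparc64 (the message's platform) is big endian. */
enum { BE_ORDER = 1, LE_ORDER = 0 };

/* Lay out a 64-bit value as the 8 bytes a machine of the given order stores. */
static void encode(uint64_t v, int big_endian, unsigned char out[8]) {
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        out[i] = (unsigned char)(v >> shift);
    }
}

/* Inverse of encode(). */
static uint64_t decode(const unsigned char in[8], int big_endian) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        v |= (uint64_t)in[i] << shift;
    }
    return v;
}

/* Number of bytes (0..8) of the stored value that a string copy delivers
   before the first NUL byte terminates it. */
int strcpy_delivers(uint64_t v, int big_endian) {
    unsigned char enc[8];
    encode(v, big_endian, enc);
    int n = 0;
    while (n < 8 && enc[n] != 0)
        n++;
    return n;
}

/* 1 only if all 8 stored bytes are non-zero, i.e. a string copy could
   place the whole value; 0 for every address in the proposed map's
   stack and first-4GB-of-libraries regions. */
int fully_writable_by_strcpy(uint64_t v, int big_endian) {
    return strcpy_delivers(v, big_endian) == 8;
}

/* Contents of a saved 64-bit slot after a string copy tried to place
   `attempted` over `original`: the leading non-NUL bytes land, then the
   copy's own terminating NUL, and the remaining bytes keep their old value. */
uint64_t after_strcpy_overwrite(uint64_t original, uint64_t attempted,
                                int big_endian) {
    unsigned char slot[8], src[8];
    encode(original, big_endian, slot);
    encode(attempted, big_endian, src);
    int n = strcpy_delivers(attempted, big_endian);
    for (int i = 0; i < n; i++)
        slot[i] = src[i];
    if (n < 8)
        slot[n] = 0; /* strcpy's terminating NUL */
    return decode(slot, big_endian);
}

int main(void) {
    /* Constructed sample addresses inside the regions of the proposed map. */
    uint64_t stack_addr = 0x00000700deadbeefULL; /* 0x000007XXXXXXXXXX */
    uint64_t lib_addr   = 0xfffff80011223344ULL; /* 0xfffff800XXXXXXXX */
    uint64_t orig_ret   = 0x00000700cafe0000ULL; /* value already in the slot */

    printf("big-endian stack address:    %d of 8 bytes deliverable\n",
           strcpy_delivers(stack_addr, BE_ORDER));
    printf("big-endian library address:  %d of 8 bytes deliverable\n",
           strcpy_delivers(lib_addr, BE_ORDER));
    printf("little-endian stack address: %d of 8 bytes deliverable\n",
           strcpy_delivers(stack_addr, LE_ORDER));
    printf("slot after attempted library overwrite: 0x%016llx\n",
           (unsigned long long)after_strcpy_overwrite(orig_ret, lib_addr,
                                                      BE_ORDER));
    return 0;
}
```

On the big-endian layout the stack address delivers zero bytes (its two leading zero bytes are stored first), and the library address delivers only its three leading bytes before the 0x00 in 0xfffff800 stops the copy, which is exactly why the low 32 bits of the slot stay out of the copy's reach; on a little-endian layout the same stack address delivers its four low bytes first, showing how much of the protection comes from the byte order.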