On Thu, 7 Nov 2002, Linas Vepstas wrote:

> On Wed, Nov 06, 2002 at 10:14:34AM +0800, John Summerfield was heard to remark:
> > On Wed, 6 Nov 2002 04:39, you wrote:
> > > x86 alas doesn't support page level "no execute". Other platforms do and
> > > can run with nonexec stacks. People still exploit them. The libraries
> > > are mostly mapped read only on Linux, people don't need to modify them.
> > > You put arguments on the stack, and corrupt the return code to call the
> > > right C library function.
> >
> > In IA32, you cannot execute stack-segment code.
> >
> > Because of the way Linux (and other OSes) are designed, with a single address
> > space per process, the stack segment and code segment are the same storage,
> > and that's how you get to put executable code on the stack and have it
> > execute.
>
> I don't know ia32.  You don't need to put code into the stack.  You
> only need to modify the return address, and have a subroutine
> return to a different location.  To modify the return address, you only
> need write access to the stack, you don't need execute permissions.

On IA32, if it's not in the code segment, you can't execute it.

The code segment _can_ be ro, so presumably a return to arbitrary code can be
prevented.


--


Cheers
John.

Please, no off-list mail. You will fall foul of my spam treatment.
Join the "Linux Support by Small Businesses" list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb
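The thread above turns on two distinct properties: whether the stack is mapped executable, and whether a corrupted return address can redirect control into code that is already mapped (the C library). The first property is the one a defender can actually check on a binary. The script below is an added example, not code from the thread or from any of its participants: it parses the ELF64 program headers and reports whether the binary asks for an executable stack via the `PT_GNU_STACK` header that GNU toolchains emit (the header type value `0x6474e551` and the `PF_X` flag are standard ELF/GNU definitions; the sample image it builds is constructed test data, and `build_sample_elf64`, `stack_executable` and `check_file` are names chosen here). As Linas points out in the thread, a non-executable stack does not stop the return-address overwrite itself; the check only tells you whether one of the mitigations the discussion mentions is in place.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # GNU program-header type carrying stack permissions
PF_X = 0x1                  # execute bit in p_flags


def build_sample_elf64(stack_flags):
    """Construct a minimal ELF64 image with one PT_GNU_STACK header.

    Constructed test data only; it is not a loadable binary.
    """
    ehdr_size = 64
    phentsize = 56
    phnum = 1
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, padding
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,          # e_type: ET_EXEC
        0x3E,       # e_machine: EM_X86_64
        1,          # e_version
        0,          # e_entry
        ehdr_size,  # e_phoff: program headers follow the ELF header directly
        0,          # e_shoff
        0,          # e_flags
        ehdr_size,  # e_ehsize
        phentsize,  # e_phentsize
        phnum,      # e_phnum
        0, 0, 0,    # e_shentsize, e_shnum, e_shstrndx
    )
    # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def stack_executable(elf_bytes):
    """Return True if the stack is marked executable, False if marked
    non-executable, or None if no PT_GNU_STACK header exists (in which
    case the loader applies its own default)."""
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, = struct.unpack_from("<Q", elf_bytes, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf_bytes, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf_bytes, off)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def check_file(path):
    """Read a binary from disk and describe its stack-permission request."""
    with open(path, "rb") as f:
        data = f.read()
    result = stack_executable(data)
    if result is None:
        return "no PT_GNU_STACK header (loader default applies)"
    return "executable stack requested" if result else "non-executable stack"


if __name__ == "__main__":
    # With no argument, exercise the parser on the constructed images.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {check_file(p)}")
    else:
        print("RW  sample:", stack_executable(build_sample_elf64(0x6)))  # False
        print("RWX sample:", stack_executable(build_sample_elf64(0x7)))  # True
```

Run it against a real binary (`python3 check_stack.py /path/to/binary`) to see which of the two cases a given build falls into; the `readelf -l` "GNU_STACK" line gives the same information by hand.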
