Subject: Re: Code on stack (Re: exploit with memcpy())
To: Ignatios Souvatzis <ignatios@tarski.cs.uni-bonn.de>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: tech-userlevel
Date: 07/04/2002 09:31:50
On Thu, Jul 04, 2002 at 10:54:04AM +0200, Ignatios Souvatzis wrote:

 > The procedure that seems appropriate is to have some flag in the executable
 > that tells the exec() call to turn stack executability on. The toolchain would
 > create it, if necessary. (If the sysadmin hasn't {switched off, compiled out of
 > the kernel} support of this.)

You don't even need to do this.

The compiler emits code to sync the I-cache after the trampoline is spit
out onto the stack.

We could change the "sync the I-cache" code to also make a call to
mprotect(..., PROT_READ|PROT_WRITE|PROT_EXEC).

Then, when the pmap is invoked to make the protection change, it could
enable execution on the stack if the page being marked for execution is
a stack page.

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>
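An added example (not code from the mailing-list post or from NetBSD) of the mechanics the message describes: rounding the address of a freshly written trampoline out to whole pages and asking the kernel for PROT_READ|PROT_WRITE|PROT_EXEC on them via mprotect(2). It assumes a POSIX system with mprotect(2) and mmap(2), and it exercises an anonymous mapping rather than the real stack so it runs regardless of how the host configures stack executability. The request_rx function goes beyond the message: it shows the write-first, then read+execute order that a W^X policy accepts, which is the caveat a practitioner would want next to the RWX proposal. The page_span helper, function names and the marker byte are my own constructions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* mprotect() operates on whole pages, so a trampoline of `len` bytes at
 * `addr` may straddle a page boundary. Round the range outward, report the
 * page-aligned start through *start (if non-NULL) and return the page count. */
size_t page_span(uintptr_t addr, size_t len, size_t pagesz, uintptr_t *start)
{
    uintptr_t mask  = ~(uintptr_t)(pagesz - 1);
    uintptr_t first = addr & mask;
    uintptr_t last  = (addr + len + pagesz - 1) & mask;
    if (start != NULL)
        *start = first;
    return (size_t)((last - first) / pagesz);
}

/* The change the post sketches: after the trampoline has been written,
 * widen the protection of the pages holding it to read/write/execute.
 * Returns 0 on success, or -1 with errno set when the kernel refuses
 * (typically EACCES or ENOMEM under a W^X policy). */
int request_rwx(void *p, size_t len)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t start;
    size_t npages = page_span((uintptr_t)p, len, pagesz, &start);
    return mprotect((void *)start, npages * pagesz,
                    PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* W^X-friendly variant (my addition, not part of the post): the code has
 * already been written, so drop W at the same moment X is granted. */
int request_rx(void *p, size_t len)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t start;
    size_t npages = page_span((uintptr_t)p, len, pagesz, &start);
    return mprotect((void *)start, npages * pagesz, PROT_READ | PROT_EXEC);
}

/* Self-contained demonstration on an anonymous mapping rather than the
 * real stack: store a constructed marker byte while the page is RW, then
 * flip it to RX with request_rx(). Returns 0 if the flip was accepted and
 * the byte is still readable afterwards, -1 otherwise. Nothing is executed. */
int demo_rx_flip(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    page[0] = 0xAA;                       /* constructed marker, not code */
    int rc = request_rx(page, 1);
    int ok = (rc == 0 && page[0] == 0xAA) ? 0 : -1;
    munmap(page, pagesz);
    return ok;
}

int main(void)
{
    uintptr_t start;
    size_t n = page_span(0x1ff0, 32, 4096, &start);
    printf("32 bytes at 0x1ff0 span %zu page(s) starting at 0x%lx\n",
           n, (unsigned long)start);
    if (demo_rx_flip() == 0)
        printf("RW -> RX flip accepted by the kernel\n");
    else
        printf("RW -> RX flip refused: %s\n", strerror(errno));
    return 0;
}
```

Build with `cc -o tramp tramp.c` and run it. Both request_* functions return mprotect(2)'s own result, so a caller can fall back gracefully; on a system enforcing W^X it is the request_rwx path that gets refused, which is why the write-then-RX ordering is the one to prefer when the code being written is under the program's control.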