cvs commit: src/contrib/gcc protector.c protector.h Makefile.in calls.c combine.c cse.c explow.c expr.c flags.h function.c gcse.c integrate.c libgcc2.c loop.c optabs.c reload1.c toplev.c src/gnu/usr.bin/cc/cc_int Makefile

David Rhodus drhodus at catpa.com
Thu Dec 11 06:55:21 PST 2003


Craig Dooley wrote:

Yes, you can still put stuff on the heap and jump there, and you can
still smash the stack if you're lucky.  OpenBSD W^X just plays games
with Intel segmentation, but can still be used to do weird things, such
as change the stack, and the return address to libc exec if you could
figure it out.  AMD64 has non-executable page protections, and this
should help, but a canary still provided more protection than nothing.
-Craig
 

One thing that comes to mind is a lot of the games that have been ported to Unix will jump and execute functions for entering the registration keys for the software on the stack and other weird things that OpenBSD's W^X breaks.

People have been running different types of non-exec stack/heaps for years now and about every six months a paper is released on how to bypass the protection. I personally think spending much time trying to "protect" the ia32 platform is meaningless, until registers are added to the chip to mark pages as non-executable.

-DR
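The canary point Craig raises (a guard word between a local buffer and the saved return address, checked in the epilogue) is worth seeing in miniature. The block below is an added illustration, not code from the protector.c commit: it models a single ProPolice-style frame as a byte array with constructed offsets and a constructed fixed guard value, and shows that an unchecked copy which overruns the buffer cannot reach the return slot without first changing the guard, which the epilogue check then detects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout modelled after the ProPolice idea: the buffer sits
 * lowest, the guard word directly above it, the saved return address above
 * that. Any overrun that grows upward from the buffer must cross the guard
 * before it can touch the return slot. */
#define BUF_SIZE   16
#define GUARD_OFF  BUF_SIZE
#define RET_OFF    (BUF_SIZE + sizeof(uint64_t))
#define FRAME_SIZE (RET_OFF + sizeof(uint64_t))

/* Constructed fixed guard; a real implementation draws it randomly per process. */
static const uint64_t GUARD = 0x5a3c9e1d7b2f4680ULL;

/* Copies `len` bytes of `input` into the buffer without a bounds check (the
 * defect the guard exists to catch), then performs the epilogue check.
 * Returns 1 if the guard is intact, 0 if the copy clobbered it. */
int frame_copy_is_intact(const char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t guard_now;

    memcpy(frame + GUARD_OFF, &GUARD, sizeof GUARD);   /* prologue: plant guard */
    if (len > FRAME_SIZE)                               /* keep the model in bounds */
        len = FRAME_SIZE;
    memcpy(frame, input, len);                          /* unchecked copy */
    memcpy(&guard_now, frame + GUARD_OFF, sizeof guard_now);
    return guard_now == GUARD;                          /* epilogue: verify guard */
}

/* Input that fits the buffer leaves the guard untouched. */
int normal_input_passes(void)
{
    return frame_copy_is_intact("registration-key", 16);
}

/* Constructed oversized input (24 bytes) runs past the buffer into the guard. */
int oversized_input_detected(void)
{
    char big[24];
    memset(big, 'A', sizeof big);
    return !frame_copy_is_intact(big, sizeof big);
}

int main(void)
{
    printf("normal input: %s\n", normal_input_passes() ? "guard intact" : "guard clobbered");
    printf("oversized input: %s\n", oversized_input_detected() ? "overrun detected" : "missed");
    return 0;
}
```

The check fires whether or not the page holding the frame is executable, which is why a canary adds detection on ia32 where no non-executable page bit is available.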





