Re: WordPad/riched20.dll buffer overflow

From: Christopher Rhodes (chrisrat_private)
Date: Fri Nov 26 1999 - 13:06:26 PST


    The 386 and up supports no-exec, but only on differing segments.  Most OS
    systems aren't properly implemented on the 386+ architecture.  The 386+
    supports read-only pages in the paging architecture, but to separate
    executable code from stack and data, you have to point the segment
    registers at differing memory areas.  If they overlap, which simplifies
    memory management, then the code, data and stack are all shared.  An
    entire segment, according to the Intel documentation, can be set aside as
    non-executable.
    
    I think one of the major problems with the Linux implementation, and
    apparently Windows too, is that no one pays attention to the added security
    provided by segmentation (at least to the point of putting the stack on a
    different segment?)  I've not delved into that portion of the Linux
    source, but maybe I will someday if I have some free time.  (I got my info
    from a copy of Intel's Pentium family processor architecture and
    programming manual.)
    
    (I'm talking about the code and data bits in the segment registers.)
    
    Chris Rhodes
    
    -------------------------------------------------------------------------
    "Note:  The information contained in this message and any attachments to
    it may be privileged and confidential.  If the reader of this message is
    not the intended recipient or the recipient's appointed agent, you are
    hereby notified that any dissemination, distribution or copying of this
    communication is strictly prohibited.  If you have received this
    communication in error, please notify us immediately by replying to the
    message and deleting it from your computer."
    -------------------------------------------------------------------------
    
    On Fri, 26 Nov 1999 pedwardat_private wrote:
    
    > I seem to recall a Linux kernel guru explaining that the x86 MMU doesn't actually
    > support non-exec pages, or some such.  It doesn't support it, or it just doesn't
    > work right.  I remember bringing up the issue of noexec and that was the answer.
    >
    > --Perry
    >
    > >     Ok, here it is, on page 58, it's talking about Access Control of virtual
    > > pages, and it says, literally if a page can be read, it can be executed. I
    > > remember that this took my attention for some days, then I forgot about it, until
    > > you mentioned it.
    > >
    > >     richie
    >
    > --
    > Perry Harrington                 Director of                   zelur xuniL  ()
    > perryat_private             System Architecture               Think Blue.  /\
    >
    
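The segment-register separation Chris describes above, as an added example that is not part of the thread: a small C model of 32-bit code/data descriptors (byte-granular limits, with granularity, privilege levels and paging left out; all values are constructed) showing that when CS spans the same linear range as the stack, the stack bytes are fetchable as instructions, while a CS limited to the text area leaves them non-executable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified 32-bit code/data segment descriptor. Only the fields this
 * example needs: base, byte-granular limit, and the access byte
 * (bit 4 S=1 code/data, bit 3 E=1 code, bit 1 RW). Constructed model,
 * not a real GDT entry: granularity, DPL and paging are ignored. */
typedef struct {
    uint32_t base;
    uint32_t limit;   /* last valid offset, inclusive */
    uint8_t  access;
} segdesc_t;

static segdesc_t make_seg(uint32_t base, uint32_t limit, bool code, bool rw) {
    segdesc_t d = { base, limit, 0x90 };   /* P=1, DPL=0, S=1 */
    if (code) d.access |= 0x08;            /* E bit: instruction fetch allowed */
    if (rw)   d.access |= 0x02;            /* readable (code) / writable (data) */
    return d;
}

static bool seg_is_code(segdesc_t d) {
    return (d.access & 0x18) == 0x18;      /* S=1 and E=1 */
}

/* True when [lo, hi] lies entirely inside the segment's linear range. */
static bool seg_covers(segdesc_t d, uint32_t lo, uint32_t hi) {
    uint64_t end = (uint64_t)d.base + d.limit;
    return lo >= d.base && hi <= end;
}

/* Stack bytes can only be fetched as instructions through CS: the CPU
 * faults on a fetch through a descriptor with E clear, so executability
 * of the stack reduces to "does the code segment overlap it?". */
bool stack_executable(segdesc_t cs, uint32_t stack_lo, uint32_t stack_hi) {
    return seg_is_code(cs) && seg_covers(cs, stack_lo, stack_hi);
}

int main(void) {
    uint32_t lo = 0xBFFF0000u, hi = 0xBFFFFFFFu;   /* constructed stack range */
    /* Flat model: CS spans the whole 4 GB, as the thread says Linux and
     * Windows do, so it overlaps the stack and the stack is executable. */
    segdesc_t flat_cs = make_seg(0, 0xFFFFFFFFu, true, true);
    /* Split model: CS limited to a 16 MB text area below the stack. */
    segdesc_t split_cs = make_seg(0x08000000u, 0x00FFFFFFu, true, true);
    printf("flat CS : stack executable = %d\n", stack_executable(flat_cs, lo, hi));
    printf("split CS: stack executable = %d\n", stack_executable(split_cs, lo, hi));
    return 0;
}
```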



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:28 PDT