VM_PROT_EXEC on the stack

Kostik Belousov kostikbel at gmail.com
Sat Jun 14 20:46:50 UTC 2008


On Sat, Jun 14, 2008 at 07:44:12PM +0200, Ed Schouten wrote:
> Hello everyone,
> 
> I'm not a real guru when it comes to low level x86 hardware stuff, but
> some time ago I read somewhere that the NX bit on AMD64 CPUs could be
> used to mark the stack as non-executable, making it impossible to
> execute code on the stack (through buffer overflows).
> 
> When I look at procstat -v's output on FreeBSD/amd64, I see the stack
> has VM_PROT_EXEC. Is there a specific reason for this?

There are at least two issues with marking the stack non-executable.

First, the kernel copies the signal trampoline code fragments to the top
of the stack. This may be worked around by splitting one page off the
stack and marking it executable. Or the code may be moved to libc.

The second issue is that, in principle, the stack may be used by
compiler-generated trampolines. The new GNU toolchain creates the GNU_STACK
phdr that informs ld.so that a non-executable stack is permitted (in fact,
I think that it is the p_flags of the phdr that defines the required protection
for the stack segment mappings). GNU_STACK is created when all linked
relocatable objects contain .note.GNU-stack.
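Since the point above rests on the p_flags of the PT_GNU_STACK phdr, here is an added example (not from this post, nor FreeBSD's or the GNU toolchain's own code) that walks the program headers of a little-endian ELF64 image and reports what its GNU_STACK entry asks for. The images it checks are constructed in-line; the PT_GNU_STACK value 0x6474e551 and the PF_* bits are the standard ELF definitions, and the helper names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u                 /* phdr type emitted by the GNU toolchain */
enum { PF_X = 1, PF_W = 2, PF_R = 4 };           /* p_flags permission bits */
enum { STACK_NO_PHDR = -1, STACK_BAD_ELF = -2 }; /* gnu_stack_flags() status codes */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* p_flags of the PT_GNU_STACK phdr in a little-endian ELF64 image; STACK_NO_PHDR if
 * there is none (the loader then applies its default), STACK_BAD_ELF if malformed. */
int gnu_stack_flags(const uint8_t *img, size_t len)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return STACK_BAD_ELF;                    /* not ELFCLASS64 / ELFDATA2LSB */
    uint32_t phoff = rd32(img + 32), phoff_hi = rd32(img + 36);   /* e_phoff, 64-bit */
    uint16_t phentsize = img[54] | img[55] << 8, phnum = img[56] | img[57] << 8;
    if (phoff_hi || phentsize < 56 || phoff > len || phnum > (len - phoff) / phentsize)
        return STACK_BAD_ELF;                    /* phdr table would run past the image */
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * phentsize;
        if (rd32(ph) == PT_GNU_STACK)            /* p_type at +0, p_flags at +4 */
            return (int)(rd32(ph + 4) & (PF_R | PF_W | PF_X));
    }
    return STACK_NO_PHDR;
}

/* Constructed sample (not a loadable binary): ELF64 file header plus, optionally,
 * one PT_GNU_STACK phdr carrying `flags`. buf must hold 120 bytes. */
size_t make_image(uint8_t *buf, int with_gnu_stack, uint32_t flags)
{
    memset(buf, 0, 120); memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1; buf[32] = 64; buf[54] = 56; /* class, data, version, e_phoff, e_phentsize */
    buf[56] = with_gnu_stack ? 1 : 0;            /* e_phnum */
    for (int i = 0; with_gnu_stack && i < 4; i++) {
        buf[64 + i] = (uint8_t)(PT_GNU_STACK >> (8 * i));   /* p_type, little-endian */
        buf[68 + i] = (uint8_t)(flags >> (8 * i));          /* p_flags */
    }
    return with_gnu_stack ? 120 : 64;
}

/* Build a sample with the given PT_GNU_STACK settings and classify it. */
int flags_of_sample(int with_gnu_stack, uint32_t flags)
{
    uint8_t img[120];
    return gnu_stack_flags(img, make_image(img, with_gnu_stack, flags));
}

int main(void)
{
    printf("RW  GNU_STACK -> %d (non-executable stack permitted)\n", flags_of_sample(1, PF_R | PF_W));
    printf("RWX GNU_STACK -> %d (executable stack requested)\n", flags_of_sample(1, PF_R | PF_W | PF_X));
    return 0;
}
```

On a real binary the same row is what `readelf -l` prints as GNU_STACK; a missing entry is the case where the loader's default decides.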