Subject: Re: Code on stack (Re: exploit with memcpy())
To: None <tech-userlevel@netbsd.org>
From: David Laight <david@l8s.co.uk>
List: tech-userlevel
Date: 07/04/2002 17:56:32
> The compiler emits code to sync the I-cache after the trampoline is spit
> out onto the stack.
> 
> We could change the "sync the I-cache" code to also make a call to
> mprotect(..., PROT_READ|PROT_WRITE|PROT_EXEC).
> 
> Then, when the pmap is invoked to make the protection change, it could
> enable execution on the stack if the page being marked for execution is
> a stack page.

ISTM that someone's 'little trick' of generating an on-stack
trampoline has got rather out of control!
The cost of the I-cache sync must surely overwhelm any instruction
count benefit of the trampoline?
Since code is required in libc, it might as well be the stack tidy
code.

Or have I missed something again :-(


	David

-- 
David Laight: david@l8s.co.uk
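The mechanism under discussion, as an added example that is not code from David Laight, the quoted poster or NetBSD: a few bytes standing in for a compiler-generated trampoline are written to a stack buffer, the page(s) holding them are flipped to PROT_READ|PROT_WRITE|PROT_EXEC with mprotect() (the change the quoted proposal would make from the I-cache sync hook), the I-cache is synced, and the code is called. It assumes POSIX mprotect()/sysconf(), the GCC/clang `__builtin___clear_cache` builtin, and an x86 CPU for the constructed `mov $42, %eax; ret` bytes; on other CPUs the demo only exercises the page-range arithmetic. The two helper names are my own. A trampoline that lands near a page boundary straddles two pages, which is why the range is computed rather than assumed to be one page, and on a kernel that refuses an executable stack mprotect() fails and the function reports that instead of crashing later.

```c
/* Added example, not from the mailing-list thread.  Assumes POSIX
 * mprotect()/sysconf() and x86 for the trampoline bytes. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Round [addr, addr+len) out to whole pages, as mprotect() requires.
 * A trampoline that crosses a page boundary yields a two-page span. */
static void tramp_page_range(uintptr_t addr, size_t len, size_t pagesz,
                             uintptr_t *start, size_t *span)
{
    uintptr_t first = addr & ~(pagesz - 1);
    uintptr_t last  = (addr + len - 1) & ~(pagesz - 1);
    *start = first;
    *span  = (last - first) + pagesz;
}

/* What an "I-cache sync" hook that also calls mprotect() would do.
 * Returns 0 on success, -1 with errno set (e.g. EACCES on a kernel
 * that forbids an executable stack). */
static int make_stack_exec(void *tramp, size_t len)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t start;
    size_t span;

    tramp_page_range((uintptr_t)tramp, len, pagesz, &start, &span);
    if (mprotect((void *)start, span, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    /* Code is already written; sync the I-cache afterwards (a no-op on x86,
     * required on CPUs with split, non-coherent caches). */
    __builtin___clear_cache((char *)tramp, (char *)tramp + len);
    return 0;
}

/* Returns 42 if code ran from the stack, -1 if mprotect() failed,
 * -2 on a CPU for which no trampoline bytes are provided here. */
int rwx_stack_demo(void)
{
#if defined(__x86_64__) || defined(__i386__)
    /* Constructed x86 bytes: "mov $42, %eax; ret" stands in for a trampoline. */
    static const unsigned char code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
    unsigned char buf[64];          /* the trampoline's home on the stack */
    int (*fn)(void);

    memcpy(buf, code, sizeof code);
    if (make_stack_exec(buf, sizeof code) != 0)
        return -1;
    fn = (int (*)(void))(uintptr_t)buf;
    return fn();
#else
    return -2;
#endif
}

int main(void)
{
    int r = rwx_stack_demo();

    if (r == -1)
        perror("mprotect");
    printf("rwx_stack_demo() = %d\n", r);
    return r == 42 ? 0 : 1;
}
```

Run it and `rwx_stack_demo() = 42` means the stack page was made executable and code ran from it; `mprotect: Permission denied` means the kernel or its security policy refused, which is exactly the situation the thread's proposal would have to handle in libc or the pmap.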