Subject: Re: ssp and gcc-4.1
To: None <,>
From: gabriel rosenkoetter <>
List: tech-userlevel
Date: 11/08/2006 21:52:15
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 07, 2006 at 10:19:14AM -0800, Jason Thorpe wrote:
> On Nov 7, 2006, at 10:16 AM, Thor Lancelot Simon wrote:
> >As Christos pointed out to me elsewhere, we can't really provide an
> >interface by which alloca() can move the canary and inform the parent,
> >because exploit code could use that interface, too.  :-/
> Uh, even without an interface to do it, exploit code could certainly =20
> move the canary anyway, right?

I think the height of the bar over which the exploit Thor describes
must jump is uniformly lower than the height of the bar over which
the exploit you describe must jump, Jason.

Am I missing something?

(Yes, "height of the bar" is reducible to "degree of obscurity of the
security hole", but still...)

gabriel rosenkoetter

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.2.2 (FreeBSD)