From: Boszormenyi Zoltan <zboszor@freemail.hu>
To: Ingo Molnar <mingo@elte.hu>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
	Gabor MICSKO <gmicsko@szintezis.hu>
Subject: Re: [patch] exec-shield-2.6.0-test6-G3
Date: Thu, 09 Oct 2003 13:52:51 +0200
Message-ID: <3F854C13.3010902@freemail.hu>
In-Reply-To: <Pine.LNX.4.56.0309301655330.9692@localhost.localdomain>

Hi, Ingo, Gabor,

I tried exec-shield-2.6.0-test6-G3 on 2.6.0-test7 patched with
http://www.kernel.org/pub/linux/kernel/v2.6/testing/cset/cset-20031009_0504.txt.gz
(up to cset-1.1320); it patched with some fuzz and offset differences.

I got the following exploit differences with libsafe and paxtest:

libsafe-2.0-16:
[zozo@catv-50624ad9 exploits]$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
If you see this statement, it means that the buffer
overflow never occurred.

Should I worry about it?

paxtest-0.9.1:
[zozo@catv-50624ad9 paxtest-0.9.1]$ ./paxtest
It may take a while for the tests to complete
Test results:
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 16 bits (guessed) *
Heap randomisation test (ET_EXEC)        : 13 bits (guessed) * these 3 are varying
Heap randomisation test (ET_DYN)         : 13 bits (guessed) *
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 12 bits (guessed)
Shared library randomisation test        : No randomisation  *** this changed ***
Stack randomisation test (SEGMEXEC)      : 17 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 17 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

$ uname -a
Linux catv-50624ad9.szolcatv.broadband.hu 2.6.0-test7-exec-shield-nptl #2 SMP Thu Oct 9 10:39:04 CEST 2003 i686 i686 i386 GNU/Linux
$ cat /proc/sys/kernel/exec-shield
2
$ cat /proc/sys/kernel/exec-shield-randomize
1

The system is an almost up-to-date "fedora core".
$ rpm -q glibc gcc gcc32 binutils
glibc-2.3.2-98
gcc-3.3.1-6
gcc32-3.2.3-6
binutils-2.14.90.0.6-3

Gabor MICSKO wrote:

> 
> Hi!
> 
> I've made a port of Ingo's last exec-shield patch. This is my second
> patch, so please test this one carefully.
> 
> Against vanilla 2.6.0-test6:
> http://www.hup.hu/old/stuff/kernel/exec-shield/exec-shield-2.6.0-test6-G3
> 
> 
> Comments, feedbacks welcome.

-- 
Best regards,
Zoltán Böszörményi

---------------------
What did Hussein say about his knife?
One in Bush worth two in the hand.
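The paxtest rows quoted in the mail report whether a small piece of code placed in an anonymous mapping could be executed, once with the page mapped executable up front and once with PROT_EXEC requested afterwards through mprotect() (the "(mprotect)" rows, which are the ones that came out "Vulnerable" here). The following C program is an added example, written for this page; it is not paxtest's own source and not code from the mail. It reproduces that probe in a simplified form: it maps a page, stores a single `ret` instruction in it, and calls it from a forked child, so the parent can report "Killed" (the child died by a signal), "Vulnerable" (the instruction ran, which is what paxtest prints in that case), or that the kernel refused to make the page executable at all. The names `probe_exec_mapping` and `probe_label` and the result enum are assumptions of this example; the `ret` encodings are given only for x86 and AArch64, and any other CPU reports "Unsupported".

```c
/*
 * Added example (not paxtest's source, not from the mail): a minimal
 * "can an anonymous mapping be executed?" probe in the spirit of the
 * paxtest "Executable anonymous mapping" and "... (mprotect)" rows.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

enum probe_result {
    PROBE_DENIED,      /* mmap()/mprotect() refused to make the page executable */
    PROBE_KILLED,      /* the child died by a signal: execution was stopped */
    PROBE_EXECUTED,    /* the instruction ran: paxtest calls this "Vulnerable" */
    PROBE_UNSUPPORTED  /* no `ret` encoding for this CPU, or fork() failed */
};

/* A bare `ret` for the CPUs this example knows about (assumption: x86/AArch64 only). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xc3 };                   /* ret */
#define HAVE_RET_INSN 1
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#define HAVE_RET_INSN 1
#else
static const unsigned char ret_insn[] = { 0 };
#define HAVE_RET_INSN 0
#endif

/* paxtest-style label for a result. */
const char *probe_label(enum probe_result r)
{
    switch (r) {
    case PROBE_DENIED:   return "Denied (PROT_EXEC refused)";
    case PROBE_KILLED:   return "Killed";
    case PROBE_EXECUTED: return "Vulnerable";
    default:             return "Unsupported";
    }
}

/*
 * use_mprotect == 0: map the page PROT_READ|PROT_WRITE|PROT_EXEC directly.
 * use_mprotect == 1: map it read/write, write the instruction, then ask
 *                    mprotect() to turn it into a read/execute page.
 * The call itself happens in a forked child so a blocked execution only
 * kills the child and the parent can classify what happened.
 */
enum probe_result probe_exec_mapping(int use_mprotect)
{
    if (!HAVE_RET_INSN)
        return PROBE_UNSUPPORTED;

    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    int prot = use_mprotect ? (PROT_READ | PROT_WRITE)
                            : (PROT_READ | PROT_WRITE | PROT_EXEC);
    void *page = mmap(NULL, pagesize, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return PROBE_DENIED;

    memcpy(page, ret_insn, sizeof ret_insn);
    if (use_mprotect && mprotect(page, pagesize, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesize);
        return PROBE_DENIED;
    }
    /* Needed on AArch64 so the freshly written bytes are seen as instructions. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);

    pid_t pid = fork();
    if (pid < 0) {
        munmap(page, pagesize);
        return PROBE_UNSUPPORTED;
    }
    if (pid == 0) {
        void (*fn)(void) = (void (*)(void))(uintptr_t)page;
        fn();       /* dies here if the page is not executable */
        _exit(0);   /* returned: the mapping was executable */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    munmap(page, pagesize);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PROBE_EXECUTED;
    return PROBE_KILLED;
}

int main(void)
{
    printf("Executable anonymous mapping             : %s\n",
           probe_label(probe_exec_mapping(0)));
    printf("Executable anonymous mapping (mprotect)  : %s\n",
           probe_label(probe_exec_mapping(1)));
    return 0;
}
```

On a kernel without exec-shield or PaX both rows print "Vulnerable"; a kernel or LSM policy that refuses executable anonymous memory shows up as "Denied" rather than "Killed", which is worth distinguishing when comparing against paxtest output like the table above.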


Thread overview: 12+ messages
2003-09-29  9:11 [patch] exec-shield-2.6.0-test6-G3 Boszormenyi Zoltan
2003-09-29  9:23 ` Ingo Molnar
2003-09-30 14:57 ` Ingo Molnar
2003-10-09 11:52   ` Boszormenyi Zoltan [this message]
2003-10-09 12:23     ` Arjan van de Ven
2003-10-11  7:51       ` Ingo Molnar
2003-10-11  8:04     ` Ingo Molnar
  -- strict thread matches above, loose matches on Subject: below --
2003-09-29  9:45 Boszormenyi Zoltan
2003-09-29  9:49 ` Ingo Molnar
2003-09-29 10:24   ` Boszormenyi Zoltan
2003-09-28 14:57 Gabor MICSKO
2003-09-28 16:01 ` Ingo Molnar