On Tue, Jan 24, 2006 at 06:08:00PM +0200, ramrunner wrote:
> after reading *once more* after opencon the expl-mitigation slides, I
> failed to understand how openbsd handles the __atexit global symbol.
> if I am not mistaken it needs to be on wx mem.

It's a linked list of pages containing pointers to functions (which are
called on exit). None of these pages are ever executable (as they never
contain any code), so the point is not executability. The point is that
a page is only readable (not writable) outside of the atexit() function
itself. So naive shell-code will segfault when it tries to modify the
list (with the intention of getting a function pointer in there to be
executed on exit). It would have to mprotect() the page writable first
(like atexit() itself does), or have __atexit point to somewhere else
entirely (which presumably needs more instructions and/or makes it more
difficult to write).

It's not uncircumventable; the idea is that the author of the shell-code
has to spend more time adjusting his code than it took us to adjust
atexit.c

	Daniel
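A small C model of the mechanism Daniel describes, added here as an illustration; it is not OpenBSD's atexit.c, and the names `table`, `my_atexit`, `naive_write_faults` and `demo` are invented for the example. A page holding only function pointers is mapped, then kept PROT_READ except inside the registration routine, which toggles it writable with mprotect() and back again. The "naive shell-code" write goes straight at the read-only page and faults (caught with a SIGSEGV handler and siglongjmp so the process survives), while the legitimate path succeeds. The exit handlers run in reverse registration order, as atexit(3) does. Assumes a POSIX system where mprotect() and anonymous mmap() are available and a write to a PROT_READ page raises SIGSEGV (or SIGBUS).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE     /* MAP_ANONYMOUS, sigaction, siglongjmp */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef void (*exit_fn)(void);
#define MAX_FNS 64

/* One page holding only a table of function pointers: no code lives here,
 * so it is never executable. The property of interest is that it is
 * read-only whenever registration is not in progress.
 * (Hypothetical stand-in for OpenBSD's __atexit list, not its layout.) */
static struct atexit_page {
    size_t count;
    exit_fn fns[MAX_FNS];
} *table;
static size_t pagesz;

static int table_init(void)
{
    pagesz = (size_t)sysconf(_SC_PAGESIZE);
    table = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (table == MAP_FAILED)
        return -1;
    table->count = 0;
    return mprotect(table, pagesz, PROT_READ);   /* lock it: read-only */
}

/* Legitimate path, as atexit() itself does it: make the page writable,
 * append the pointer, lock it again. */
static int my_atexit(exit_fn fn)
{
    if (table->count >= MAX_FNS)
        return -1;
    if (mprotect(table, pagesz, PROT_READ | PROT_WRITE) != 0)
        return -1;
    table->fns[table->count++] = fn;
    return mprotect(table, pagesz, PROT_READ);
}

/* Naive shell-code simulation: store a pointer into the table without
 * re-enabling writes. Returns 1 if the store faulted, 0 if it landed. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

static int naive_write_faults(exit_fn fn)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile exit_fn *slot = &table->fns[table->count];
        *slot = fn;                 /* page is PROT_READ: this faults */
    } else {
        faulted = 1;                /* handler brought us back here */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Two hooks that record the order in which they were called. */
static int calls[MAX_FNS];
static size_t ncalls;
static void hook_a(void) { calls[ncalls++] = 1; }
static void hook_b(void) { calls[ncalls++] = 2; }

static void run_exit_handlers(void)
{
    for (size_t i = table->count; i > 0; i--)   /* reverse order, like atexit(3) */
        table->fns[i - 1]();
}

/* Whole demonstration; returns 0 only if the mitigation behaved as described. */
int demo(void)
{
    ncalls = 0;
    if (table_init() != 0)                                return 1;
    if (my_atexit(hook_a) != 0 || my_atexit(hook_b) != 0) return 2;
    if (!naive_write_faults(hook_a))                      return 3; /* write landed: no protection */
    if (table->count != 2)                                return 4; /* table untouched by the fault */
    run_exit_handlers();
    if (ncalls != 2 || calls[0] != 2 || calls[1] != 1)    return 5;
    munmap(table, pagesz);
    table = NULL;
    return 0;
}

int main(void)
{
    int rc = demo();
    if (rc == 0)
        puts("naive write faulted; mprotect()+write path registered and ran both hooks");
    else
        printf("demo failed at step %d\n", rc);
    return rc;
}
```

The step that makes this a mitigation rather than a wall is visible in `my_atexit`: anything that can call mprotect() on the page (or, as the mail notes, repoint the list head elsewhere) gets past it, so the cost imposed on shell-code is a few extra instructions, not impossibility.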