Greetings.

There is such a thing as a buffer overflow: we overwrite the return address on the stack with some other address, which contains the instructions we want to execute. Most likely that address belongs to the stack segment (or to the heap). Why does the processor, when EIP points to an address that is not in the code segment, not panic and raise a segmentation fault? Is this not tracked by flags in the segment descriptor?

Wikipedia says that there is no such protection, but then a reasonable question arises: why?

  • Because. All this is an additional complication and an increase in the cost of the processor and the OS (and a reduction in speed). Who needs it? Don't write such programs. Or write for processors with a Harvard architecture; there it is simply impossible. - alexlz
  • Good question. We must of course clarify that we are talking about x86 and not a flat memory model. IMHO (but I may be very wrong) Linux uses memory protection with access attributes (rwx) in the MMU page table. Such a jump should cause an error there if trace mode is not enabled. Usually the stack is “spoiled” by emulating a call (actually a return to the entry point) of an existing function with the necessary parameters. - avp
  • I am just now reading ozon.ru/context/detail/id/4833854 and I cannot even launch the first “training” exploit, because every time the stack base is in a random place =( Can anyone tell me what to do about it? :) - Tim Rudnevsky
  • And what is the first "training" exploit? Or do you first need to find the book, read it, and only then answer? Then wait for someone to read that tome and bother to answer. And also about "stack smashing": by the end of the 90s, evil programmers carried out an act of sabotage - they significantly limited the capabilities of such exploits. In particular, in network programs all kinds of strcat, strcpy and other strlen were eliminated as a class. - alexlz
  • Oh, I see. There is a flying carpet, but the moths have eaten it. - alexlz

1 answer

Regarding the discussion that has developed in the comments (about the random placement of the stack in memory), you can read about Address Space Layout Randomization. Regarding the possibility or impossibility of executing memory, it was interesting for me to read about PaX. I accidentally stumbled upon a Kaspersky article, "Buffer overflow on systems with non-executable stack"; now I know a lot of buzzwords :)
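An added example, not from the question or the answer above, that shows avp's point from the comments in working code: executability is a per-page attribute in the page table, not something the code segment descriptor checks, so the same bytes fault when called from a read/write page and run once mprotect() has added PROT_EXEC. It assumes Linux with glibc on x86 (the sample bytes are x86 machine code constructed for this demo) and treats a refused mprotect() as the PaX MPROTECT case the answer links to.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample code for the demo: mov eax, 42 ; ret (valid on i386 and x86-64). */
static const unsigned char RET42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { siglongjmp(fault_jmp, sig); }
/* Calls fn with SIGSEGV and SIGILL trapped. Returns 1 if fn faulted,
 * 0 if it returned normally (its result is then stored in *out). */
static int call_trapped(int (*fn)(void), int *out) {
    struct sigaction sa, old_segv, old_ill;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;   /* the handler longjmps out; keep the signal unblocked */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    if (sigsetjmp(fault_jmp, 1) == 0) *out = fn(); else faulted = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return faulted;
}
/* Copies RET42 into a fresh read/write page and calls it, first as-is and then after
 * mprotect() has made it executable. Returns 1 if the RW call faulted and the RX call
 * returned 42 (NX enforced per page); 0 if the RW call ran (no NX on this system);
 * -1 if mprotect(PROT_EXEC) was refused (e.g. PaX MPROTECT) after the RW call faulted;
 * -2 on a non-x86 build (sample bytes never executed); -3 on mmap or result failure. */
int nx_demo(void) {
#if defined(__x86_64__) || defined(__i386__)
    long page = sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -3;
    memcpy(mem, RET42, sizeof RET42);
    int (*fn)(void); memcpy(&fn, &mem, sizeof fn);   /* treat the data page as a code pointer */
    int out = 0, result;
    if (!call_trapped(fn, &out)) result = 0;
    else if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) result = -1;
    else result = (!call_trapped(fn, &out) && out == 42) ? 1 : -3;
    munmap(mem, page);
    return result;
#else
    return -2;
#endif
}
```

Call nx_demo() from main(): 1 is the modern default (NX plus page-level permissions), while 0 is exactly the situation the question describes on hardware or kernels without NX, where the jump into data succeeds with no fault at all.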