> [...] Some buffer
> overflows are still exploitable, by making the program put the shellcode
> somewhere else in its memory space, not on the stack, and overwriting the
> return address to point to that area. [...]
would it be a good idea to strip off the highest bit in env[] and args[]
when exec()-ing? This makes it quite hard to pass shellcode to the
process? We can get this bit cutoff very cheap by trivially modifying
copy_strings() in exec.c. [hm, this breaks 8-bit character sets?]
for the BSS/malloc() things we could theoretically get the kernel to put
executable mmap()-ed areas into the 0-1G range, and the rest into the
1G-2G range. [whee, reinventing segmented memory ...]. As most if not all
code is independent of what type of area mmap() gives us, this seems to be
doable via ext2fs attributes. Then USER_CS would be in the 0-1G range.
but the Right Thing would be if Intel fixed their page protection bits to
honor exec permissions actually ...
-- mingo