Comment 1 for bug 139592

Hopefully the future "pointer encryption" routines in libc will help head this off as well. Patches are welcome, though I suspect, as you say, there are many more things beyond just "/bin/sh" in the libc code, including possible register build-up chaining[1], which would be nearly impossible to stop without lots of work.

[1] http://www.suse.de/~krahmer/no-nx.pdf