| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87funcqicc.fsf@mid.deneb.enyo.de>
Date: Mon, 31 Oct 2016 23:11:47 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: Daniel Micay <danielmicay@...il.com>
Cc: Jann Horn <jann@...jh.net>, Kees Cook <keescook@...omium.org>,
kernel-hardening@...ts.openwall.com,
Andrew Morton <akpm@...ux-foundation.org>,
Michal Hocko <mhocko@...e.com>, Ingo Molnar <mingo@...nel.org>,
Andy Lutomirski <luto@...nel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [kernel-hardening] Re: [PATCH] fork: make whole stack_canary random
* Daniel Micay:
> On Mon, 2016-10-31 at 22:38 +0100, Florian Weimer wrote:
>> * Daniel Micay:
>>
>> > -fstack-stack is supposed to handle a single guard by default, and
>> > that's all there is for thread stacks by default.
>>
>> Okay, then I'll really have to look at the probing offsets again.
>> It's been on my to-do list since about 2012, and arguably, it *is* a
>> user-space thing.
>
> This is concerning too:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66479
Thanks. This also shows the large stack pointer decrement:
subq $4144, %rsp
orq $0, (%rsp)
I really don't see how this can be safe with just a single guard page.
> It might be prevented for VLAs by using -fsanitize=vla-bound -fsanitize-
> trap=vla-bound but probably not alloca (or the older -fsanitize-
> undefined-trap-on-error for GCC, since for some reason it doesn't seem
> to have the new way).
It's certainly reasonable to expect that this was covered by
-fstack-check.
Powered by blists - more mailing lists