GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 19 Jun 2017 22:27:01 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #70 received at 27429 <at> debbugs.gnu.org (full text, mbox):

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: 27429 <at> debbugs.gnu.org
Subject: Re: bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check
Date: Sun, 25 Jun 2017 11:38:28 +0200

Hi,

what do you all think of rebuilding the world with "-fstack-check" (either now or later on) ?

That would make gcc emit code to always grow the stack in a way that it certainly touches each 4 KiB (parametrizable by STACK_CHECK_PROBE_INTERVAL_EXP) page on the way.

I think that would be the right and permanent fix - unlike the whack-a-mole approach where we patch programs not to do what they are supposed to do, if their stack allocation happens to grow.

See also <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> and <https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html>.

Note that the kernel itself has to put argv and envp into the user process' stack and this can already make the very first stack allocation that a process does in its main() need to grow the stack, and reach across the guard page.  So the right fix is to just make the stack allocations never reach across the guard page without using it.

This bug report was last modified 7 years and 309 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #27429 Stack clash (CVE-2017-1000366 etc)

GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)