oss-sec mailing list archives

Re: Qualys Security Advisory - The Stack Clash


From: Daniel Micay <danielmicay () gmail com>
Date: Thu, 22 Jun 2017 02:00:52 -0400

Is it planned to have glibc use a larger 1M gap for secondary stacks
rather than a single guard page? That would be a *lot* easier than it
was to set it up for the main thread stack. It follows the main thread
stack rlimit as a guideline so it seems to make sense to use the same
guard region size too. If it ends up exposed as a sysctl, it could read
the current value from there.

For the local setuid/setgid/setcap binary attack surface, the main
thread stack is most relevant, but in general many cases of large stack
frames that were found are called in threads other than the initial one.
Secondary stacks are also mixed in with other mmap allocations rather
than having a separate ASLR base and glibc doesn't do any secondary
stack ASLR. IIRC, it does cache color the stacks but not randomly and I
don't remember how much space it currently reserves for that.


Current thread: