Mitigate Stack Clash #26750
Mitigate Stack Clash #26750
Conversation
fpletz
added
1.severity: mass-rebuild
| @@ -50,7 +50,11 @@ if [[ ! $hardeningDisable =~ "all" ]]; then | |||
| if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi | |||
| hardeningLDFlags+=('-z' 'now') | |||
| ;; | |||
| *) | |||
| stackcheck) | |||
| if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi | |||
There was a problem hiding this comment.
"enabling bindnow" is copied from above, I guess?
fpletz
force-pushed
the
fix/stack-clash-hardening
branch
2 times, most recently
from
aed00a5 to
4bedc3e
Compare
fpletz
changed the title
|
I added patches to mitigate Stack Clash in the kernel, exim & glibc. This is what Debian is doing in unstable and stable. The cc-wrapper change should IMHO be tested on master first and released with 17.09. |
|
I'm surprised you're saying the cc-wrapper won't be picked. Why not? |
|
@volth The patch does not apply cleanly on 4.4. I decided to only patch the default kernels for 17.03 and master for now. You can take a shot at it if you want. :) @grahamc The stackcheck hardening could potentially break software. Debian only updated the 3 mentioned packages. The fix in the kernel also mitigates the problem for all userspace applications without stackcheck hardening. Debian doesn't add |
This fixes the Stack Clash issue rediscovered by Qualys. See https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt for more information on the topic, specifically section III. We don't have the kernel mitigation available because it is a Grsecurity feature which we don't support anymore. Other distributions like Gentoo Hardened and Arch already have `-fstack-check` enabled by default. See the Gentoo page on Stack Clash for more information on this solution: https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash This unfortunately doesn't apply to clang because `-fstack-check` is a noop there. Note that the GCC implementation also has problems that could be exploited to circumvent these checks but it is still better than keeping it disabled.
fpletz
force-pushed
the
fix/stack-clash-hardening
branch
from
1d3fb84 to
ed22de0
Compare
fpletz
force-pushed
the
fix/stack-clash-hardening
branch
from
ed22de0 to
2296bf3
Compare
|
Merged master into staging and rebased this PR to staging. My preliminary tests look good and I'd like to merge this to staging in a few hours. |
|
Did another rebuild with the changes on staging. All green. Let's do this. :) |
This fixes the Stack Clash issue rediscovered by Qualys. See https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt for more information on the topic, specifically section III.
We don't have the proposed kernel mitigation available because it is a Grsecurity feature which we don't support anymore. Other distributions like Gentoo Hardened and Arch already have
-fstack-checkenabled by default.See the Gentoo page on Stack Clash for more information on this solution: https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash
This unfortunately doesn't apply to clang because
-fstack-checkis a noop there. Note that the GCC implementation also has problems that could be exploited to circumvent these checks but it is still better than keeping it disabled.This PR also includes fixes for stack clash related problems in the Linux kernel, glibc and exim which were identified by Qualys.
Status of this PR
I'm in the process of recompiling and testing a few packages.As this is a security-sensitive issue and a mass rebuild, I opened the PR as soon as possible to let others provide feedback on this change.This will be merged to
staging. Everything except thecc-wrapperchanges will be cherry-picked torelease-17.03.