stack-clash implications
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
The advisory suggests:
1. Increase the size of the stack guard-page to at least 1MB
- I skip this point
2. Recompile all userland code with GCC's "-fstack-check" option
- I checked current and recent gcc versions.

6.3.0 seems to be fine:
gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0)
gcc -dumpspecs | grep -B 1 stack-check
*cc1:
%{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu)
%{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}}
%{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC:
-fPIC}}}}}%{fstack-check|fstack-check=*:;: -fstack-check}

5.4.0 also looks fine:
gcc version 5.4.0 (Gentoo Hardened 5.4.0-r3 p1.3, pie-0.6.5)
gcc -dumpspecs | grep -B 1 stack-check
*esp_cc1_ssp:
%{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}
--
*esp_options_ssp:
%{nostdlib|ffreestanding|fno-stack-protector|fstack-protector|
fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all}
%{fstack-check|fstack-check=*:;: -fstack-check}

I assume it is OK like this.
Please confirm this conclusion.
Thx: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
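As an added example (not code from either post), a small POSIX shell check that automates what the first post did by eye: it looks in the specs dump for the clause that injects -fstack-check whenever the user did not pass one, and cross-checks with gcc -### that the expanded cc1 command line really receives the flag. The function names and the CC variable are my choices.

```shell
#!/bin/sh
# Added example, not part of the mailing list posts above.
# The Gentoo Hardened specs quoted in the thread contain the clause
#   %{fstack-check|fstack-check=*:;: -fstack-check}
# which reads: "if -fstack-check or -fstack-check=... was given, add nothing;
# otherwise add -fstack-check". Its presence is what the first post checked by eye.

# Return 0 when the specs text on stdin carries that default-enable clause, 1 otherwise.
# Newlines are removed first because mail clients (and long specs) wrap lines.
specs_enable_stack_check() {
    tr -d '\n' | grep -q '%{fstack-check|fstack-check=\*:;:[[:space:]]*-fstack-check}'
}

# Ask the installed compiler ($CC, default gcc) for its specs and run the same test.
gcc_enables_stack_check_by_default() {
    "${CC:-gcc}" -dumpspecs 2>/dev/null | specs_enable_stack_check
}

# Cross-check after spec expansion: with -### the driver prints the cc1 command line it
# would run (on stderr) without executing it. Return 0 if cc1 is handed -fstack-check.
# "-fno-stack-check" does not contain the substring "-fstack-check", so it does not match.
cc1_gets_stack_check() {
    "${CC:-gcc}" -### -c -x c /dev/null -o /dev/null 2>&1 | grep -q -- '-fstack-check'
}

# Usage: report both views for the active compiler (on a Gentoo box, switch slots with
# gcc-config and rerun to cover every installed version).
if gcc_enables_stack_check_by_default; then
    echo "specs: -fstack-check injected by default"
else
    echo "specs: no default -fstack-check clause"
fi
if cc1_gets_stack_check; then
    echo "cc1:   receives -fstack-check"
else
    echo "cc1:   does NOT receive -fstack-check"
fi
```

Both checks only show what the driver adds for a default compile; code built with a different compiler, or with the flag explicitly disabled in its build system, still has to be inspected separately.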
Re: stack-clash implications
On 21/06/17 at 01:02, "Tóth Attila" wrote:
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> The advisory suggests:
> 1. Increase the size of the stack guard-page to at least 1MB
> - I skip this point
> 2. Recompile all userland code with GCC's "-fstack-check" option
> - I checked current and recent gcc versions.
>
> 6.3.0 seems to be fine:
> gcc version 6.3.0 (Gentoo Hardened 6.3.0 p1.0)
> gcc -dumpspecs | grep -B 1 stack-check
> *cc1:
> %{!mandroid|tno-android-cc:%(cc1_cpu) %{profile:-p};:%(cc1_cpu)
> %{profile:-p} %{!mglibc:%{!muclibc:%{!mbionic: -mbionic}}}
> %{!fno-pic:%{!fno-PIC:%{!fpic:%{!fPIC:
> -fPIC}}}}}%{fstack-check|fstack-check=*:;: -fstack-check}
>
> 5.4.0 also looks fine:
> gcc version 5.4.0 (Gentoo Hardened 5.4.0-r3 p1.3, pie-0.6.5)
> gcc -dumpspecs | grep -B 1 stack-check
> *esp_cc1_ssp:
> %{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}
> --
> *esp_options_ssp:
> %{nostdlib|ffreestanding|fno-stack-protector|fstack-protector|
> fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all}
> %{fstack-check|fstack-check=*:;: -fstack-check}
>
> I assume it is OK like this.
> Please confirm this conclusion.
> Thx: Dw.

Stack-check has been enabled since (at least) 4.8.4. But you'll need to have
recompiled the whole system with stack-check enabled so it will work as
it should, as commented on
https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html

I'm working on preparing a statement we can publish on behalf of the
project, but I'm unsure when it'll be ready.